KYCShadow Android Malware: Fake KYC Traps to Steal OTPs and Banking Credentials

By xploitzone
April 28, 2026 5:58 PM

Cyfirma disclosed an Android banking malware it calls KYCShadow in April 2026. It targets banking users in India by posing as a KYC verification app distributed over WhatsApp, and it steals ATM PINs, Aadhaar numbers and card details through a two-stage dropper architecture, Firebase-based C2, a local VPN that hijacks device traffic and multi-step WebView phishing, without the victim noticing.

Banking in India has become largely digital. That has made people's lives easier, but it has also opened an attack surface that criminals now exploit as one of their most effective weapons.

KYC, or Know Your Customer, is a process familiar to every Indian bank user: it is mandatory for bank accounts, mobile wallets and insurance. A new and sophisticated Android banking malware has turned that familiarity into its core weapon.

Cyfirma researchers identified the campaign, which they named KYCShadow, in April 2026 and confirmed that the malware uses a two-stage dropper architecture. The first application the victim installs is a silent loader that decrypts and deploys a secondary malicious payload in the background; the most capable components are kept out of the first stage so that early analysis of the installed app reveals little.

The campaign targets India's banking users directly through WhatsApp, a platform that millions of people trust as much as they trust their family or their bank.

Image (Source – Cyfirma)

The application presents itself as a trusted banking KYC service, exploiting a routine process that millions of Indian bank users already know. Once installed, it walks the user through convincing verification screens in which the mobile number, ATM PIN, Aadhaar number and card details are collected in a single step. When the user completes the flow, a fake "Verification in progress" message is displayed while the submitted data is transmitted to the attackers' remote server, jsonapi[.]biz.

The KYC lure itself is not new in India. In one earlier case, a 38-year-old chartered accountant in Pune received a WhatsApp message claiming to come from the ICICI Bank KYC team, opened the attached PDF, had his OTP intercepted and within minutes had his WhatsApp account hijacked and UPI payment requests sent to his contacts, losing Rs 72,000. KYCShadow goes much further: it is not just a phishing page but an entire malware ecosystem.

Multi-Stage Dropper, Firebase C2 and VPN: A Three-Layer Attack Setup

This financially motivated malware relies on social engineering to persuade users to install a malicious application. The primary application is a stealthy loader that shows the victim a fake "Update Required" prompt. In the background it extracts an embedded encrypted payload, decrypts it and installs the secondary payload through Android's session-based PackageInstaller API.

To minimize suspicion and maintain persistence, the secondary application hides its icon from the device's app launcher. Once the secondary payload is activated, the malware requests SMS access, phone call control and an exemption from battery optimization. These permissions let it intercept OTPs in real time, send and forward SMS messages on remote command, place phone calls without user input and keep running in the background even when the device is idle.
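The capability mix described above (SMS interception, call control, battery-optimization exemption, a VPN hook) leaves a recognizable footprint in the app's manifest. The following triage script, an added example and not Cyfirma's or the malware's code, scores a decoded AndroidManifest.xml for that combination. It assumes the manifest has already been decoded to plain XML (for instance with apktool); the two manifests embedded below are constructed samples with hypothetical package names, not files from the campaign.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability mix a
KYC-themed OTP stealer needs. Added example; sample manifests are constructed
and the package names are hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions mapped to the triage flag they raise.
PERMISSION_FLAGS = {
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.CALL_PHONE": "calls",
    "android.permission.ANSWER_PHONE_CALLS": "calls",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "battery_exempt",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installs_packages",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BIND_VPN = "android.permission.BIND_VPN_SERVICE"


def triage_manifest(xml_text: str) -> dict:
    """Return the flags raised by a manifest and a coarse verdict."""
    root = ET.fromstring(xml_text)
    flags = set()
    for perm in root.iter("uses-permission"):
        flag = PERMISSION_FLAGS.get(perm.get(ANDROID_NS + "name"))
        if flag:
            flags.add(flag)

    # A SMS_RECEIVED receiver with a very high priority is delivered the
    # broadcast before the default messaging app, which is what OTP theft needs.
    for receiver in root.iter("receiver"):
        for filt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.iter("action")}
            priority = int(filt.get(ANDROID_NS + "priority", "0"))
            if SMS_RECEIVED in actions and priority >= 999:
                flags.add("high_priority_sms_receiver")

    # A service protected by BIND_VPN_SERVICE is the manifest trace of a
    # VpnService, the hook used for a full-tunnel traffic hijack.
    for service in root.iter("service"):
        if service.get(ANDROID_NS + "permission") == BIND_VPN:
            flags.add("vpn_service")

    # Icon hiding is done at runtime (PackageManager.setComponentEnabledSetting)
    # and leaves no manifest trace, so it is not scored here.
    core = {"sms", "calls", "high_priority_sms_receiver", "vpn_service"}
    hits = len(flags & core)
    verdict = "high" if hits >= 3 else "medium" if hits == 2 else "low"
    return {"flags": sorted(flags), "verdict": verdict}


# Constructed sample: the second-stage profile described in the article.
STEALER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kycupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="KYC Update">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".TunnelService"
        android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that reads SMS at normal priority.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Notes">
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("stealer", STEALER_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(manifest))
```

The verdict is deliberately coarse: a default SMS app legitimately holds the SMS permissions, so the score only climbs when several of the unrelated capabilities (calls, a top-priority SMS receiver, a VPN service) appear in one package.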

Image (Source – Cyfirma)

A high-priority SMS broadcast receiver intercepts incoming messages, reconstructs each message from its raw PDU, extracts the sender and body and forwards the content in real time to a remote phone number and to the backend as encrypted logs. This is what enables OTP interception and account takeover.
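What "reconstructs the PDU" means in practice: an Android SMS_RECEIVED broadcast carries each message as a raw GSM 03.40 SMS-DELIVER PDU in its "pdus" extra, and the receiver turns that into a sender, a timestamp and a body (on Android, SmsMessage.createFromPdu() does this). The decoder below is an added example, not Cyfirma's or the malware's code. It assumes only the GSM 7-bit default alphabet (ASCII-compatible subset) and UCS-2 bodies; the PDUs it works on are produced by the included encoder from constructed inputs, and the sender IDs and numbers are made up. The 7-bit packer is checked against the published "hellohello" test vector.

```python
"""Encode and decode GSM 03.40 SMS-DELIVER PDUs. Added example; inputs are
constructed and the sender IDs and numbers below are fictitious."""
import re

# Characters whose GSM 7-bit code equals their ASCII code (enough for OTP
# texts; '@', '$', '_' and braces differ in GSM and are rejected).
_GSM_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
                " !\"#%&'()*+,-./:;<=>?")


def pack_7bit(text: str) -> bytes:
    """Pack septets LSB-first into octets, as the GSM user-data field does."""
    acc = bits = 0
    out = bytearray()
    for ch in text:
        if ch not in _GSM_SAFE:
            raise ValueError(f"not in the ASCII-compatible GSM subset: {ch!r}")
        acc |= ord(ch) << bits
        bits += 7
        while bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    if bits:
        out.append(acc & 0xFF)
    return bytes(out)


def unpack_7bit(data: bytes, septets: int) -> str:
    acc = bits = 0
    chars = []
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(chars) < septets:
            chars.append(chr(acc & 0x7F))
            acc >>= 7
            bits -= 7
    return "".join(chars)


def _bcd(digits: str) -> bytes:
    """Nibble-swapped BCD; an odd digit count is padded with 0xF."""
    if len(digits) % 2:
        digits += "F"
    return bytes((int(digits[i + 1], 16) << 4) | int(digits[i], 16)
                 for i in range(0, len(digits), 2))


def _unbcd(raw: bytes, ndigits: int) -> str:
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in raw)[:ndigits]


def build_sms_deliver(smsc: str, sender: str, text: str,
                      scts: str = "26042817580022") -> str:
    """Encode an SMS-DELIVER PDU with SMSC header as upper-case hex.
    scts is YYMMDDhhmmss plus the timezone in quarter hours (22 = +05:30)."""
    out = bytearray()
    smsc_bcd = _bcd(smsc.lstrip("+"))
    out += bytes([len(smsc_bcd) + 1, 0x91]) + smsc_bcd   # SMSC, international
    out.append(0x04)                                     # SMS-DELIVER, no more messages
    if sender.lstrip("+").isdigit():
        digits = sender.lstrip("+")
        toa = 0x91 if sender.startswith("+") else 0x81
        out += bytes([len(digits), toa]) + _bcd(digits)
    else:  # alphanumeric sender ID (TON=101): 7-bit packed, length in semi-octets
        out += bytes([(7 * len(sender) + 3) // 4, 0xD0]) + pack_7bit(sender)
    out.append(0x00)                                     # PID
    try:
        ud, dcs, udl = pack_7bit(text), 0x00, len(text)  # UDL counts septets
    except ValueError:
        ud = text.encode("utf-16-be")                    # UCS-2, UDL counts octets
        dcs, udl = 0x08, len(ud)
    out.append(dcs)
    out += _bcd(scts)
    out.append(udl)
    out += ud
    return out.hex().upper()


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Extract the fields a forwarder wants: SMSC, sender, timestamp, body."""
    pdu = bytes.fromhex(pdu_hex)
    pos = 0
    smsc_len = pdu[pos]; pos += 1
    smsc = ""
    if smsc_len:
        toa = pdu[pos]
        smsc = _unbcd(pdu[pos + 1:pos + smsc_len], (smsc_len - 1) * 2).rstrip("f")
        smsc = ("+" if toa & 0x70 == 0x10 else "") + smsc
        pos += smsc_len
    if pdu[pos] & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    pos += 1
    oa_len, oa_toa = pdu[pos], pdu[pos + 1]; pos += 2
    oa_octets = (oa_len + 1) // 2
    if oa_toa & 0x70 == 0x50:                            # alphanumeric sender
        sender = unpack_7bit(pdu[pos:pos + oa_octets], oa_len * 4 // 7)
    else:
        sender = _unbcd(pdu[pos:pos + oa_octets], oa_len)
        if oa_toa & 0x70 == 0x10:
            sender = "+" + sender
    pos += oa_octets
    dcs = pdu[pos + 1]; pos += 2                         # skip PID, read DCS
    ts = _unbcd(pdu[pos:pos + 6], 12)
    tz = pdu[pos + 6]                                    # tens nibble carries the sign bit
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    timestamp = (f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]} "
                 f"{'-' if tz & 0x08 else '+'}{quarters // 4:02d}:{quarters % 4 * 15:02d}")
    pos += 7
    udl = pdu[pos]; pos += 1
    body = pdu[pos:]
    if dcs & 0x0C == 0x00:
        text = unpack_7bit(body, udl)
    elif dcs & 0x0C == 0x08:
        text = body[:udl].decode("utf-16-be")
    else:
        raise ValueError(f"unsupported DCS 0x{dcs:02x}")
    return {"smsc": smsc, "sender": sender, "timestamp": timestamp, "text": text}


def extract_otp(text: str):
    """The crude pick a forwarder applies before sending the body on."""
    m = re.search(r"\b\d{4,8}\b", text)
    return m.group(0) if m else None


if __name__ == "__main__":
    pdu = build_sms_deliver("+919820005444", "AX-HDFCBK",
                            "482913 is your OTP for KYC update. Do not share it.")
    print(pdu)
    print(parse_sms_deliver(pdu))
```

The point for defenders is the timing: the receiver gets the broadcast, and therefore the decoded body, at the same moment the messaging app does, so an OTP is exposed as soon as it lands, without any interaction from the user.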

The malware can also dump the entire SMS inbox, initiate outbound calls through TelecomManager and execute USSD codes to enable or disable call forwarding or query network status. All runtime events and stolen data are wrapped in JSON structures containing a device_id, log_type, content and timestamp, encrypted locally and sent by HTTP POST to jsonapi[.]biz.

The malware embeds critical configuration details, including the C2 endpoint, encryption keys and agent identifiers, in an obfuscated native library, libnative-lib.so. Moving these values out of the Java layer and into native code severely limits what static analysis of the APK reveals and complicates reverse engineering.

The malware also establishes a local full-tunnel VPN service. Forcing all device traffic through this application-controlled network layer lets the attackers monitor live communications, filter traffic and potentially disrupt cloud-based security scans such as Google Play Protect.

Image (Source – Cyfirma)

Once the secondary payload is activated, an embedded Next.js WebView interface mimicking official banking KYC compliance screens is displayed. Users are manipulated into submitting their mobile number, ATM PIN, Aadhaar number and full credit or debit card details, all of which are silently passed to the attacker.

Image (Source – Cyfirma)

The evolution of this campaign from simple string obfuscation to native-code concealment shows how technically capable these regional threat actors have become. KYCShadow's exclusive focus on Indian banking credentials and identity data strongly aligns with known organized mobile fraud ecosystems operating within India.

No legitimate bank or financial institution asks for an Aadhaar number, PAN details, OTPs or net banking credentials over phone calls, SMS or WhatsApp. Treat unsolicited KYC calls and messages as a red flag. If you receive a KYC renewal notification by SMS or email, go directly to the bank's official app or website. Never click the links in such messages and never install APK files from unknown sources.

Enable two-step verification on WhatsApp, check the list of linked devices regularly, and immediately report and block suspicious numbers. Make elderly family members especially aware of such attacks, as they are the most vulnerable to these psychological triggers.
