KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft
KYCShadow is an Android banking malware campaign targeting users in India by masquerading as a bank KYC verification app distributed via WhatsApp. It uses a multi-stage infection process involving deceptive update screens, VPN activation, silent APK installation, and extensive permission abuse. The malware employs native code obfuscation, Firebase-based remote control, VPN traffic manipulation, and WebView phishing to steal credentials and OTPs. It intercepts SMS, controls calls, executes USSD commands, and exfiltrates encrypted data to attacker-controlled domains such as jsonapi. biz. Critical configuration data is hidden in native libraries to evade detection. There is no known patch or official remediation guidance available at this time.
AI Analysis
Technical Summary
KYCShadow is a sophisticated Android banking Trojan targeting Indian users through WhatsApp-distributed fake KYC verification apps. It operates as a multi-stage dropper that installs secondary payloads and maintains persistent command-and-control communication via Firebase. The malware uses native code obfuscation and hides configuration values in native libraries to avoid detection. It manipulates VPN connections to intercept and manipulate traffic, and uses WebView-based phishing interfaces that mimic legitimate banking workflows to steal credentials and OTPs. The payload abuses permissions to intercept SMS messages, control calls, and execute USSD codes. Exfiltrated data is encrypted locally and sent to domains including jsonapi.biz. No CVE or vendor advisory is available, and no patch or fix has been confirmed.
Potential Impact
The malware enables attackers to steal banking credentials and one-time passwords (OTPs), intercept SMS messages, control phone calls, and execute USSD commands on infected devices. This can lead to unauthorized access to victims' bank accounts and financial fraud. The use of VPN manipulation and native code obfuscation complicates detection and mitigation efforts. The campaign specifically targets users in India, increasing risk for that population segment. There are no known exploits in the wild beyond this campaign, and no official remediation or patch is currently documented.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should avoid installing applications from untrusted sources such as WhatsApp links claiming to be bank KYC apps. Mobile security solutions with behavior-based detection may help identify and block this malware. Monitoring for suspicious VPN activations and unexpected permission requests on Android devices is recommended. Since no official fix or patch is available, user education and cautious app installation practices are critical.
Affected Countries
India
Indicators of Compromise
- domain: jsonserv.biz
- domain: jsonserv.xyz
- domain: jsonapi.biz
- hash: 3da35272ad6d280d3388d57bdbf61b9c
- hash: 0a467a2c936734affc8d796a4e468543b9d182e7
- hash: 1d261b45e73b5b712becb12ed182ec89d3dd0d73143a2dd8ff5512da489a50eb
- hash: 34479b18597f1a0deb5d55b8450bc21af1d1f638c4ceca1ee19e6f5ac89d6be2
- url: https://jsonapi.biz
- hash: 10bd31f7d0e47f8c24f58cac962036d342d57057
KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft
Description
KYCShadow is an Android banking malware campaign targeting users in India by masquerading as a bank KYC verification app distributed via WhatsApp. It uses a multi-stage infection process involving deceptive update screens, VPN activation, silent APK installation, and extensive permission abuse. The malware employs native code obfuscation, Firebase-based remote control, VPN traffic manipulation, and WebView phishing to steal credentials and OTPs. It intercepts SMS, controls calls, executes USSD commands, and exfiltrates encrypted data to attacker-controlled domains such as jsonapi. biz. Critical configuration data is hidden in native libraries to evade detection. There is no known patch or official remediation guidance available at this time.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
KYCShadow is a sophisticated Android banking Trojan targeting Indian users through WhatsApp-distributed fake KYC verification apps. It operates as a multi-stage dropper that installs secondary payloads and maintains persistent command-and-control communication via Firebase. The malware uses native code obfuscation and hides configuration values in native libraries to avoid detection. It manipulates VPN connections to intercept and manipulate traffic, and uses WebView-based phishing interfaces that mimic legitimate banking workflows to steal credentials and OTPs. The payload abuses permissions to intercept SMS messages, control calls, and execute USSD codes. Exfiltrated data is encrypted locally and sent to domains including jsonapi.biz. No CVE or vendor advisory is available, and no patch or fix has been confirmed.
Potential Impact
The malware enables attackers to steal banking credentials and one-time passwords (OTPs), intercept SMS messages, control phone calls, and execute USSD commands on infected devices. This can lead to unauthorized access to victims' bank accounts and financial fraud. The use of VPN manipulation and native code obfuscation complicates detection and mitigation efforts. The campaign specifically targets users in India, increasing risk for that population segment. There are no known exploits in the wild beyond this campaign, and no official remediation or patch is currently documented.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should avoid installing applications from untrusted sources such as WhatsApp links claiming to be bank KYC apps. Mobile security solutions with behavior-based detection may help identify and block this malware. Monitoring for suspicious VPN activations and unexpected permission requests on Android devices is recommended. Since no official fix or patch is available, user education and cautious app installation practices are critical.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.cyfirma.com/research/kycshadow-an-android-banking-malware-exploiting-fake-kyc-workflows-for-credential-and-otp-theft/"]
- Adversary
- null
- Pulse Id
- 69f1d2d45ec26fc5e1ca72f4
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainjsonserv.biz | — | |
domainjsonserv.xyz | — | |
domainjsonapi.biz | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash3da35272ad6d280d3388d57bdbf61b9c | — | |
hash0a467a2c936734affc8d796a4e468543b9d182e7 | — | |
hash1d261b45e73b5b712becb12ed182ec89d3dd0d73143a2dd8ff5512da489a50eb | — | |
hash34479b18597f1a0deb5d55b8450bc21af1d1f638c4ceca1ee19e6f5ac89d6be2 | — | |
hash10bd31f7d0e47f8c24f58cac962036d342d57057 | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://jsonapi.biz | — |
Threat ID: 69f1dbedcbff5d8610f30c01
Added to database: 4/29/2026, 10:22:37 AM
Last enriched: 4/29/2026, 10:38:27 AM
Last updated: 4/29/2026, 10:24:07 PM
Views: 66
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.