KYCShadow is a sophisticated Android banking Trojan targeting Indian users through WhatsApp-distributed fake KYC verification apps. It operates as a multi-stage dropper that installs secondary payloads and maintains persistent command-and-control communication via Firebase. The malware uses native code obfuscation and hides configuration values in native libraries to avoid detection. It manipulates VPN connections to intercept and manipulate traffic, and uses WebView-based phishing interfaces that mimic legitimate banking workflows to steal credentials and OTPs. The payload abuses permissions to intercept SMS messages, control calls, and execute USSD codes. Exfiltrated data is encrypted locally and sent to domains including jsonapi.biz. No CVE or vendor advisory is available, and no patch or fix has been confirmed.

The malware enables attackers to steal banking credentials and one-time passwords (OTPs), intercept SMS messages, control phone calls, and execute USSD commands on infected devices. This can lead to unauthorized access to victims' bank accounts and financial fraud. The use of VPN manipulation and native code obfuscation complicates detection and mitigation efforts. The campaign specifically targets users in India, increasing risk for that population segment. There are no known exploits in the wild beyond this campaign, and no official remediation or patch is currently documented.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should avoid installing applications from untrusted sources such as WhatsApp links claiming to be bank KYC apps. Mobile security solutions with behavior-based detection may help identify and block this malware. Monitoring for suspicious VPN activations and unexpected permission requests on Android devices is recommended. Since no official fix or patch is available, user education and cautious app installation practices are critical.