A newly discovered Android malware, dubbed SikkahBot, is actively targeting students in Bangladesh by posing as official applications from the Bangladesh Education Board. This malware campaign, identified by Cyble Research and Intelligence Labs (CRIL), has been in operation since July 2024.
According to CRIL, the SikkahBot malware is distributed through shortened URLs, including links like bit[.]ly/Sikkahbord, apped[.]short[.]gy, and downloadapp[.]website/tyup[.]apk. These URLs are likely spread through smishing attacks, tricking victims into downloading malicious APK files under the pretense of scholarship applications from government bodies.
Once installed, the fake apps prompt users to log in using their Google or Facebook accounts and request personal details such as name, department, and institute. It then demands financial information, including wallet numbers, wallet PINs, and payment methods. After submission, a fake message informs the victim that a representative will contact them soon, a ploy to buy time while the malware begins its work in the background.
SikkahBot Malware: Permissions Abuse and Automated Banking Fraud
What sets SikkahBot apart is its aggressive abuse of Android permissions. Upon installation, it pushes users to grant high-risk access, including the Accessibility Service, SMS access, call management, and the ability to draw over other apps. These permissions allow it to monitor and manipulate user activity with deep control over the device.
Once these permissions are granted, the malware activates a fake homepage showing doctored images of students supposedly receiving scholarships, part of its social engineering strategy to establish legitimacy.
Behind the scenes, SikkahBot registers a broadcast receiver to intercept all incoming SMS messages. It specifically targets keywords related to mobile banking services widely used in Bangladesh, such as “bKash,” “Nagad,” and “MYGP,” as well as associated service numbers like “16216” and “26969.” Captured messages are then sent to an attacker-controlled Firebase server at update-app-sujon-default-rtdb[.]firebaseio.com.
Accessibility Exploits and Offline USSD Transactions
The malware’s exploitation of the Accessibility Service is particularly dangerous. When it detects that a user is interacting with banking apps such as bKash, Nagad, or Dutch-Bangla Bank, it pulls credentials from its command-and-control server. It attempts to autofill login details, bypassing user input entirely.
If the user isn’t actively using these apps, SikkahBot initiates USSD-based banking transactions. It receives USSD codes and SIM slot information from the server, executes the calls, and automatically interacts with response prompts by clicking on UI elements labeled “SEND” or “OK.” This method allows transactions without requiring internet access, increasing the malware’s reach and reliability in low-connectivity environments.
Evasion and Evolution
Despite its high-risk behavior, SikkahBot malware variants maintain low detection rates on VirusTotal, a factor that highlights the malware’s obfuscation techniques and the attackers’ continued refinement. CRIL reports that more than 10 distinct samples have been discovered, with newer versions incorporating more automated features and sophisticated command execution methods.
“The combination of phishing, automated banking activity, and offline USSD exploitation makes it a highly effective tool for financial fraud against unsuspecting students,” CRIL stated in its technical analysis.
Recommendations for Protection
To protect against malware campaigns like SikkahBot, CRIL stresses the need for improved mobile security awareness and proactive defense strategies. Their key recommendations include:
- Install apps only from trusted sources such as the Google Play Store.
- Avoid clicking on shortened or suspicious links, especially those received via SMS or social media.
- Limit permissions: Do not grant Accessibility or overlay permissions unless absolutely necessary and verified.
- Enable Multi-Factor Authentication (MFA) for financial apps.
- Use mobile security software that includes real-time threat detection.
- Keep Android OS and apps up to date to patch known vulnerabilities.
- Report suspicious activity immediately to your bank and perform a factory reset if necessary.
Cyble’s Threat Intelligence Platform continues to monitor emerging malware like SikkahBot, providing early detection capabilities, infrastructure tracking, and threat attribution. As digital fraud increases in complexity and scope, constant vigilance and cybersecurity hygiene remain the first lines of defense.
