Student Alert – Fake Scholarship Apps Fueling the Defraud Scam – cyberpress.org

Since July 2024, Bangladeshi students have been targeted by a covert Android malware campaign termed SikkahBot, which impersonates the Bangladesh Education Board’s scholarship portal.
Distributed via smishing links that redirect through services like bit.ly and short.gy, the fraudulent applications promise financial support but instead harvest personal and banking information and execute unauthorized transactions.
Attackers circulate shortened URLs such as “hxxps://bit[.]ly/Sikkahbord” and “hxxps://downloadapp[.]website/tyup[.]apk” through SMS messages designed to appear as legitimate scholarship notifications.
When victims install the APK, the fake portal offers login via Google or Facebook before requesting detailed personal information, including the student’s full name, academic department, and institution.
A subsequent form solicits wallet numbers, PIN codes, and preferred payment methods under the pretext of scholarship disbursement.
Once these details are provided, the app prompts users to grant a series of invasive permissions that facilitate further exploitation.
These include enabling the Accessibility Service for deep device control, granting SMS read and send access, allowing overlay display on top of other apps, and managing call functions for USSD operations.
SikkahBot employs a multifaceted approach combining phishing, SMS interception, accessibility abuse, and offline transaction execution. Upon installation, it registers an SMSBroadcastReceiver to monitor all incoming messages.
Texts containing bank identifiers such as “bKash,” “NAGAD,” or specific service codes like “16216” are automatically captured and forwarded to a malicious Firebase endpoint.
Meanwhile, the Accessibility Service monitors the foreground application. When it detects a targeted banking app, such as bKash, Nagad, or Dutch-Bangla Bank, it retrieves a stolen PIN from the attacker-controlled server and programmatically populates the app’s login fields.
This automation eliminates the need for user input, allowing for seamless hijacking of banking sessions without alerting the user.
In scenarios where no banking app is active, SikkahBot shifts to USSD-based transactions. The malware fetches USSD codes and SIM slot data from its backend, initiates the dial sequence, and waits for the standard response dialog.
It then simulates touches on interface elements labeled “SEND,” “send,” or “OK” to complete fund transfers. This technique allows the malware to execute financial fraud even in the absence of an internet connection.
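As an added example (not code from the article or from the malware itself), the script below triages a decoded AndroidManifest.xml for the capability profile described above: SMS read/send, overlay, call/USSD control, an SMS broadcast receiver and an Accessibility Service. The sample manifest and its package name are constructed for illustration; the permission and action names are the real Android identifiers.

```python
# Added example (not code from the article): triage a decoded AndroidManifest.xml
# for the capability profile described above: SMS read/send, overlay, call/USSD
# control, an SMS broadcast receiver and an Accessibility Service.
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
CAPABILITIES = {  # real permission names behind each capability in the write-up
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.SEND_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "calls_ussd": {"android.permission.CALL_PHONE"},
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def _declares_action(root, component_tag, action):
    # True if any <component_tag> carries an <intent-filter><action> with this name.
    return any(a.get(NS + "name") == action
               for c in root.iter(component_tag) for a in c.iter("action"))

def triage_manifest(manifest_xml):
    """Report the risky capabilities a manifest requests and whether the whole
    SikkahBot-style set (SMS, overlay, calls, accessibility service) co-occurs."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NS + "name") for p in root.iter("uses-permission")}
    report = {k: sorted(requested & v) for k, v in CAPABILITIES.items()}
    report["accessibility_service"] = _declares_action(root, "service", ACCESSIBILITY_ACTION)
    report["sms_receiver"] = _declares_action(root, "receiver", SMS_RECEIVED_ACTION)
    # A scholarship-application app has no legitimate need for this combination.
    report["full_profile"] = all(report[k] for k in
                                 ("sms", "overlay", "calls_ussd", "accessibility_service"))
    return report

# Constructed sample manifest (placeholder package name) mirroring the description above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakescholarship">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <receiver android:name=".SMSBroadcastReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
    <service android:name=".ControlService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"><intent-filter>
      <action android:name="android.accessibilityservice.AccessibilityService"/>
    </intent-filter></service>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on a manifest decoded with apktool or aapt; `full_profile` is True only when every bucket the article lists is present, so a legitimate app requesting one of them in isolation is not flagged.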
Students and institutions must adopt proactive measures to defend against SikkahBot’s evolving tactics. Applications should only be downloaded from verified sources, such as the official Google Play Store. Links received via SMS or social media should be treated with skepticism.
Users should scrutinize permission requests and refuse any unexplained demands for Accessibility Service, overlay controls, or access to SMS and calls.
Enabling multi-factor authentication on mobile banking applications provides an additional security layer that can block unauthorized access even if credentials are compromised.
Deploying reputable mobile security software with real-time scanning capabilities and ensuring that both the Android OS and installed apps remain up to date will reduce the risk of exploitation through known vulnerabilities.
By maintaining vigilant practices and fostering cybersecurity awareness, students can significantly diminish the threat posed by SikkahBot and similar malware campaigns.
© Copyright 2024 – Cyber Press