Over 25 mn devices at risk: What is FatBoyPanel, the new malware targeting Indian users?

Indian Express, 25-04-2025

A dairy businessman, 44, from Dharashiv, received a WhatsApp call from someone posing as a bank official. The caller warned him that his account would be suspended unless updated immediately. When the victim panicked and asked how this issue could be resolved, the 'official' offered a simple solution – downloading a 'banking application,' the link of which would be shared on WhatsApp. The link reached him, and the victim downloaded the Android Package Kit (APK) file and installed it. What followed was 26 rapid transactions that drained his entire bank account.
A sophisticated, malicious piece of software, called malware, was the reason.
This isn't an isolated case. In recent years, scammers have increasingly targeted users through APK files laced with malicious software that hijacks devices. This week, we take a closer look at one such malware: FatBoyPanel.
What is malware?
Malware, short for 'malicious software', refers to intrusive programs designed by cybercriminals to steal data or damage systems. Common types include viruses, worms, Trojans, spyware, adware, and ransomware.
Zimperium, a tech company that provides AI-driven mobile security to protect devices and apps from phishing, malware, and zero-day threats, said in a recent blog post on its website that its research team has identified malware that steals from Indian bank accounts: FatBoyPanel.
What is FatBoyPanel?
Nico Chiaraviglio, chief scientist at Zimperium, told indianexpress.com that FatBoyPanel is a mobile-first banking trojan that has been discovered across nearly 900 different applications, primarily targeting Indian users.
The attack begins with social engineering: scammers pose as officials or trusted entities and approach users via WhatsApp. They then send a malicious APK, encouraging the user to install it.
Once installed, the app gains access to sensitive data and steals one-time passwords (OTPs) to execute unauthorised transactions.
'FatBoyPanel is mobile-first, optimised for Indian banking apps, and even supports real-time session hijacking. That makes it especially dangerous in the hands of low-skilled attackers,' said Akshat Khetan, a cyber-legal expert and founder of AU Corporate Advisory and Legal Services (AUCL).
What distinguishes this malware?
'It uses a centralised command structure that controls multiple variants across campaigns, abuses live phone numbers for OTP redirection, and has exfiltrated data from over 25 million devices. This makes it far more organised and dangerous than traditional banking trojans. It is also a new banker trojan that shows constant evolution of threat actors,' Chiaraviglio said.
The malware requests permission to read SMS messages, enabling it to capture OTPs and bypass two-factor authentication in real time. 'It hides its icon after installation and disables Google Play Protect, allowing it to stay hidden and maintain access,' Chiaraviglio said.
'Once permissions are granted, it embeds itself into the system and communicates with its control panel,' Khetan said.
Breach fueled by social engineering
'The attackers pose as government agencies or trusted services, sending fake APKs via WhatsApp. This social engineering drives up installation rates,' Chiaraviglio said.
He also shared some numbers: Over 1,50,000 stolen messages were found on the attacker panel, with more than 25 million compromised device records, highlighting the massive scale of this breach. 'The breach exposes how easily users can be manipulated into side-loading apps and how SMS-based OTPs remain a weak link, especially in regions relying on them for banking authentication,' he said.
Pavan Karthick M, threat researcher III at CloudSEK, said, 'This campaign, active since late 2023, uses consistent infrastructure across all samples–FatBoyPanel. It's part of a growing trend where everyday platforms host Command and Control (C2) servers, giving cybercriminals both scalability and operational cover.'
Khetan elaborated on how the malware acts: 'Once deployed, the malware can intercept SMS-based OTPs, log credentials and perform keylogging. It may also use Accessibility Services to perform actions on behalf of the user such as initiating fund transfers within banking apps. In some cases, attackers use remote access tools (RATs) embedded in the payload to execute transactions manually from the victim's device, bypassing traditional fraud detection mechanisms.'
How to protect yourself
– Avoid sideloading APKs: Only use official app stores.
– Enable Google Play Protect: Keep it on to scan for harmful apps.
– Use mobile security software: Opt for real-time threat detection.
– Verify app sources: Never trust unknown or unofficial links.
– Check app permissions: Avoid granting SMS, call, or gallery access to unverified apps.
Some malware can even delete itself to avoid detection, making user vigilance critical. 'To better protect users, banks must move away from SMS-based OTPs and embrace stronger multi-factor authentication. In-app protections and local-language awareness campaigns are also key,' Chiaraviglio said.
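The 'check app permissions' advice can be applied to an APK before it is installed. The following is an added example, not code from the article or from Zimperium: it reads a decoded AndroidManifest.xml and reports the two capabilities described above, SMS access and an Accessibility Service. The sample manifests, package names and the high/medium/low scale are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def triage_manifest(xml_text):
    """Report SMS and Accessibility exposure declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {p.get(NS + "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(requested & SMS_PERMS)
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    a11y = [s.get(NS + "name") for s in root.iter("service")
            if s.get(NS + "permission") == A11Y_BIND]
    # A receiver filtering on SMS_RECEIVED is handed every incoming text.
    sms_rx = [r.get(NS + "name") for r in root.iter("receiver")
              if any(a.get(NS + "name") == SMS_ACTION for a in r.iter("action"))]
    can_read_otp = bool(sms_perms)
    can_act_for_user = bool(a11y)
    # Assumed triage scale (not from the article): both capabilities = high.
    level = ("high" if can_read_otp and can_act_for_user
             else "medium" if can_read_otp or can_act_for_user else "low")
    return {"package": root.get("package"), "sms_permissions": sms_perms,
            "sms_receivers": sms_rx, "accessibility_services": a11y,
            "level": level}


# Constructed sample manifests (hypothetical package and class names).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsTap" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(triage_manifest(sample))
```

A 'high' result means the app declares both the ability to read incoming OTPs and the ability to act on screen for the user; legitimate apps can request either, so the result is a prompt for review, not a verdict.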
The Safe Side
As the world evolves, the digital landscape does too, bringing new opportunities—and new risks. Scammers are becoming more sophisticated, exploiting vulnerabilities to their advantage. In our special feature series, we delve into the latest cybercrime trends and provide practical tips to help you stay informed, secure, and vigilant online.
