Evil Ant

Malware

⚠️ Overview

Evil Ant is an Android banking trojan first documented in August 2023 by the Cyble Research and Intelligence Labs (CRIL). It targets users in India by masquerading as legitimate applications such as "BSE Investor" (a real stock market app) and "Fino Pay" (a payment service). The malware is classified as a credential stealer and remote access trojan (RAT), designed to exfiltrate SMS messages, contact lists, and screen content while intercepting two-factor authentication (2FA) codes. According to CRIL’s August 2023 report, the operators remain unaffiliated with known APT groups, suggesting a low‑sophistication criminal actor.

🔧 Technical Capabilities

Evil Ant abuses Android’s Accessibility Service permissions to perform overlay attacks, capture keystrokes, and automatically grant additional permissions without user awareness. It communicates with a command‑and‑control (C2) server using HTTP POST requests with AES‑encrypted payloads, exfiltrating device information such as IMEI, installed apps, and contact lists. The malware propagates through phishing websites hosted on free domains (e.g., “bseinvestor[.]live”) and social engineering messages on WhatsApp. Persistence is achieved by registering itself as a device administrator and suppressing removal notifications. For evasion, it checks whether a debugging app or emulator is present and halts execution if detected; it also obfuscates its code using ProGuard and string encryption (MITRE ATT&CK technique T1027.001 – Obfuscated Files or Information). The C2 infrastructure frequently rotates domains; Cyble observed domains like “bseinvestor[.]live” and “finopay[.]vip”.

📜 History & Notable Incidents

The first public report was published by Cyble on August 3, 2023, detailing a campaign that impersonated India’s Bombay Stock Exchange (BSE). No high‑profile corporate or government victims have been officially named, but Cyble noted that the malware had already been actively distributed via WhatsApp groups targeting retail investors. No CVEs are associated with Evil Ant as it exploits user permissions rather than operating system vulnerabilities. Law enforcement actions are not documented as of September 2024.

🔍 Detection Indicators

Known SHA‑256 hashes provided by Cyble include 7b1f6e8f3c2d4a9b0c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7 (from the BSE Investor variant); note that the value as printed here is 63 hexadecimal characters, one short of a full SHA‑256 digest, so check it against the original Cyble report before putting it in a blocklist. Behavioral indicators include the package name “com.bse.investor” (sideloaded) requesting Accessibility Service and Device Admin privileges shortly after installation. Network IOCs include HTTP POST requests to domains ending in “.live” and “.vip” carrying a base64‑encoded payload with “device_id” and “app_list” parameters. Windows‑style registry keys do not apply; on Android, persistence is achieved through a DeviceAdminReceiver, which is visible under Settings > Device admin apps.
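The C2 behaviour described under Technical Capabilities and the network and hash indicators listed above can be turned into a simple log check. The following is an added example, not code from the catalogue page or from Cyble: it refangs the listed domains, validates the printed hash (which the length check rejects, since it is 63 characters), and scans a constructed, simplified proxy log in the form `METHOD host path [base64-body]` for POSTs to the named TLDs whose decoded body carries the `device_id` and `app_list` parameters. The log format and sample lines are assumptions; real proxy logs differ.

```python
"""Added example (not code from the catalogue page or from Cyble): flag the
network behaviour described in the page's indicators in HTTP proxy logs and
sanity-check the listed IOCs. Assumption: a constructed, simplified log format
of 'METHOD host path [base64-body]'; real proxy formats differ."""
import base64
import binascii
import re
from urllib.parse import parse_qs

# IOCs copied from the page (defanged). The hash is copied exactly as printed.
PAGE_DOMAINS_DEFANGED = ["bseinvestor[.]live", "finopay[.]vip"]
PAGE_SHA256_AS_PRINTED = (
    "7b1f6e8f3c2d4a9b0c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7"
)
SUSPECT_TLDS = (".live", ".vip")           # TLDs named in the indicators
EXFIL_PARAMS = {"device_id", "app_list"}   # parameters named in the indicators


def refang(domain: str) -> str:
    """Turn a defanged 'host[.]tld' into a matchable 'host.tld'."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower()


KNOWN_C2 = {refang(d) for d in PAGE_DOMAINS_DEFANGED}


def is_valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is a typo
    or a truncated copy and must not go into a blocklist as-is."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def decode_body(body: str):
    """Strictly decode a base64 body to text; None if it is not base64/UTF-8."""
    try:
        return base64.b64decode(body, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def classify(line: str) -> list:
    """Return the reasons (possibly none) a log line matches the pattern."""
    parts = line.split(" ", 3)
    if len(parts) < 3:
        return []
    method, host = parts[0].upper(), parts[1].lower()
    body = parts[3] if len(parts) == 4 else ""
    reasons = []
    if host in KNOWN_C2:
        reasons.append("known C2 domain")
    if method == "POST" and host.endswith(SUSPECT_TLDS):
        decoded = decode_body(body)
        if decoded is not None and EXFIL_PARAMS <= set(parse_qs(decoded)):
            reasons.append("base64 POST carrying device_id and app_list")
    return reasons


def scan_log(lines) -> dict:
    """Map line index -> reasons for every line that matched."""
    hits = {}
    for i, line in enumerate(lines):
        reasons = classify(line)
        if reasons:
            hits[i] = reasons
    return hits


def _b64(params: bytes) -> str:
    return base64.b64encode(params).decode("ascii")


# Constructed sample lines: two that should match, three that must not
# (a GET, a benign POST on a .vip shop, and a telemetry POST on a non-suspect TLD).
SAMPLE_LOG = [
    "POST bseinvestor.live /gate.php "
    + _b64(b"device_id=356938035643809&app_list=com.bank.one,com.pay.two"),
    "GET cdn.example.net /assets/logo.png",
    "POST shop.example.vip /checkout " + _b64(b"order=1042&total=19.99"),
    "POST finopay.vip /upload "
    + _b64(b"device_id=356938035643809&app_list=com.bank.one&contacts=3"),
    "POST api.example.com /v1/telemetry " + _b64(b"device_id=1&app_list=2"),
]

if __name__ == "__main__":
    print("printed hash usable as-is:", is_valid_sha256(PAGE_SHA256_AS_PRINTED))
    for idx, why in scan_log(SAMPLE_LOG).items():
        print(idx, SAMPLE_LOG[idx].split(" ")[1], why)
```

The domain match and the payload-shape match are kept as separate reasons so that a rotated C2 domain the IOC list does not yet contain still surfaces on the second rule, while a benign POST to a `.vip` site that lacks the two parameters stays quiet.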

☠️ Risk & Impact

Evil Ant directly targets financial credentials by overlaying fake login screens over banking apps and intercepting SMS‑based 2FA tokens. This can lead to unauthorized fund transfers, account takeover, and reputational damage for the impersonated brands (BSE, Fino Pay). The primary affected sector is retail banking and stock trading in India; no industry‑wide financial loss estimates have been published.

🛡️ Mitigation

Users should avoid sideloading apps from untrusted sources and disable “Install from unknown apps” for messaging apps like WhatsApp. Organizations should deploy mobile threat defense solutions (e.g., Lookout, Zimperium) that detect accessibility‑service abuse, and enable Google Play Protect scanning. Security teams can create YARA rules for the known package names and C2 domains listed in Cyble’s IOCs (source: Cyble Blog, August 2023).
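One concrete form of the "detect accessibility-service abuse" advice is a rule-based triage of installed packages against the behavioural indicators this page gives (a sideloaded app that declares both accessibility and device-admin bindings, overlay plus SMS access, or the listed package name). The following is an added example, not the page's code or any vendor's product logic. The permission strings are real Android constants and `com.android.vending` is the real Play Store installer name; the records, the trusted-installer list and the tiering thresholds are this example's own assumptions.

```python
"""Added example (not the page's or any vendor's code): rule-based triage of
installed packages using the behavioural indicators described on the page,
the kind of check an MTD policy or an MDM inventory review performs.
Assumption: each record is a constructed (package, installer, declared
permissions) tuple as an inventory export might provide; the permission
strings are real Android constants, the tiers are this example's own."""

ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # declared on the service
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"            # declared on the receiver
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

KNOWN_BAD_PACKAGES = {"com.bse.investor"}        # package name listed on the page
TRUSTED_INSTALLERS = {"com.android.vending"}     # Play Store (assumption: the only trusted source)


def triage(package: str, installer: str, permissions) -> dict:
    """Return a tier and the findings that produced it for one package."""
    perms = set(permissions)
    sideloaded = installer not in TRUSTED_INSTALLERS
    findings = []
    if package in KNOWN_BAD_PACKAGES:
        findings.append("package name matches published IOC")
    if ACCESSIBILITY in perms and DEVICE_ADMIN in perms:
        findings.append("accessibility + device admin (persistence pattern)")
    if ACCESSIBILITY in perms and OVERLAY in perms:
        findings.append("accessibility + overlay (credential-overlay capability)")
    if perms & SMS_PERMS and (ACCESSIBILITY in perms or OVERLAY in perms):
        findings.append("SMS access alongside overlay/accessibility (2FA interception)")
    if sideloaded and (ACCESSIBILITY in perms or DEVICE_ADMIN in perms):
        findings.append("sideloaded app binding accessibility/device admin")
    # Tiering (this example's own): an IOC match or three combined findings
    # is high; any single finding is medium; a lone capability from a trusted
    # store (a screen reader, an SMS client) stays low.
    if package in KNOWN_BAD_PACKAGES or len(findings) >= 3:
        tier = "high"
    elif findings:
        tier = "medium"
    else:
        tier = "low"
    return {"package": package, "tier": tier, "findings": findings}


def triage_all(records) -> list:
    """Triage every (package, installer, permissions) record."""
    return [triage(pkg, inst, perms) for pkg, inst, perms in records]


# Constructed inventory: the IOC package, a Play-installed SMS client, a
# Play-installed screen reader, and an unknown sideloaded wallet app.
SAMPLE_INVENTORY = [
    ("com.bse.investor", "com.google.android.packageinstaller",
     {ACCESSIBILITY, DEVICE_ADMIN, OVERLAY, "android.permission.READ_SMS",
      "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
      "android.permission.INTERNET"}),
    ("com.example.smsclient", "com.android.vending",
     {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
      "android.permission.READ_CONTACTS"}),
    ("com.example.screenreader", "com.android.vending", {ACCESSIBILITY}),
    ("com.example.wallet", "com.google.android.packageinstaller",
     {ACCESSIBILITY, OVERLAY, "android.permission.INTERNET"}),
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_INVENTORY):
        print(result["tier"].upper(), result["package"], result["findings"])
```

The rules deliberately key on combinations and install source rather than on any one permission: accessibility alone from the Play Store describes a legitimate screen reader, and SMS access alone describes a messaging client, so neither raises a finding on its own.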


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.