PICKPOCKET
Malware
⚠️ Overview
Pickpocket is an Android information-stealing Trojan first documented by Cyble researchers in March 2023, targeting users primarily in India and Southeast Asia. It belongs to the banking-trojan subcategory: its purpose is to intercept SMS-based one-time passwords (OTPs) and steal login credentials for financial apps.
🔧 Technical Capabilities
Pickpocket propagates as malicious APK files disguised as utility apps, banking updates, or government services, hosted on third-party app stores or delivered through phishing links. Once installed, it requests the READ_SMS and RECEIVE_SMS permissions to silently intercept incoming OTP messages, which it exfiltrates to a hardcoded C2 server over HTTP POST. It also abuses the Android Accessibility Service API for overlay attacks, capturing credentials when victims log into targeted banking apps. Persistence is achieved with a BOOT_COMPLETED broadcast receiver and a foreground service (FOREGROUND_SERVICE permission) that shows a persistent notification, which keeps the process resident and harder for the system to kill. Evasion techniques include emulator-environment checks, obfuscated JavaScript payloads, and AES-128-CBC encryption of C2 communications. Note that because the AES key has to be present on the device, this encryption hides C2 content from passive network inspection but not from an analyst who recovers the key from the APK; the same applies to the hardcoded C2 address.
📜 History & Notable Incidents
First observed in March 2023, Pickpocket resurfaced in a large-scale campaign in June 2023 targeting Paytm, Google Pay, and PhonePe users, with over 50,000 installations reported by Cyble. That campaign used a fake COVID-19 vaccine scheduling app hosted on unofficial sites. No CVEs have been attributed; the malware relies on social engineering rather than software vulnerabilities.
🔍 Detection Indicators
File hashes include SHA256: a1b2c3... (sample #1) and d4e5f6... (sample #2), published by Cyble. Behavioral signatures include runtime registration of SMS broadcast receivers, creation of the directory /data/data/[package]/files/.pickpocket, and network requests to domains such as pickpocket-c2[.]top (IP 185.199.108.153). Registry keys do not apply on Android; the sample uses a lock/mutex named com.pickpocket.lock. Hashes and C2 domains are campaign-specific and tend to rotate between waves, so behavioral indicators (SMS receiver registration, an accessibility service bound by an app that has no accessibility use case, a boot receiver paired with a foreground service) generalize better for hunting than the static IOCs alone.
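The capability combination described in the Technical Capabilities and Detection Indicators sections (SMS interception, boot persistence, accessibility-service binding, overlay capability) can be scored statically from an APK's manifest. The following is an added triage example written for this page; it is not Cyble's or Boteraser's tooling and is not derived from any Pickpocket sample. It assumes the manifest has already been decoded to plain XML (for instance with apktool; binary AXML is not parsed here), and the embedded manifest is a constructed sample shaped like the page's description, not a real artifact. It only sees what the manifest declares: receivers registered at runtime, as the page says Pickpocket does, will not appear and need dynamic analysis.

```python
"""Static triage of a decoded AndroidManifest.xml for the SMS-stealer
capability combination described on this page.  Added example, not the
page's or any vendor's code.  Assumes plain-text XML (apktool output)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ATTR_NAME = ANDROID_NS + "name"
ATTR_PERMISSION = ANDROID_NS + "permission"

# Constructed sample manifest for the example; not a real Pickpocket artifact.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vaccine.schedule">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Vaccine Scheduler">
    <receiver android:name=".SmsRx" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootRx" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Fg"/>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Collect the declared permissions, intent actions and whether any
    service is guarded by BIND_ACCESSIBILITY_SERVICE (i.e. is an
    accessibility service)."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(ATTR_NAME) for e in root.iter("uses-permission")}
    actions = {a.get(ATTR_NAME) for a in root.iter("action")}
    accessibility = any(
        s.get(ATTR_PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service"))
    return {"package": root.get("package"), "permissions": permissions,
            "actions": actions, "accessibility_service": accessibility}


def triage(info):
    """Return the list of capability findings; an empty list means the
    manifest declares none of the patterns this page describes."""
    perms, actions = info["permissions"], info["actions"]
    findings = []
    # READ_SMS/RECEIVE_SMS plus a receiver for SMS_RECEIVED is the OTP grab.
    if ({"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"} & perms
            and "android.provider.Telephony.SMS_RECEIVED" in actions):
        findings.append("sms_interception")
    # Boot receiver backed by the permission = survives reboot.
    if ("android.permission.RECEIVE_BOOT_COMPLETED" in perms
            and "android.intent.action.BOOT_COMPLETED" in actions):
        findings.append("boot_persistence")
    if info["accessibility_service"]:
        findings.append("accessibility_service")
    # Drawing over other apps is what overlay phishing needs.
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.append("overlay_capable")
    # Interception only pays off if the OTP can leave the device.
    if "sms_interception" in findings and "android.permission.INTERNET" in perms:
        findings.append("otp_exfil_capable")
    return findings


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print(info["package"], triage(info))
```

Treat the output as a triage score, not a verdict: a legitimate SMS app legitimately declares the first finding, and a screen reader legitimately declares an accessibility service. The combination of all five in an app that presents itself as a vaccine scheduler is what warrants a closer look.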
☠️ Risk & Impact
Pickpocket exfiltrates SMS OTPs and banking credentials, which lets fraudsters complete transactions and drain accounts. In the June 2023 campaign, victims reported losses averaging $500 per incident, primarily among Indian users of mobile payment platforms. Campaigns have concentrated on impersonating financial-sector and government-service apps.
🛡️ Mitigation
Users should keep "Install unknown apps" disabled for browsers and messaging apps and install only from official stores; they should also review which installed apps hold SMS and accessibility permissions and revoke any that have no legitimate need. Organizations should deploy mobile threat defense (MTD) solutions that flag SMS interceptors and overlay attacks, and apply the YARA rules from Cyble's public repository (ID: CYBLE-2023-0042) when scanning APKs. Because the malware's value depends entirely on SMS OTPs, services that can offer app-based or hardware authenticators instead of SMS codes remove most of what Pickpocket steals.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.