Over 25 mn devices at risk: What is FatBoyPanel, the new malware targeting Indian users?

Indian Express

25-04-2025

A dairy businessman, 44, from Dharashiv, received a WhatsApp call from someone posing as a bank official. The caller warned him that his account would be suspended unless updated immediately. When the victim panicked and asked how this issue could be resolved, the 'official' offered a simple solution – downloading a 'banking application,' the link of which would be shared on WhatsApp. The link reached him, and the victim downloaded the Android Package Kit (APK) file and installed it. What followed was 26 rapid transactions that drained his entire bank account.
A sophisticated, malicious piece of software, called malware, was the reason.
This isn't an isolated case. In recent years, scammers have increasingly targeted users through APK files laced with malicious software that hijack devices. This week, we take a closer look at one such malware: FatBoyPanel.
What is malware?
Malware, short for 'malicious software', refers to intrusive programs designed by cybercriminals to steal data or damage systems. Common types include viruses, worms, Trojans, spyware, adware, and ransomware.
Recently, in a blog post on the website of Zimperium, a tech company that provides AI-driven mobile security that protects devices and apps from phishing, malware, and zero-day threats, the company said that their research team has identified a malware that steals from the Indian bank accounts: FatBoyPanel.
What is FatBoyPanel?
Nico Chiaraviglio, chief scientist at Zimperium, told indianexpress.com that FatBoyPanel is a mobile-first banking trojan that has been discovered across nearly 900 different applications, primarily targeting Indian users.
The attack begins with social engineering: scammers pose as officials or trusted entities and approach users via WhatsApp. They then send a malicious APK, encouraging the user to install it.
Once installed, the app gains access to sensitive data and steals one-time passwords (OTPs) to execute unauthorised transactions.
'FatBoyPanel is mobile-first, optimised for Indian banking apps, and even supports real-time session hijacking. That makes it especially dangerous in the hands of low-skilled attackers,' said Akshat Khetan, a cyber-legal expert and founder of AU Corporate Advisory and Legal Services (AUCL).
What distinguishes this malware?
'It uses a centralised command structure that controls multiple variants across campaigns, abuses live phone numbers for OTP redirection, and has exfiltrated data from over 25 million devices. This makes it far more organised and dangerous than traditional banking trojans. It is also a new banker trojan that shows constant evolution of threat actors,' Chiaraviglio said.
The malware requests permission to read SMS messages, enabling it to capture OTPs and bypass two-factor authentication in real time. 'It hides its icon after installation and disables Google Play Protect, allowing it to stay hidden and maintain access,' Chiaraviglio said.
'Once permissions are granted, it embeds itself into the system and communicates with its control panel,' Khetan said,
Breach fueled by social engineering
The attackers pose as government agencies or trusted services, sending fake APKs via WhatsApp. This social engineering drives up installation rates,' Chiaraviglio said.
He also shared some numbers: Over 1,50,000 stolen messages were found on the attacker panel, with more than 25 million compromised device records, highlighting the massive scale of this breach. 'The breach exposes how easily users can be manipulated into side-loading apps and how SMS-based OTPs remain a weak link, especially in regions relying on them for banking authentication,' he said.
Pavan Karthick M, threat researcher III at CloudSEK, said, 'This campaign, active since late 2023, uses consistent infrastructure across all samples–FatBoyPanel. It's part of a growing trend where everyday platforms host Command and Control (C2) servers, giving cybercriminals both scalability and operational cover.'
Khetan elaborated on how the malware acts: 'Once deployed, the malware can intercept SMS-based OTPs, log credentials and perform keylogging. It may also use Accessibility Services to perform actions on behalf of the user such as initiating fund transfers within banking apps. In some cases, attackers use remote access tools (RATs) embedded in the payload to execute transactions manually from the victim's device, bypassing traditional fraud detection mechanisms.
How to protect yourself
– Avoid sideloading APKs: Only use official app stores.
– Enable Google Play Protect: Keep it on to scan for harmful apps.
– Use mobile security software: Opt for real-time threat detection.
– Verify app sources: Never trust unknown or unofficial links.
– Check app permissions: Avoid granting SMS, call, or gallery access to unverified apps.
Some malware can even delete itself to avoid detection, making user vigilance critical. 'To better protect users, banks must move away from SMS-based OTPs and embrace stronger multi-factor authentication. In-app protections and local-language awareness campaigns are also key,' Chiaraviglio said.
The Safe Side
As the world evolves, the digital landscape does too, bringing new opportunities—and new risks. Scammers are becoming more sophisticated, exploiting vulnerabilities to their advantage. In our special feature series, we delve into the latest cybercrime trends and provide practical tips to help you stay informed, secure, and vigilant online.