Stay ahead with the latest tech insights, tutorials, and industry trends - TechToolsTalk

Advanced Mobile Trojan–Driven eWallet Fraud: Anatomy of Remote Access Attacks and Defense Strategies

A Technical Analysis of Smart Device Compromise, Credential Harvesting, and the Role of Biometric-Based 3FA in Preventin



Below is a step-by-step technical analysis of the smart-device, remote-access fraud pattern observed against Sonali eWallet customers: how the attacks unfold, why PIN and OTP alone do not stop them, and what a biometric third factor changes.

1. 🔍 Type of Attack Observed (Technical Breakdown)

These incidents are a combined attack:

Mobile Remote Access Trojan (RAT) + Phishing + Social Engineering

🧩 Step 1: Malicious SMS with Embedded RAT Link

Fraudsters send SMS messages such as:

• "Verify your balance"
• "Prevent eWallet suspension"

The link usually leads to one of:

• A direct APK download posing as the wallet app or a "security update"
• A small dropper app that fetches the real RAT payload after it is installed
• A fake security-update page that walks the victim through the install prompts

Android does not install a sideloaded APK silently, and a web page cannot switch on an Accessibility Service by itself; both need the victim to tap through system prompts. The page therefore coaches the victim through each step ("Allow from this source", "Install", then "Turn on" under Accessibility settings), presenting all of it as part of securing the account.

➡ Result: a Trojan application is installed with Accessibility Service access, the capability every later step depends on.

🧩 Step 2: Accessibility Abuse & Device Takeover

With Accessibility Service access, the Trojan can:

• Read the content of whatever is on screen, including text the user enters
• Log keystrokes and PIN-pad taps
• Draw overlays on top of the genuine wallet app (fake login screens, or a blank screen)
• Inject taps and gestures, so the attacker operates the phone remotely through the command-and-control (C2) server

As a result, fraudsters can see:

• What the user types
• Which apps are opened
• OTP (read from the incoming SMS or its notification)
• PIN

🧩 Step 3: Command to Freeze Device (UI Lock)

The Trojan receives commands from its server to:

• Overload the CPU so the phone stalls
• Stack overlays on top of each other
• Dim the screen to black
• Trigger crash loops in other apps

Result:

📱 Device hangs or the screen goes dark
📱 Touch becomes unresponsive

The victim believes the phone has frozen; in reality the attacker is operating it underneath the overlay, and the lock stops the victim from seeing or interrupting the session. This is referred to here as an:

👉 Intentional Device Lock Attack

🧩 Step 4: Real-Time Credential Harvesting

When the customer logs in to Sonali eWallet, the Trojan transmits in real time:

• PIN
• OTP
• Session token

Fraudsters immediately use these credentials from their own systems. Because the OTP is captured live, it is still inside its validity window, so the time limit that normally protects it does not help.

🧩 Step 5: Fraudulent Fund Transfer via NPSB

Fraudsters use:

• Valid PIN
• Valid OTP
• Active session

to execute fund transfers within 5–10 minutes.

Why Current 2FA Fails

2FA consists of:

• Something you know → PIN
• Something you have → OTP (proof of possession of the phone and SIM the OTP is sent to)

Both factors are entered on, or delivered to, the same device. When malware is present on that device, both factors are compromised.

Therefore:

The device itself becomes attacker-controlled.

Why the Proposed 3FA Is Effective

Biometric authentication represents:

👉 Something you are

Fraudsters cannot obtain this factor remotely:

• A fingerprint cannot be typed into a phishing page or read off the screen
• A face cannot be keylogged, and a remote operator cannot present it to the sensor

Even if PIN and OTP are known:

Transactions cannot be executed without biometric verification.

One design requirement makes this hold against a device-level RAT. The biometric check must not simply hand the app a "passed" flag, which malware with full control of the device could try to bypass or to trigger through a deceptive overlay. It should instead unlock a hardware-backed key that signs the transaction details (payee, amount, a server-issued nonce), with the server verifying that signature, and the confirmation screen must display those same details so the user authenticates the transaction they intend, not one the attacker has prepared underneath an overlay.

Architecture View

User → PIN
User → OTP
User → Biometric
  ↓
Sonali eWallet → Risk Engine → Approve

Devices Without Biometric Capability

A threshold-based control using a Risk-Based Authentication (RBA) model:

Amount          Authentication Required
≤ BDT 10,000    2FA
> BDT 10,000    3FA

This approach:

• Reduces fraud impact: a compromised legacy device can lose at most the 2FA-tier amount per transfer, and a velocity limit caps the total
• Preserves service for legacy devices

Recommended Add-ons (Security Hardening)

To further strengthen the model:

• Device Binding (device fingerprint hash plus a hardware-backed key; apps cannot read the IMEI on Android 10 and later, so it cannot be the basis of binding)
• Behavioral Biometrics (typing pattern, touch pressure)
• Transaction Velocity Check (auto-block on rapid transfers)
• Silent Push Approval (out-of-band confirmation; it is only out-of-band if the push goes to a second registered device or channel, not to the compromised phone)
• Jailbreak / Root Detection (together with a check for enabled Accessibility Services, since the RAT needs that permission, and platform integrity attestation where available)
...
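The threshold table and the add-ons above, as a runnable example that is not code from Sonali eWallet or from this article: a small Go risk engine that applies the BDT 10,000 step-up, a transaction velocity limit, and, for the 3FA tier, verifies a biometric-gated signature over the transfer details instead of trusting a bare "biometric passed" flag. Everything not stated on the page is an assumption made for the demo: the velocity window and count, the account and payee identifiers, the nonce values, and a software P-256 key standing in for the Android hardware keystore key; `Evaluate` assumes PIN and OTP were already verified, which in the fraud pattern above they are.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Tiers from the threshold table (amounts in BDT); the velocity numbers are assumed.
const (
	stepUpThreshold   int64 = 10000 // > BDT 10,000 requires the biometric third factor
	velocityWindowSec int64 = 600   // assumed 10-minute window for the velocity check
	velocityMax             = 3     // assumed approved transfers allowed per window
)

type Decision string
const Approve, Deny, Require3FA Decision = "approve", "deny", "require_3fa"

// Transfer is one fund-transfer request as the server sees it.
type Transfer struct {
	Account, Payee string
	Amount         int64
	Nonce          string // server-issued, single-use challenge for this transfer
	At             int64  // unix seconds
}

// canonical is the exact message the device signs; with payee, amount and nonce inside it, a captured signature is useless for any other transfer.
func canonical(t Transfer) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%s", t.Account, t.Payee, t.Amount, t.Nonce)))
	return h[:]
}

type RiskEngine struct {
	deviceKeys map[string]*ecdsa.PublicKey // enrolled device-bound public key per account
	approved   map[string][]int64          // unix times of approved transfers per account
	usedNonces map[string]bool             // nonces already consumed by a signed transfer
}

func NewRiskEngine() *RiskEngine {
	return &RiskEngine{map[string]*ecdsa.PublicKey{}, map[string][]int64{}, map[string]bool{}}
}

// Enroll stores the device public key at onboarding (key attestation would be checked here).
func (r *RiskEngine) Enroll(account string, pub *ecdsa.PublicKey) { r.deviceKeys[account] = pub }
// GenerateDeviceKey stands in for the keystore key the app would create with user authentication required; a software P-256 key runs anywhere.
func GenerateDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// DeviceSign simulates the app after BiometricPrompt succeeds: the biometric unlocks the key, which signs the transfer the user was shown.
func DeviceSign(priv *ecdsa.PrivateKey, t Transfer) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, canonical(t))
}

// Evaluate runs after PIN and OTP were verified and checks, in order: velocity, amount tier, then the device signature.
func (r *RiskEngine) Evaluate(t Transfer, sig []byte) (Decision, string) {
	recent := 0
	for _, ts := range r.approved[t.Account] {
		if t.At-ts <= velocityWindowSec {
			recent++
		}
	}
	if recent >= velocityMax {
		return Deny, "velocity limit: rapid successive transfers"
	}
	if t.Amount <= stepUpThreshold {
		r.approved[t.Account] = append(r.approved[t.Account], t.At)
		return Approve, "2fa tier"
	}
	pub, ok := r.deviceKeys[t.Account]
	if !ok {
		return Deny, "3fa tier but no enrolled biometric-capable device"
	}
	if sig == nil {
		return Require3FA, "biometric-signed confirmation required"
	}
	if r.usedNonces[t.Nonce] {
		return Deny, "nonce already used (replay)"
	}
	if !ecdsa.VerifyASN1(pub, canonical(t), sig) {
		return Deny, "signature does not match transfer details"
	}
	r.usedNonces[t.Nonce] = true
	r.approved[t.Account] = append(r.approved[t.Account], t.At)
	return Approve, "3fa tier"
}
func main() {
	eng := NewRiskEngine()
	priv, _ := GenerateDeviceKey()
	eng.Enroll("wallet-001", &priv.PublicKey) // constructed account id
	big := Transfer{Account: "wallet-001", Payee: "merchant-42", Amount: 50000, Nonce: "c7f1", At: 1700000000}
	fmt.Println(eng.Evaluate(big, nil)) // over BDT 10,000 and no signature yet: require_3fa
	sig, _ := DeviceSign(priv, big)     // user confirms payee and amount with a biometric
	stolen := Transfer{Account: big.Account, Payee: "mule-account", Amount: big.Amount, Nonce: big.Nonce, At: big.At}
	fmt.Println(eng.Evaluate(stolen, sig)) // RAT operator reuses the captured signature for another payee: deny
	fmt.Println(eng.Evaluate(big, sig))    // the transfer the user actually confirmed: approve
}
```

The point of signing `canonical()` instead of returning a boolean is that the RAT, even with full screen control, can only obtain a signature for the transfer the user actually confirmed; changing the payee or replaying the signature fails on the server. On Android this corresponds to a key generated with `setUserAuthenticationRequired(true)` and used through `BiometricPrompt.CryptoObject`, with the key attestation chain checked at `Enroll`; the velocity limit also applies to the 2FA tier, which is what bounds losses on devices that cannot reach the 3FA tier.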
Conclusion

The investigated fraud incidents demonstrate a clear shift from traditional phishing toward mobile malware-driven attacks in which the customer's own device becomes the primary attack surface. In such scenarios, PIN- and OTP-based authentication alone no longer provides adequate protection, because both factors are captured as soon as the device is compromised. Making biometric authentication a mandatory third factor, bound to the details of the transaction it approves and supported by risk-based thresholds and additional device- and behaviour-based controls, establishes a stronger, layered security posture. This significantly reduces the likelihood and impact of unauthorized transfers, and it aligns Sonali eWallet with modern strong customer authentication principles and regulatory expectations, supporting customer trust and the platform's long-term resilience.
