Executive Summary

Cyble Research and Intelligence Labs (CRIL) has uncovered an ongoing Android malware tracker named “SikkahBot,” active since July 2024 and explicitly targeting students in Bangladesh. Disguised as applications from the Bangladesh Education Board, the malware lures victims with promises of scholarships, coerces them into sharing sensitive information, and grants high-risk permissions. Once installed, SikkahBot harvests personal and financial data, intercepts SMS messages, abuses the Accessibility Service, and executes automated banking transactions, including USSD-based operations.

Key Takeaways

• SikkahBot targets Bangladesh explicitly by impersonating the Bangladesh Education Board to distribute fraudulent scholarship apps.
• It is distributed via shortened links that redirect to redirecticious APK download sites, which we suspect are being circulated via smishing attacks.
• It harvests sensitive personal details and payment information (wallet number, PIN, payment type).
• Victims are coerced into granting high-risk permissions, such as Accessibility Service, SMS access, call management, and overlay permissions, which enable deep device control.
• The malware intercepts bank-related SMS, abuses Accessibility Service to autofill credentials in banking apps (bKash, Nagad, DBBL) and executes automated USSD-based transactions.
• Active since July 2024, the malware maintains low detection rates on VirusTotal, while newer variants showcase enhanced automation features, highlighting the threat actors‘ ongoing development.

Overview

Cyble Research and Intelligence Labs (CRIL) has identified a new Android malware, “SikkahBot,” active since July 2024, that specifically targets students in Bangladesh. The malware poses as the Bangladesh Education Board to harvest banking information and carry out unauthorized transactions on infected devices. It is distributed through short links that redirect victims to malicious download URLs, which we suspect are being circulated via smishing attacks. The download URLs associated with this campaign are listed below.

• hxxps://bit[.]ly/Sikkahbord
• hxxps://bit[.]ly/Education-2025
• hxxps://bit[.]ly/Educ-govt
• hxxps://bit[.]ly/app-upobitti
• hxxps://bit[.]ly/D43SJ
• hxxp://sbs[.]short[.]gy/
• hxxps://apped[.]short[.]gy/
• hxxps://downloadapp[.]website/tyup[.]apk
• hxxps://appsloads[.]top/govt[.]apk

Upon installation, SikkahBot prompts users to enter sensitive information and then requests multiple permissions, including enabling the Accessibility Service, to facilitate financial fraud. Its primary techniques include phishing combined with SMS harvesting and automated USSD-based transactions. The technical analysis section provides a detailed breakdown of the malware’s operation.

The initial samples suggested that malware relied on phishing and SMS interception to carry out financial fraud. However, starting this month, we observed that the threat actors have enhanced it with Accessibility Service abuse to enable automated transactions. The figure below highlights the differences between the earlier and the latest variant. (see Figure 1)

Although SikkahBot has been active since July 2024, both recent and older variants remain largely undetected on VirusTotal. Our analysis uncovered more than 10 samples linked to this, suggesting ongoing iterations and development. (see Figure 2)

Technical Analysis

Upon installation, SikkahBot prompts students to sign in using either Google or Facebook. Regardless of the chosen login method, the app then requests the student’s personal details, such as name, department, and institute name, as shown in the figure below. (see Figure 3)

After the student’s details are entered, the application moves on to request payment information, including wallet number, wallet PIN, and payment type. Once this data is provided, the user receives a message stating that a representative will contact them soon. (see Figure 4)

After registration, SikkahBot presents a settings screen prompting the user to grant several permissions, including Accessibility Service, SMS access, call management, and the ability to display over other apps. Once these permissions are approved, the victim is redirected to a home page that shows fake banners showcasing other students supposedly receiving scholarships. (see Figure 5)

It then registers an SMSBroadcast receiver to monitor all incoming text messages on the compromised device. It maintains a list of keywords that include bank names such as “bKash,” “NAGAD,” and “MYGP,” along with specific numbers like “16216,” “26969,” and “009638543210.” If an incoming SMS contains any of these keywords, the message is captured and forwarded to the attacker’s server at hxxps://update-app-sujon-default-rtdb[.]firebaseio.com. (see Figure 6)

Similarly, SikkahBot exploits the Accessibility Service to track user activity on three banking applications, “BKash,” “Nagad”, and “Dutch-Bangla Bank” in Bangladesh. When it detects that the user is interacting with any of these apps, it retrieves a PIN from the Firebase server. It attempts to automatically enter it into the login fields, bypassing user input. (see Figure 7)

If the user is not engaging with targeted banking applications, it switches to executing USSD calls to carry out transactions. It receives the USSD code and SIM slot details from the Firebase server and initiates the call. When the USSD response dialog appears, the malware automatically fills in the required fields and attempts to click buttons labelled “SEND,” “send,” or “ok.” This technique enables the malware to perform transactions without an active internet connection. (see Figure 8 and Figure 9)

The combination of phishing, automated banking activity, and offline USSD exploitation makes it a highly effective tool for financial fraud against unsuspecting students.

Conclusion

The SikkahBot Android malware we identified targeting Bangladesh users leverages phishing, SMS interception, Accessibility Service abuse, and offline USSD automation to execute unauthorized transactions. As the primary targets, students face a heightened risk of identity theft and financial fraud. Its ability to remain undetected and multiple active variants highlight the sophistication and persistence of the threat actors.

Reinforcing the imperative to strengthen mobile security controls, enhance threat visibility, and adopt proactive defense strategies is critical to mitigating this threat.

Cyble’s Threat Intelligence Platforms continuously monitor such emerging threats, phishing infrastructure, and malware activity across diverse sources. This proactive intelligence empowers organizations with early detection, brand and domain protection, infrastructure mapping, and attribution. Altogether, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers.

• Install Apps Only from Trusted Sources:
  Download apps exclusively from official platforms like the Google Play Store. Avoid third-party app stores or links received via SMS, social media, or email.
• Be Cautious with Permissions:
  Never grant accessibility services or overlay permissions unless you’re certain of an app’s legitimacy.
• Watch for Phishing Pages:
  Always verify the URL and avoid suspicious links and websites that ask for sensitive information.
• Enable Multi-Factor Authentication (MFA): Use MFA for banking and financial apps to add an extra layer of protection, even if credentials are compromised.
• Report Suspicious Activity: If you suspect you’ve been targeted or infected, report the incident to your bank and local authorities immediately. Reset credentials and perform a factory reset if needed.
• Use Mobile Security Solutions:Install a mobile security application that includes real-time scanning.
• Keep Your Device Updated: Ensure your Android OS and apps are updated regularly. Security patches often address vulnerabilities exploited by malware.

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)