{"id":468,"date":"2026-03-29T01:33:03","date_gmt":"2026-03-29T01:33:03","guid":{"rendered":"http:\/\/quantusintel.group\/osint\/blog\/2026\/03\/29\/the-fake-yono-update-that-hijacked-whatsapp\/"},"modified":"2026-03-29T01:33:03","modified_gmt":"2026-03-29T01:33:03","slug":"the-fake-yono-update-that-hijacked-whatsapp","status":"publish","type":"post","link":"https:\/\/quantusintel.group\/osint\/blog\/2026\/03\/29\/the-fake-yono-update-that-hijacked-whatsapp\/","title":{"rendered":"The Fake YONO Update That Hijacked WhatsApp"},"content":{"rendered":"

Reverse Engineering a Banking Malware Hidden Inside an\u00a0APK<\/h3>\n
\"\"<\/figure>\n

The Call That Started Everything<\/h3>\n

It started with something that looked completely normal.<\/p>\n

A phone\u00a0call.<\/p>\n

Someone claiming to be from SBI customer support<\/strong> informed the victim that their YONO SBI application needed an urgent\u00a0update<\/strong>.<\/p>\n

The reason sounded serious enough to create\u00a0panic.<\/p>\n

\u201cIf you don\u2019t update your AADHAR NO. tonight, your account will be blocked.\u201d<\/em><\/p><\/blockquote>\n

Moments later, a WhatsApp message\u00a0arrived<\/strong>.<\/p>\n

It contained:
\u2022 a message about YONO update
\u2022 a bank-style image
\u2022 an APK\u00a0file<\/p>\n

Trusting the message, the victim downloaded and installed the\u00a0APK.<\/p>\n

And that is when the real problem\u00a0began.<\/p>\n

As soon as the application was installed, the attacker effectively gained control over the victim\u2019s WhatsApp activity<\/strong>.<\/p>\n

Within minutes, the same message, along with the malicious APK, started appearing in multiple chats and WhatsApp\u00a0groups<\/strong>.<\/p>\n

But this time, the sender was not the attacker.<\/p>\n

It was the\u00a0victim.<\/p>\n

Friends and family began replying:
\u201cDid you send this update?\u201d
\u201cIs this a real SBI app?\u201d
\u201cWhy are you sending this\u00a0APK?\u201d<\/em><\/p>\n

The victim had not sent anything.<\/p>\n

At that moment, it became clear that the installed application was not a banking update at all,<\/strong> it was malware that had taken advantage of the device to spread itself through WhatsApp conversations<\/strong>.<\/p>\n

To understand how this was happening, the suspicious APK was extracted from the phone and moved into a controlled Kali Linux environment<\/strong> for deeper analysis.<\/p>\n

What initially looked like a simple banking update had now become a full malware investigation<\/strong>.<\/p>\n

Attack Chain<\/h3>\n
Attacker call
      \u2193
Fake SBI update message
      \u2193
Victim installs APK
      \u2193
Malware loads second-stage payload
      \u2193
Native library loads configuration
      \u2193
Contacts attacker server
      \u2193
Credential harvesting
      \u2193
Propagation through messaging apps<\/pre>\n
The APK That Refused to\u00a0Open<\/h3>\n
When we first moved the suspicious APK into our Kali Linux analysis environment<\/strong>, something strange happened.<\/p>\n
The APK refused to extract properly<\/strong>.<\/p>\n
Our tools immediately showed errors and corrupted headers<\/strong>. At first it looked like the file was simply\u00a0broken.<\/p>\n
But in malware analysis, a corrupted file is often a deliberate trick<\/strong>.<\/p>\n
Attackers sometimes modify APK structures to:<\/p>\n
\u2022 confuse analysis tools
 \u2022 bypass antivirus scanners
 \u2022 hide malicious payloads deeper inside the\u00a0file<\/p>\n
So instead of giving up, we looked\u00a0deeper.<\/p>\n
And that\u2019s when we found the first surprise.<\/p>\n
The Hidden\u00a0APK<\/h3>\n
Inside the APK\u2019s assets folder<\/strong>, another file was\u00a0hiding.<\/p>\n
SBI Aadhaar Update.apk
        \u2502
        \u2514\u2500\u2500 assets\/
            \u251c\u2500\u2500 dummy.apk
            \u251c\u2500\u2500 Google_Play.png
            \u2514\u2500\u2500 main_ui.html<\/pre>\n
This changed everything.<\/p>\n
The APK that the victim installed was not the real\u00a0malware<\/strong>.<\/p>\n
It was just a\u00a0loader<\/strong>.<\/p>\n
The actual malicious payload was hidden inside dummy.apk<\/strong>.<\/p>\n
This technique is commonly used by Android malware to avoid detection and make analysis\u00a0harder<\/strong>.<\/p>\n
Once we extracted the hidden APK, the real investigation began.<\/p>\n
A Suspicious Native\u00a0File<\/h3>\n
Inside the payload, one file immediately caught our attention:<\/p>\n
libsb1bank.cpp.so<\/pre>\n
This was a native C\/C++ library<\/strong>, which attackers often use to hide important data.<\/p>\n
A quick string scan revealed several interesting function\u00a0names:<\/p>\n
Java_com_service_sb1bank_Helper_FormCode
Java_com_service_sb1bank_Helper_DomainUrl
Java_com_service_sb1bank_Helper_WsJwtSecret<\/pre>\n
Even without fully reversing the code, the names tell us a\u00a0lot.<\/p>\n
The library likely contains:<\/p>\n
\u2022 backend server addresses
 \u2022 authentication secrets
 \u2022 configuration values used by the\u00a0malware<\/p>\n
So the next question was\u00a0obvious.<\/p>\n
Where is the malware connecting to?<\/strong><\/p>\n
The GitHub\u00a0Clue<\/h3>\n
While scanning the files, we discovered a suspicious URL:<\/p>\n
https:\/\/slientkill3r.github.io\/changer6\/<\/pre>\n
At first this looked harmless, it\u2019s hosted on GitHub\u00a0Pages<\/strong>.<\/p>\n
But when we queried it, something unusual appeared.<\/p>\n
Instead of normal text, the page returned an encoded string<\/strong>:
aHR0cHM6Ly9zLm5ld2hlYmhhaWVrZGFtLmNvbS9hcGkvcHVibGljIGh0dHBzOi8vcy5uZXdoZWJoYWlla2RhbS5jb20=<\/p>\n
After decoding it from Base64, the real server appeared:<\/p>\n
https:\/\/s.newhebhaiekdam.com\/api\/public<\/pre>\n
This was the actual backend infrastructure used by the\u00a0malware<\/strong>.<\/p>\n
Why Attackers Use\u00a0GitHub<\/h3>\n
This trick is actually very\u00a0clever.<\/p>\n
Instead of storing the real command server inside the malware, the application first contacts\u00a0GitHub<\/strong>.<\/p>\n
The flow looks like\u00a0this:<\/p>\n
Infected phone
      \u2193
GitHub configuration page
      \u2193
Encoded server address
      \u2193
Attacker backend<\/pre>\n
This allows attackers to change their server anytime<\/strong> without modifying the malware\u00a0itself.<\/p>\n
It also helps them avoid detection because GitHub traffic usually looks legitimate<\/strong>.<\/p>\n
The Fake Banking Interface<\/h3>\n
Another file inside the APK revealed how the attackers planned to steal information.<\/p>\n
main_ui.html<\/pre>\n
This file is a fake banking login\u00a0page<\/strong>.<\/p>\n
The malware loads it using Android WebView<\/strong>, making it appear like a normal banking\u00a0screen.<\/p>\n
Victims may\u00a0enter:<\/p>\n
\u2022 bank account details
 \u2022 ATM PIN
 \u2022 Aadhaar information
 \u2022 OTP\u00a0codes<\/p>\n
Those details are then sent directly to the attacker\u2019s server.<\/p>\n
Identifying the Fake YONO Application<\/h3>\n
During device inspection another crucial observation was\u00a0made.<\/p>\n
Two YONO applications<\/strong> were installed on the victim\u2019s\u00a0device.<\/p>\n
One was the legitimate application from the Play\u00a0Store.<\/p>\n
\"\"
Legit APP<\/figcaption><\/figure>\n
The other was the malicious application.<\/p>\n
\"\"
Fake APP<\/figcaption><\/figure>\n
This small visual difference can easily mislead users into believing the application is authentic.<\/p>\n
The malicious application also attempted to mimic the legitimate interface to avoid suspicion.<\/p>\n
Incident Response<\/h3>\n
Once the malicious application was confirmed, immediate response actions were\u00a0taken.<\/p>\n
Steps performed included:<\/p>\n
\u2022 identifying and removing the fake YONO application
\u2022 deleting the malicious APK file from device storage
\u2022 performing a full factory reset of the device
\u2022 advising the victim to change banking credentials<\/p>\n
Indicators of Compromise<\/h3>\n
File Hash:
<\/strong>5a5196ec52e0a3485b3aa4385cd17c59bbcfc54163bd9f17baef606216c7d250<\/p>\n
Domains:
<\/strong>slientkill3r.github.io
s.newhebhaiekdam.comm<\/p>\n
Malware Package:
<\/strong>com.service.sb1bank<\/p>\n
Native Library:
<\/strong>libsb1bank.cpp.so<\/p>\n
Conclusion<\/h3>\n
This investigation demonstrates how attackers combine social engineering with Android malware<\/strong> to compromise mobile\u00a0users.<\/p>\n
The attack chain involved several sophisticated techniques:<\/p>\n