SikkahBot Malware Defrauds Students Through Fake Scholarship Apps

A new Android malware campaign called SikkahBot is targeting students in Bangladesh, posing as official apps from the Bangladesh Education Board.

In a rush? Here are the quick facts:

  • Malware collects personal details, banking info, and wallet PINs.
  • It abuses Accessibility Service and intercepts SMS for automated fraud.
  • Active since July 2024, variants remain largely undetected online.

The malware has been active since July 2024, using scholarship promises to deceive users and steal their financial and personal details.

Cyble Research and Intelligence Labs (CRIL) reported that SikkahBot spreads through short links that redirect to malicious APK download sites, likely sent via SMS phishing attacks.

Once installed, the application requires students to enter personal information, including their name, department, and institute details, as well as payment information such as account numbers and PINs.

The malware collects this data before requesting high-risk permissions, such as Accessibility Service, SMS access, call management, and overlay permissions, giving attackers complete control of the devices.

The malware intercepts bank-related SMS messages, uses autofill functions in bKash, Nagad, and Dutch-Bangla Bank apps, and performs automated USSD-based transactions.
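A defender-side triage check for the permission combination described above, as an added example that is not from CRIL or the original article: it reads a decoded AndroidManifest.xml (for instance apktool output) and flags apps that declare SMS, call, and overlay permissions together with an accessibility service. The permission strings are standard Android names chosen here as an assumption, and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Assumed mapping from the capabilities named in the article to standard Android
# permission names; the article does not list exact permission strings.
CAPABILITIES = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "calls": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the high-risk capabilities a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    found = {cap: sorted(perms & requested)
             for cap, perms in CAPABILITIES.items() if perms & requested}
    # An accessibility service is declared as a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE, not requested through <uses-permission>.
    services = [s.get(ANDROID_NS + "name") for s in root.iter("service")
                if s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND]
    if services:
        found["accessibility"] = services
    # Flag only the full combination the article describes.
    flagged = set(found) == {"sms", "calls", "overlay", "accessibility"}
    return {"capabilities": found, "flagged": flagged}

# Constructed sample manifests (not taken from any real app or malware sample).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage_manifest(doc))
```

A flag from this check marks an app for closer review; it is not a verdict, since legitimate apps can hold some of these permissions individually.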

According to CRIL, “The combination of phishing, automated banking activity, and offline USSD exploitation makes it a highly effective tool for financial fraud against unsuspecting students.”

CRIL reports that SikkahBot remains largely undetected on VirusTotal. Additionally, its new versions include advanced automation features, indicating that the attackers continue to refine the campaign. CRIL has identified over 10 active malware samples linked to this campaign.

To protect themselves, CRIL advises students to download apps only from authorized stores, avoid suspicious links, grant dangerous permissions only when necessary, use two-factor authentication on banking apps, and report any suspicious activity to their bank immediately. Installing mobile security software and keeping devices updated are also necessary protection measures.
