![thetirthparmar's tweet photo. They Scammed Money from My Friend’s Uncle with a Fake Axis Bank App, So I Reverse-Engineered the Android RAT Behind It
One month ago, my friend’s uncle received a call from someone pretending to be from “Axis Bank.”
They claimed there was a security issue with his account and convinced him to install a “mandatory update” app.
That “update” was not an update.
It was a stealth Android Remote Access Trojan disguised as a flashlight app:
com.bitmavrick.lumolight
By the time we caught it, the attackers had already withdrawn money from his bank account.
When my friend noticed suspicious OTP spam and unusual activity, she called me.
I exported the APK, moved it to my PC, and started reverse-engineering it solo.
What looked like a normal utility app turned out to be a staged banking malware chain.
The first-stage app used native JNI code as a bootstrapper and hid the real logic behind encrypted assets.
It used AES/CBC asset decryption, where the key was derived from the asset filename plus "1".
Once decrypted, it loaded the next payload in memory using:
dalvik.system.InMemoryDexClassLoader
It also had anti-analysis checks using:
https://api[.]ipapi[.]is/
The app checked for VPN, TOR, proxy, datacenter IPs, and suspicious analysis conditions to avoid researchers and sandboxes.
Inside the hidden payload, I found another package:
com.rolv.saxonnaias
This showed a fake Axis Bank update screen to make the scam look legitimate.
But in the background, it installed real payloads:
Sam[.]AxisBank[.]Mobile
and a companion app:
com[.]kh[.]guamanianprediction
The capabilities were dangerous:
SMS interception
Notification capture
SIM information theft
Device information collection
OTP monitoring
Remote call forwarding using USSD commands
Remote control through cloud config
The attackers controlled infected devices using Firebase Realtime Database.
I found Firebase nodes for device info, call forwarding, SMS forwarding, dynamic Telegram config, bot token, chat ID, and command values.
For exfiltration, the malware used Telegram Bot API methods like:
sendMessage
sendDocument
sendPhoto
The full chain was clear:
Fake bank call → victim installs fake app → staged loader decrypts hidden payload → payload collects sensitive data → attacker controls device using Firebase → stolen data goes to Telegram → money gets withdrawn.
The scary part is how polished this was.
It used native code hiding, encrypted payloads, in-memory DEX loading, anti-analysis checks, fake banking UI, Firebase C2, Telegram exfiltration, SMS stealing, notification stealing, and USSD-based call forwarding.
Despite heavy obfuscation, malformed stage-2 DEX files, native hiding, encrypted blobs, and long-string decoders, I was able to map the full chain.
I recovered the loading logic, decrypted the assets, identified native entry points, exposed the Firebase command schema, and documented the Telegram exfiltration flow.
After completing the analysis, I prepared the findings and reported everything to the authorities.
This case was personal because it affected someone close to my friend.
But it also shows how fast Android banking threats are evolving in India.
Scammers are combining fake bank calls with real malware, cloud infrastructure, and stealthy Android techniques.
For researchers: always look beyond the surface APK. The real payload may be encrypted, loaded in memory, hidden behind JNI, or delivered through staged logic.
#CyberSecurity #AndroidMalware #ReverseEngineering #BankingFraud #ThreatHunting #InfoSec #MobileSecurity #MalwareAnalysis](https://pbs.twimg.com/media/HJ4J9nMbcAAX-yA.jpg)
![thetirthparmar's tweet photo. They Scammed Money from My Friend’s Uncle with a Fake Axis Bank App, So I Reverse-Engineered the Android RAT Behind It
One month ago, my friend’s uncle received a call from someone pretending to be from “Axis Bank.”
They claimed there was a security issue with his account and convinced him to install a “mandatory update” app.
That “update” was not an update.
It was a stealth Android Remote Access Trojan disguised as a flashlight app:
com.bitmavrick.lumolight
By the time we caught it, the attackers had already withdrawn money from his bank account.
When my friend noticed suspicious OTP spam and unusual activity, she called me.
I exported the APK, moved it to my PC, and started reverse-engineering it solo.
What looked like a normal utility app turned out to be a staged banking malware chain.
The first-stage app used native JNI code as a bootstrapper and hid the real logic behind encrypted assets.
It used AES/CBC asset decryption, where the key was derived from the asset filename plus "1".
Once decrypted, it loaded the next payload in memory using:
dalvik.system.InMemoryDexClassLoader
It also had anti-analysis checks using:
https://api[.]ipapi[.]is/
The app checked for VPN, TOR, proxy, datacenter IPs, and suspicious analysis conditions to avoid researchers and sandboxes.
Inside the hidden payload, I found another package:
com.rolv.saxonnaias
This showed a fake Axis Bank update screen to make the scam look legitimate.
But in the background, it installed real payloads:
Sam[.]AxisBank[.]Mobile
and a companion app:
com[.]kh[.]guamanianprediction
The capabilities were dangerous:
SMS interception
Notification capture
SIM information theft
Device information collection
OTP monitoring
Remote call forwarding using USSD commands
Remote control through cloud config
The attackers controlled infected devices using Firebase Realtime Database.
I found Firebase nodes for device info, call forwarding, SMS forwarding, dynamic Telegram config, bot token, chat ID, and command values.
For exfiltration, the malware used Telegram Bot API methods like:
sendMessage
sendDocument
sendPhoto
The full chain was clear:
Fake bank call → victim installs fake app → staged loader decrypts hidden payload → payload collects sensitive data → attacker controls device using Firebase → stolen data goes to Telegram → money gets withdrawn.
The scary part is how polished this was.
It used native code hiding, encrypted payloads, in-memory DEX loading, anti-analysis checks, fake banking UI, Firebase C2, Telegram exfiltration, SMS stealing, notification stealing, and USSD-based call forwarding.
Despite heavy obfuscation, malformed stage-2 DEX files, native hiding, encrypted blobs, and long-string decoders, I was able to map the full chain.
I recovered the loading logic, decrypted the assets, identified native entry points, exposed the Firebase command schema, and documented the Telegram exfiltration flow.
After completing the analysis, I prepared the findings and reported everything to the authorities.
This case was personal because it affected someone close to my friend.
But it also shows how fast Android banking threats are evolving in India.
Scammers are combining fake bank calls with real malware, cloud infrastructure, and stealthy Android techniques.
For researchers: always look beyond the surface APK. The real payload may be encrypted, loaded in memory, hidden behind JNI, or delivered through staged logic.
#CyberSecurity #AndroidMalware #ReverseEngineering #BankingFraud #ThreatHunting #InfoSec #MobileSecurity #MalwareAnalysis](https://pbs.twimg.com/media/HJ4J9mra0AAq2NW.jpg)
![thetirthparmar's tweet photo. They Scammed Money from My Friend’s Uncle with a Fake Axis Bank App, So I Reverse-Engineered the Android RAT Behind It
One month ago, my friend’s uncle received a call from someone pretending to be from “Axis Bank.”
They claimed there was a security issue with his account and convinced him to install a “mandatory update” app.
That “update” was not an update.
It was a stealth Android Remote Access Trojan disguised as a flashlight app:
com.bitmavrick.lumolight
By the time we caught it, the attackers had already withdrawn money from his bank account.
When my friend noticed suspicious OTP spam and unusual activity, she called me.
I exported the APK, moved it to my PC, and started reverse-engineering it solo.
What looked like a normal utility app turned out to be a staged banking malware chain.
The first-stage app used native JNI code as a bootstrapper and hid the real logic behind encrypted assets.
It used AES/CBC asset decryption, where the key was derived from the asset filename plus "1".
Once decrypted, it loaded the next payload in memory using:
dalvik.system.InMemoryDexClassLoader
It also had anti-analysis checks using:
https://api[.]ipapi[.]is/
The app checked for VPN, TOR, proxy, datacenter IPs, and suspicious analysis conditions to avoid researchers and sandboxes.
Inside the hidden payload, I found another package:
com.rolv.saxonnaias
This showed a fake Axis Bank update screen to make the scam look legitimate.
But in the background, it installed real payloads:
Sam[.]AxisBank[.]Mobile
and a companion app:
com[.]kh[.]guamanianprediction
The capabilities were dangerous:
SMS interception
Notification capture
SIM information theft
Device information collection
OTP monitoring
Remote call forwarding using USSD commands
Remote control through cloud config
The attackers controlled infected devices using Firebase Realtime Database.
I found Firebase nodes for device info, call forwarding, SMS forwarding, dynamic Telegram config, bot token, chat ID, and command values.
For exfiltration, the malware used Telegram Bot API methods like:
sendMessage
sendDocument
sendPhoto
The full chain was clear:
Fake bank call → victim installs fake app → staged loader decrypts hidden payload → payload collects sensitive data → attacker controls device using Firebase → stolen data goes to Telegram → money gets withdrawn.
The scary part is how polished this was.
It used native code hiding, encrypted payloads, in-memory DEX loading, anti-analysis checks, fake banking UI, Firebase C2, Telegram exfiltration, SMS stealing, notification stealing, and USSD-based call forwarding.
Despite heavy obfuscation, malformed stage-2 DEX files, native hiding, encrypted blobs, and long-string decoders, I was able to map the full chain.
I recovered the loading logic, decrypted the assets, identified native entry points, exposed the Firebase command schema, and documented the Telegram exfiltration flow.
After completing the analysis, I prepared the findings and reported everything to the authorities.
This case was personal because it affected someone close to my friend.
But it also shows how fast Android banking threats are evolving in India.
Scammers are combining fake bank calls with real malware, cloud infrastructure, and stealthy Android techniques.
For researchers: always look beyond the surface APK. The real payload may be encrypted, loaded in memory, hidden behind JNI, or delivered through staged logic.
#CyberSecurity #AndroidMalware #ReverseEngineering #BankingFraud #ThreatHunting #InfoSec #MobileSecurity #MalwareAnalysis](https://pbs.twimg.com/media/HJ4J9mabkAATkYU.jpg)
Olivia
Online
seth gambone
@GamboneSeth
Full Stack Blockchain Dev | Advanced Fraud Detection Expert | Certified Crypto Engineer (CCE) - @argonexperts | The Future with - @nexuslabs - supercomputing
United States
Joined May 2021
910 Following
154 Followers
1.3K Posts
My team and I are certified in tracing and tracking down stolen cryptocurrency and helping victims recover their funds without an upfront fee.. Also, beware of the numerous bots account claiming to want to help by recommending you to someone else coz they are all SCAM.
You should send a Direct message to me with more details of the scam to get recovery started.
—Seth
My team and I are certified in tracing and tracking down stolen cryptocurrency and helping victims recover their funds without an upfront fee.. Also, beware of the numerous bots account claiming to want to help by recommending you to someone else coz they are all SCAM.
You should send a Direct message to me with more details of the scam to get recovery started.
—Seth
Hello @welch_hail51651 recent tweet about getting scammed got directed to us at Argon Experts Team(AExT); A top private Cybersecurity firm in partnership with Phantom, specialized in Investigating, tracing and tracking, and to recover scammed or stolen cryptocurrencies.
Kindly send a private message providing some more informations about your situation so that we can escalate this appropriately and recover the funds immediately.
Also, beware of impostors and scammers who pose as recovery experts and asks to send a fee to them.
—Seth
WietseWind hi, I just got scammed on my XRP xaman wallet. I just got offered 16k for an NFT but it took the 16k out of my account. This is the address. Is there any way to get it back. Its my life savings
Hello @MARIED85262315 Your recent tweet about getting scammed got directed to us at Argon Experts Team(AExT); A top private Cybersecurity firm in partnership with Phantom, specialized in Investigating, tracing and tracking, and to recover scammed or stolen cryptocurrencies.
Kindly send a private message providing some more informations about your situation so that we can escalate this appropriately and recover the funds immediately.
Also, beware of impostors and scammers who pose as recovery experts and asks to send a fee to them.
—Seth
My team and I are certified in tracing and tracking down stolen cryptocurrency and helping victims recover their funds without an upfront fee.. Also, beware of the numerous bots account claiming to want to help by recommending you to someone else coz they are all SCAM.
You should send a Direct message to me with more details of the scam to get recovery started.
—Seth
@SpacexBeli I wish the Elon I got scammed by was “real”
We all wish for something!
My team and I are certified in tracing and tracking down stolen cryptocurrency and helping victims recover their funds without an upfront fee.. Also, beware of the numerous bots account claiming to want to help by recommending you to someone else coz they are all SCAM.
You should send a Direct message to me with more details of the scam to get recovery started.
—Seth
My team and I are certified in tracing and tracking down stolen cryptocurrency and helping victims recover their funds without an upfront fee.. Also, beware of the numerous bots account claiming to want to help by recommending you to someone else coz they are all SCAM.
You should send a Direct message to me with more details of the scam to get recovery started.
Seth.
@MartinSLewis I also got scammed 60k .my pension .bank no help they said i knew what i was doing .iv lost all x
They Scammed Money from My Friend’s Uncle with a Fake Axis Bank App, So I Reverse-Engineered the Android RAT Behind It
One month ago, my friend’s uncle received a call from someone pretending to be from “Axis Bank.”
They claimed there was a security issue with his account and convinced him to install a “mandatory update” app.
That “update” was not an update.
It was a stealth Android Remote Access Trojan disguised as a flashlight app:
com.bitmavrick.lumolight
By the time we caught it, the attackers had already withdrawn money from his bank account.
When my friend noticed suspicious OTP spam and unusual activity, she called me.
I exported the APK, moved it to my PC, and started reverse-engineering it solo.
What looked like a normal utility app turned out to be a staged banking malware chain.
The first-stage app used native JNI code as a bootstrapper and hid the real logic behind encrypted assets.
It used AES/CBC asset decryption, where the key was derived from the asset filename plus "1".
Once decrypted, it loaded the next payload in memory using:
dalvik.system.InMemoryDexClassLoader
It also had anti-analysis checks using:
https://api[.]ipapi[.]is/
The app checked for VPN, TOR, proxy, datacenter IPs, and suspicious analysis conditions to avoid researchers and sandboxes.
Inside the hidden payload, I found another package:
com.rolv.saxonnaias
This showed a fake Axis Bank update screen to make the scam look legitimate.
But in the background, it installed real payloads:
Sam[.]AxisBank[.]Mobile
and a companion app:
com[.]kh[.]guamanianprediction
The capabilities were dangerous:
SMS interception
Notification capture
SIM information theft
Device information collection
OTP monitoring
Remote call forwarding using USSD commands
Remote control through cloud config
The attackers controlled infected devices using Firebase Realtime Database.
I found Firebase nodes for device info, call forwarding, SMS forwarding, dynamic Telegram config, bot token, chat ID, and command values.
For exfiltration, the malware used Telegram Bot API methods like:
sendMessage
sendDocument
sendPhoto
The full chain was clear:
Fake bank call → victim installs fake app → staged loader decrypts hidden payload → payload collects sensitive data → attacker controls device using Firebase → stolen data goes to Telegram → money gets withdrawn.
The scary part is how polished this was.
It used native code hiding, encrypted payloads, in-memory DEX loading, anti-analysis checks, fake banking UI, Firebase C2, Telegram exfiltration, SMS stealing, notification stealing, and USSD-based call forwarding.
Despite heavy obfuscation, malformed stage-2 DEX files, native hiding, encrypted blobs, and long-string decoders, I was able to map the full chain.
I recovered the loading logic, decrypted the assets, identified native entry points, exposed the Firebase command schema, and documented the Telegram exfiltration flow.
After completing the analysis, I prepared the findings and reported everything to the authorities.
This case was personal because it affected someone close to my friend.
But it also shows how fast Android banking threats are evolving in India.
Scammers are combining fake bank calls with real malware, cloud infrastructure, and stealthy Android techniques.
For researchers: always look beyond the surface APK. The real payload may be encrypted, loaded in memory, hidden behind JNI, or delivered through staged logic.
#CyberSecurity #AndroidMalware #ReverseEngineering #BankingFraud #ThreatHunting #InfoSec #MobileSecurity #MalwareAnalysis
![thetirthparmar's tweet photo. They Scammed Money from My Friend’s Uncle with a Fake Axis Bank App, So I Reverse-Engineered the Android RAT Behind It
One month ago, my friend’s uncle received a call from someone pretending to be from “Axis Bank.”
They claimed there was a security issue with his account and convinced him to install a “mandatory update” app.
That “update” was not an update.
It was a stealth Android Remote Access Trojan disguised as a flashlight app:
com.bitmavrick.lumolight
By the time we caught it, the attackers had already withdrawn money from his bank account.
When my friend noticed suspicious OTP spam and unusual activity, she called me.
I exported the APK, moved it to my PC, and started reverse-engineering it solo.
What looked like a normal utility app turned out to be a staged banking malware chain.
The first-stage app used native JNI code as a bootstrapper and hid the real logic behind encrypted assets.
It used AES/CBC asset decryption, where the key was derived from the asset filename plus "1".
Once decrypted, it loaded the next payload in memory using:
dalvik.system.InMemoryDexClassLoader
It also had anti-analysis checks using:
https://api[.]ipapi[.]is/
The app checked for VPN, TOR, proxy, datacenter IPs, and suspicious analysis conditions to avoid researchers and sandboxes.
Inside the hidden payload, I found another package:
com.rolv.saxonnaias
This showed a fake Axis Bank update screen to make the scam look legitimate.
But in the background, it installed real payloads:
Sam[.]AxisBank[.]Mobile
and a companion app:
com[.]kh[.]guamanianprediction
The capabilities were dangerous:
SMS interception
Notification capture
SIM information theft
Device information collection
OTP monitoring
Remote call forwarding using USSD commands
Remote control through cloud config
The attackers controlled infected devices using Firebase Realtime Database.
I found Firebase nodes for device info, call forwarding, SMS forwarding, dynamic Telegram config, bot token, chat ID, and command values.
For exfiltration, the malware used Telegram Bot API methods like:
sendMessage
sendDocument
sendPhoto
The full chain was clear:
Fake bank call → victim installs fake app → staged loader decrypts hidden payload → payload collects sensitive data → attacker controls device using Firebase → stolen data goes to Telegram → money gets withdrawn.
The scary part is how polished this was.
It used native code hiding, encrypted payloads, in-memory DEX loading, anti-analysis checks, fake banking UI, Firebase C2, Telegram exfiltration, SMS stealing, notification stealing, and USSD-based call forwarding.
Despite heavy obfuscation, malformed stage-2 DEX files, native hiding, encrypted blobs, and long-string decoders, I was able to map the full chain.
I recovered the loading logic, decrypted the assets, identified native entry points, exposed the Firebase command schema, and documented the Telegram exfiltration flow.
After completing the analysis, I prepared the findings and reported everything to the authorities.
This case was personal because it affected someone close to my friend.
But it also shows how fast Android banking threats are evolving in India.
Scammers are combining fake bank calls with real malware, cloud infrastructure, and stealthy Android techniques.
For researchers: always look beyond the surface APK. The real payload may be encrypted, loaded in memory, hidden behind JNI, or delivered through staged logic.
#CyberSecurity #AndroidMalware #ReverseEngineering #BankingFraud #ThreatHunting #InfoSec #MobileSecurity #MalwareAnalysis](https://pbs.twimg.com/media/HJ4J9nwbQAAaqB2.jpg)
The Biden FBI targets people for their religious beliefs.
The Trump FBI holds people accountable for those actions.
Make this guy famous He just broke the windshield of a Black Man’s car for leaving the ICE Facility
Shoutout to @Patrick_Nealis for catching it on tape
Would be shame if this guy went VIRAL
🚨 MONDAY VOLATILITY INCOMING 🚨
An $ETH CME GAP has formed
Historically, these gaps are filled 95% of the time.
Will the market close it again? 👀
Be ready.
this is what weekends are all about
Trump: "Do you want to see a bad stock market? Try blowing up the Middle East, and then Europe, and then they come for us. We’re not going to let that happen."
JUST IN: $79,000 Bitcoin! 🚀
@davidm138 @ElsajeanJe3884 My team and I are certified in tracing and tracking down stolen cryptocurrency and helping victims recover their funds without an upfront fee.. Also, beware of the numerous bots account claiming to want to help by recommending you to someone else coz they are all SCAM.
@Sophialynn7777 Send a direct message to have the issue fixed right away
My team and I are certified in tracing and tracking down stolen cryptocurrency and helping victims recover their funds without an upfront fee.. Also, beware of the numerous bots account claiming to want to help by recommending you to someone else coz they are all SCAM.
You should send a Direct message to me with more details of the scam to get recovery started.
—Seth
My team and I are certified in tracing and tracking down stolen cryptocurrency and helping victims recover their funds without an upfront fee.. Also, beware of the numerous bots account claiming to want to help by recommending you to someone else coz they are all SCAM.
You should send a Direct message to me with more details of the scam to get recovery started.
—Seth
@meiengenesse1 @MAGAVoice I agree. I even blame him for the $64,000.00 i was scammed out of for opening the door for scammers.
Trends for you
Most Popular Users
Elon Musk
@elonmusk
240.3M followers
Barack Obama
@barackobama
119.3M followers
Donald J. Trump
@realdonaldtrump
111.6M followers
Cristiano Ronaldo
@cristiano
109.6M followers
Narendra Modi
@narendramodi
106.9M followers
Rihanna
@rihanna
97.4M followers
NASA
@nasa
92.1M followers
Justin Bieber
@justinbieber
90.7M followers
KATY PERRY
@katyperry
87.2M followers
Taylor Swift
@taylorswift13
81M followers
Lady Gaga
@ladygaga
72.5M followers
Kim Kardashian
@kimkardashian
69.5M followers
Virat Kohli
@imvkohli
69.1M followers
YouTube
@youtube
68.6M followers
Bill Gates
@billgates
63.6M followers
The Ellen Show
@theellenshow
62.5M followers
CNN
@cnn
61.9M followers
Neymar Jr
@neymarjr
61.8M followers
X
@x
60.9M followers
Selena Gomez
@selenagomez
60.3M followers