FatBoyPanel: Android Malware Campaign Targeting Millions of Indian Users

FatBoyPanel is a newly identified malware panel actively targeting Indian users. It is being sold on cybercrime forums and is designed to steal sensitive data including credentials, OTPs, and banking information. The malware is modular, delivered via phishing campaigns and malicious APK files, and is capable of device takeover and remote access.

Severity Level: High

THREAT OVERVIEW:

  1. Threat Actor: Known by the alias FatBoy, the operator is deeply integrated into multiple Telegram groups and underground forums and acts as a data broker, SIM swapper, and phishing kit distributor.
  2. Tool/Platform Used: FatBoyPanel – a web-based admin toolkit offering access to breached data, OTP logs, SIM swap APIs, and phishing modules.
  3. Impact: Affected millions of individuals across India, including data from telecom subscribers (Jio, Airtel), government portals (e.g., UIDAI), and financial accounts (UPI and net banking credentials).
  4. Infrastructure: Operated via a Telegram storefront, cloud hosting, and reverse proxies, supported by automation bots and data scraping scripts.
  5. Commercialization: Services are sold on a subscription or per-record basis. FatBoyPanel is advertised as a “plug-and-play” platform for cybercriminals.

Attack Methodology:

  6. Reconnaissance:
    • FatBoy collected open-source intelligence (OSINT) and existing data leaks to identify high-value Indian targets, primarily telecom operators, banking interfaces, and government digital service portals.
    • Used historical breaches (e.g., telecom KYC leaks, UIDAI details) and botnet dumps to compile credential dictionaries.
  7. Delivery:
    • Phishing Attacks: Spear-phishing via SMS and Telegram links (smishing).
    • Fake Dashboards: Cloned versions of UIDAI, telecom, and banking portals lured users into submitting credentials and OTPs.
  8. Capabilities:
    • Credential Theft: Extracts stored login data from banking apps and services.
    • OTP Interception: Captures SMS-based OTPs to bypass 2FA mechanisms.
    • Remote Access: The attacker can control the device through a web-based control panel.
    • Screen Capture & Keylogging: Captures on-screen activity and inputs, enabling full surveillance of the victim.
    • Persistence Mechanisms: Uses Android permissions to maintain access even after a device reboot.
  9. Top impersonated financial entities: Axis, RBL, AU, ICICI, IndusInd, DMart, HDFC, PNB, SBI, Union, Canara, and PM Kisan.
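As an added defensive example (not code from the advisory or from the cited vendors), the following Python script parses an Android manifest and flags the permission combinations that underpin the capabilities listed above (SMS/OTP access, boot persistence, overlays, accessibility-service control). The permission-to-capability mapping and the sample manifest are constructed assumptions for triage, not indicators taken from a FatBoyPanel sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Heuristic mapping of declared permissions to the capability classes listed
# above. The mapping is an assumption for triage, not a signature extracted
# from FatBoyPanel APKs.
PERMISSION_CAPABILITIES = {
    "android.permission.RECEIVE_SMS": "OTP interception",
    "android.permission.READ_SMS": "OTP interception",
    "android.permission.RECEIVE_BOOT_COMPLETED": "Persistence across reboot",
    "android.permission.SYSTEM_ALERT_WINDOW": "Overlay / screen capture",
    "android.permission.INTERNET": "Command-and-control channel",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return {capability class: [manifest entries that enable it]}."""
    root = ET.fromstring(manifest_xml)
    findings: dict = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        cap = PERMISSION_CAPABILITIES.get(name)
        if cap:
            findings.setdefault(cap, []).append(name)
    # Accessibility abuse (keylogging, remote control) is declared on a
    # <service> guarded by BIND_ACCESSIBILITY_SERVICE, not as <uses-permission>.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY:
            findings.setdefault("Keylogging / remote control", []).append(
                svc.get(ANDROID_NS + "name", "?"))
    return findings

def matches_banking_trojan_pattern(findings: dict) -> bool:
    """SMS access + boot persistence + overlay/accessibility control together."""
    control = {"Overlay / screen capture", "Keylogging / remote control"}
    return ("OTP interception" in findings
            and "Persistence across reboot" in findings
            and bool(control & set(findings)))

# Constructed sample manifest, not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Bank Update">
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` groups the declared entries by capability class, and `matches_banking_trojan_pattern` flags the sample because it combines SMS access, boot persistence and an accessibility service; a manifest requesting only INTERNET is not flagged.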

Recommendations:

  1. Prioritize app-based or hardware MFA over SMS OTPs to prevent OTP-based phishing and SIM swapping.
  2. Restrict access to internal portals to only Indian IPs or known secure zones.
  3. Encourage users not to share OTPs or install APKs from unofficial sources, and provide phishing-awareness education.
  4. Enforce immediate patching of any exposed APIs or admin panels vulnerable to brute force or known exploits.
  5. Enforce strict KYC and identity verification procedures for SIM issuance.
  6. Keep Android OS and security software up to date with the latest patches.
  7. Enforce mobile device management (MDM) policies with strict application control.

Source:

  • https://indianexpress.com/article/technology/tech-news-technology/fatboypanel-new-malware-targeting-indian-users-what-is-it-9965305/
  • https://zimperium.com/blog/mobile-indian-cyber-heist-fatboypanel-and-his-massive-data-breach

Ampcus Cyber