
Indian Banking Trojans: Protecting Your Financial Apps

Someone asked me last week: 'Can a virus actually steal money from my phone?' The short answer is yes. Banking trojans designed specifically for Indian UPI and banking apps are more common than most people realise.

Vikram Singh

"Can someone actually steal money from my phone through a virus?" A reader sent this question last week after seeing a news report about a malware campaign targeting SBI users. It's the kind of question that sounds alarmist until you look at the numbers. CERT-In reported a sharp rise in Android banking trojan incidents across India through 2025, with several malware families specifically engineered to attack Indian banking and UPI applications. The money doesn't vanish through some Hollywood-style hack. It disappears through a series of small, deliberate tricks that exploit the way Indian users interact with their phones — and the answer to the reader's question is more nuanced and more troubling than a simple yes.

I want to think through this carefully because banking trojans aren't just a technical problem. They sit at the intersection of software vulnerabilities, human behaviour, regulatory gaps, and the sheer speed at which India's digital payments ecosystem has grown. UPI processes upward of 14 billion transactions a month as of early 2026. That's an enormous attack surface, and the criminals targeting it aren't amateurs. They're well-funded, technically skilled, and they understand Indian users' habits intimately.

How These Trojans Actually Work

The word "trojan" confuses some people because it sounds like old-school computer hacking — something from the era of desktop viruses and floppy disks. Modern banking trojans are Android apps. They look like regular apps. They install like regular apps. And once they're on your phone, they operate with terrifying precision.

The most common delivery method in India is phishing via SMS and WhatsApp. You get a message that looks like it's from your bank, the income tax department, or India Post. The message contains a link to download an "updated" app or a "security patch." The link leads to an APK file — an Android installation package hosted on a server the attacker controls. You download it, install it (after dismissing the security warning your phone shows, because the message told you to), and the trojan is in.

Researchers have documented specific trojan families targeting India. Drinik was first seen in 2016 as a simple SMS stealer and resurfaced in 2021 as a banking trojan masquerading as an income tax department app; it has been through multiple iterations since. Current Drinik variants overlay fake login screens on top of legitimate banking apps from SBI, PNB, ICICI, HDFC, and several others. When you open your real banking app, the trojan notices (it watches which app is in the foreground, which on modern Android needs either the Accessibility Service or the usage-stats permission) and instantly places a pixel-perfect fake login screen over the real one, using the "display over other apps" permission it asked for earlier. You type in your credentials, thinking you're logging into your bank. Instead, those credentials go to the attacker. The real app sits behind the overlay, so you might not even notice anything went wrong.

SOVA, a trojan of Russian origin, was reported attacking Indian banking users in 2022 (CERT-In issued an advisory on it that September) and has continued to evolve. What makes SOVA particularly nasty is its ability to intercept two-factor authentication. Android grants permissions at run time rather than at install, so the trojan asks for SMS access the first time it opens, and many users tap Allow without thinking. With that permission it can silently read incoming OTPs and forward them to the attacker's server. Your bank sends an OTP for a transaction you didn't initiate. The trojan reads it, forwards it, and the transaction goes through. Hiding the message from you is a separate trick: since Android 4.4 only the default SMS app can delete texts, so a trojan that wants the OTP to vanish has to talk you into making it your messaging app, or use Accessibility access to swipe the notification away and delete the thread on your behalf. Either way, you have no idea until you check your balance.

The Godfather trojan family takes a different approach. It abuses Android's Accessibility Service, a feature designed to help people with disabilities by allowing apps to read screen content, simulate taps, and interact with other apps. When a trojan has Accessibility permissions, it can do almost anything you can do on your phone — open your UPI app, enter a payment, approve the transaction with your UPI PIN (captured via screen recording or a fake overlay), and complete a money transfer. All while you're asleep or the phone is in your pocket. The Accessibility Service permission is the master key to an Android phone, and trojans rely on this.

Screen recording is the backup method. If overlays don't capture your credentials and SMS interception doesn't catch the OTP, the trojan watches the screen itself. When you open any financial app and type in your PIN, password, or MPIN, the capture picks it up. The footage gets sent to a command-and-control server, where the attacker reviews it and extracts whatever they need. One caveat on the mechanics: true screen recording on Android (MediaProjection) pops a consent dialog, so a trojan that already holds Accessibility access usually reads the text of on-screen fields and the buttons you tap directly, or streams a VNC-style view to the operator, which needs no prompt and looks the same from the victim's side. Some variants are selective, activating capture only when they detect a financial app has opened, which makes them harder to spot because they don't drain your battery the way continuous recording would.
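The capabilities described in this section (overlay, SMS interception, Accessibility abuse, persistence) all leave traces in an APK's manifest. As an added example, not code from the article or from any of the malware families named, here is a static triage script that maps those declarations onto the capabilities above, the kind of first pass an analyst runs on a suspicious APK after decoding it with apktool. The weights, package names and both sample manifests are constructed for this example; the scoring is an editorial judgement, not a published scheme.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID = "{http://schemas.android.com/apk/res/android}"

# uses-permission markers -> (capability, weight). Weights are this example's own.
PERMISSION_MARKERS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 3),
    "android.permission.RECEIVE_SMS": ("sms-intercept", 3),
    "android.permission.READ_SMS": ("sms-read", 2),
    "android.permission.SEND_SMS": ("sms-send", 1),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropper", 2),
    "android.permission.PACKAGE_USAGE_STATS": ("foreground-detect", 2),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("persistence", 1),
}
# Accessibility and device-admin rights are declared on components, not as uses-permission.
COMPONENT_MARKERS = {
    ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE"): ("accessibility", 5),
    ("receiver", "android.permission.BIND_DEVICE_ADMIN"): ("device-admin", 2),
}
ACTION_MARKERS = {
    "android.provider.Telephony.SMS_DELIVER": ("default-sms-handler", 3),  # can delete texts
    "android.provider.Telephony.SMS_RECEIVED": ("sms-receiver", 1),
}
CAPTURE_PATHS = {"overlay", "sms-intercept", "sms-read", "default-sms-handler"}


@dataclass
class Triage:
    package: str
    capabilities: dict = field(default_factory=dict)

    @property
    def score(self) -> int:
        return sum(self.capabilities.values())

    @property
    def verdict(self) -> str:
        caps = set(self.capabilities)
        if "accessibility" in caps and caps & CAPTURE_PATHS:
            return "trojan-shape"        # automation plus a credential/OTP capture path
        if self.score >= 6:
            return "suspicious"
        return "unremarkable"


def triage_manifest(xml_text: str) -> Triage:
    """Map manifest declarations to the capabilities the text describes."""
    root = ET.fromstring(xml_text)
    t = Triage(package=root.get("package", "?"))
    for el in root.iter("uses-permission"):
        marker = PERMISSION_MARKERS.get(el.get(ANDROID + "name"))
        if marker:
            t.capabilities[marker[0]] = marker[1]
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            marker = COMPONENT_MARKERS.get((tag, el.get(ANDROID + "permission")))
            if marker:
                t.capabilities[marker[0]] = marker[1]
    for el in root.iter("action"):
        marker = ACTION_MARKERS.get(el.get(ANDROID + "name"))
        if marker:
            t.capabilities[marker[0]] = marker[1]
    return t


# Constructed manifests for the example; package names and labels are invented.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.incometax.refund.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Income Tax Refund">
    <service android:name=".a11y.Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsRx" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# A UPI-style app: sends one SMS for device binding and reads OTPs, no automation.
UPI_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.examplebank.upi">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="ExampleBank UPI">
    <receiver android:name=".OtpReceiver" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def report(t: Triage) -> str:
    caps = ", ".join(f"{c}({w})" for c, w in sorted(t.capabilities.items()))
    return f"{t.package}: {t.verdict} (score {t.score}) [{caps}]"


if __name__ == "__main__":
    for manifest in (DROPPER_MANIFEST, UPI_MANIFEST):
        print(report(triage_manifest(manifest)))
```

The point of the verdict rule is the combination, not any single permission: a bank's own UPI app legitimately touches SMS, and an on-screen keyboard legitimately needs Accessibility, but an app that asks for Accessibility alongside an SMS or overlay capture path has the exact shape this section describes.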

Why Indian Users Are Particularly Vulnerable

I think about this a lot, and the vulnerability isn't really about technology. It's about context.

India's UPI adoption happened at a speed that outpaced security awareness. Hundreds of millions of people went from cash transactions to digital payments within a few years. Many of them are first-generation smartphone users. They don't distinguish between an official app and a convincing clone. They don't know what an APK file is or why installing one from a WhatsApp link is dangerous. They grant app permissions because the app asked, and denying permissions feels like something might break.

The SMS culture in India also plays a role. Indians receive an enormous volume of transactional SMS — bank alerts, OTPs, promotional messages, government notifications. We're trained to pay attention to SMS and to act on them quickly. A phishing SMS that says "Your SBI account will be blocked. Download the security update immediately" creates urgency, and urgency overrides caution. The attackers know this. Their messages are designed to trigger a fast, emotional response — fear of losing money, fear of losing account access — before the rational part of your brain kicks in and asks "wait, does this look right?"

Sideloading apps is more common in India than in many Western markets. The Google Play Store is the primary app source, but APK files circulate freely through WhatsApp groups, Telegram channels, and third-party app stores. Some users sideload to get paid apps for free, others because someone shared a link and they didn't question it. Every sideloaded APK is a gamble. Google Play isn't perfect — trojans have slipped past its review process — but it's orders of magnitude safer than installing random APKs from the internet.

There's a class dimension here too. Budget Android phones running older versions of Android (8 or 9, sometimes even 7) lack the newer security features like the Privacy Dashboard, automatic permission revocation for unused apps, and restricted Accessibility Service access that newer versions include. These are the phones used by the most financially vulnerable users — the ones who can least afford to lose money to a trojan. The security gap maps almost perfectly onto the economic gap.

The Distribution Networks Are Getting Sophisticated

The way these trojans reach Indian phones has evolved significantly. Early banking malware spread mainly through sketchy third-party app stores and random APK links. That still happens, but the distribution has gotten more targeted and more convincing. There are now organised campaigns that use bulk SMS services to send out hundreds of thousands of phishing messages designed to look like they come from specific banks. The messages reference the recipient's bank by name — not always accurately, but often enough to catch people who actually bank with that institution.
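The bank-impersonating SMS described here (and in the delivery discussion earlier) has a recognisable shape: a sender that is a plain mobile number rather than a TRAI DLT header, a link to an APK or a look-alike domain, and urgency language. As an added example, not code from the article, here is a small triage function that scores a message on those signals. The DLT header regex is this example's approximation of the registered-sender format, the bank domain list is a short illustrative set, the weights are editorial, and the three sample messages are constructed, not real campaign text.

```python
import re
from urllib.parse import urlparse

# Bank name fragments and the registrable domains they really use. Short
# illustrative list assumed for this example; extend it from your own records.
BANK_DOMAINS = {
    "sbi": ("sbi.co.in", "onlinesbi.sbi"),
    "hdfc": ("hdfcbank.com",),
    "icici": ("icicibank.com",),
    "pnb": ("pnbindia.in",),
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy"}
URGENCY = ("blocked", "suspen", "immediately", "within 24 hours", "kyc", "expire", "last warning")
INSTALL_CUES = ("download", "install", "update the app", "click")

# TRAI DLT sender header: two-letter telco/circle code, six-character entity
# header, optional category suffix (S/P/T/G). The regex is this example's
# approximation of that format, not TRAI's specification.
DLT_HEADER = re.compile(r"^[A-Z]{2}-[A-Z0-9]{6}(-[SPTG])?$")
MOBILE_NUMBER = re.compile(r"^(\+?91)?[6-9]\d{9}$")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
BARE_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def triage_sms(sender: str, text: str):
    """Return (verdict, score, findings) for one message. Weights are editorial."""
    findings, score = [], 0
    body = text.lower()
    mentioned = [b for b in BANK_DOMAINS if b in body]

    if MOBILE_NUMBER.match(sender):
        findings.append("sender is a personal mobile number, not a DLT header")
        score += 3 if mentioned else 1          # a bank never texts from a SIM
    elif not DLT_HEADER.match(sender):
        findings.append(f"sender {sender!r} is not in DLT header format")
        score += 1

    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(".apk"):
            findings.append(f"link serves an APK: {url}")
            score += 5
        if host in SHORTENERS:
            findings.append(f"shortened link hides its destination: {host}")
            score += 2
        if BARE_IP.fullmatch(host):
            findings.append(f"link host is a bare IP address: {host}")
            score += 3
        for bank in mentioned:
            legit = BANK_DOMAINS[bank]
            if bank in host and not any(host == d or host.endswith("." + d) for d in legit):
                findings.append(f"look-alike domain for {bank.upper()}: {host}")
                score += 4

    hits = [w for w in URGENCY if w in body]
    if hits:
        findings.append("urgency cues: " + ", ".join(hits))
        score += len(hits)
    if any(w in body for w in INSTALL_CUES):
        findings.append("asks the reader to download or install something")
        score += 2

    verdict = "phishing-likely" if score >= 6 else "review" if score >= 3 else "ok"
    return verdict, score, findings


# Constructed messages for the example; not real campaign text.
SAMPLES = [
    ("+919876543210",
     "Dear SBI customer, your account will be BLOCKED today. Update KYC immediately: "
     "http://sbi-kyc-update.in/SBI_Secure.apk"),
    ("VM-SBIINB-S",
     "Your a/c XX1234 is debited by Rs 500.00 on 12-Jan-26. Not you? Call 1800 1234. -SBI"),
    ("AD-HDFCBK",
     "HDFC Bank: Complete your KYC to avoid suspension. Open https://bit.ly/3xyzabc now."),
]


def run_samples():
    return [(sender, *triage_sms(sender, text)) for sender, text in SAMPLES]


if __name__ == "__main__":
    for sender, verdict, score, findings in run_samples():
        print(f"{sender}: {verdict} ({score})")
        for finding in findings:
            print("   -", finding)
```

The third sample is the interesting one: a registered DLT header plus a shortened link and KYC urgency lands in the "review" tier, which is exactly where a human should look, because a compromised or rented bulk-SMS account can send through a genuine header.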

WhatsApp is the other major vector, and it works differently. Instead of mass-blasting messages, attackers spread malicious APKs through WhatsApp groups — particularly groups centred around finance, investment tips, or government scheme information. A message appears in a group claiming to be an updated version of a banking app, or a new app from the government that offers some benefit. Group members trust messages from groups they've joined, especially if other members share the message or vouch for it. In some cases, the attackers plant members in groups specifically to seed these messages and provide fake testimonials.

Telegram channels have also become distribution points, especially for trojans disguised as modified versions of popular apps — "WhatsApp Gold," "YouTube Premium cracked," or "Free Netflix APK." Users who download these modified apps get the trojan bundled alongside whatever functionality the app promises. The appeal of getting a paid service for free overrides caution, and by the time the user realises something's wrong — if they ever do — the trojan has already captured credentials and established persistence on the device.

A trend I've noticed in CERT-In's recent advisories is the use of progressive web apps (PWAs) and shortcut icons to distribute malware. An attacker sends a link that, instead of downloading an APK, creates a web shortcut on the home screen that looks like a banking app. When the user opens it, they see a convincing login page that sends their credentials directly to the attacker's server. This approach bypasses Android's APK installation warnings entirely because no actual app is being installed — it's just a web page. Distinguishing a real app icon from a malicious shortcut requires looking closely at the icon's properties, which almost nobody does.

The economics behind these operations are worth understanding too. A successful banking trojan campaign targeting Indian users can be surprisingly profitable relative to its cost. Setting up the infrastructure — registering domains, hosting the fake app, configuring the command-and-control server, sending bulk SMS — might cost a few thousand dollars at most. A single successful UPI hijack can net Rs 50,000 or more. Multiply that across hundreds or thousands of victims, and the return on investment dwarfs most legitimate businesses. This economic reality is why these attacks will keep happening and keep getting more sophisticated. There's too much money in it.

Protecting Yourself Without Becoming Paranoid

The goal isn't to make you afraid of your phone. Digital payments are genuinely useful, and UPI has made financial transactions accessible to hundreds of millions of Indians who were previously excluded from the banking system. The goal is to build a few habits that dramatically reduce your risk.

The single most effective thing you can do is never install an APK from a link. Not from SMS. Not from WhatsApp. Not from Telegram. Not from email. If your bank needs you to update their app, you'll find the update in the Google Play Store or Apple App Store. No bank, government agency, or legitimate company distributes an APK file through a message; at most, a genuine SMS points you to the app's Play Store listing, and even then you're better off opening the Play Store yourself and searching for the app. If someone sends you a file to install, it's a scam. Full stop. This one rule, followed consistently, would prevent the majority of banking trojan infections in India.

The second thing: never grant Accessibility Service permission to any app unless you personally need it for a disability-related purpose. No banking app, game, shopping app, or utility needs Accessibility access. If an app asks for it and it's not a screen reader or assistive technology tool, that's a red flag. On Android 13 and above, the Accessibility toggle is greyed out for sideloaded apps until you open the app's info page and tap "Allow restricted settings" yourself, so an app that walks you through exactly those steps is telling you what it is. That is another reason to keep your phone updated if possible.

Review your SMS permissions. Go to Settings, then Apps, then Permission Manager, then SMS (the exact path varies by manufacturer). Look at which apps can read your text messages. A UPI app legitimately needs to send one SMS during device binding, and some banking apps still ask to read OTPs, though many have moved to Google's SMS Retriever API, which delivers the OTP to the app without any SMS permission at all. A game, a flashlight app, a file manager, a wallpaper app: none of these need SMS access. Revoke it.
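The two checks above (who has Accessibility, who can read SMS) plus the overlay permission and where each app came from can be pulled off a phone in one go over adb, which is quicker and more reliable than clicking through an OEM's Settings app. As an added example, not code from the article, here is an audit script that parses the output of four adb shell commands and flags the combinations this article warns about. The store-installer and assistive-tool allowlists are illustrative, the output shapes are what current adb prints but are parsed loosely, and the sample outputs embedded below are constructed (package names invented except TalkBack).

```python
import re

# Commands whose output the parsers below expect (run with `adb shell ...`):
#   settings get secure enabled_accessibility_services
#   pm list packages -i
#   dumpsys package <pkg>
#   appops get <pkg> SYSTEM_ALERT_WINDOW

# Installers that count as "from a store": Play plus two OEM stores as illustration.
STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps", "com.xiaomi.mipicks"}
# Assistive tools the user may legitimately have switched on (illustrative).
KNOWN_ASSISTIVE = {"com.google.android.marvin.talkback"}
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def parse_enabled_a11y(settings_out: str) -> set:
    """'pkg/service:pkg/service' (or 'null') -> set of package names."""
    if settings_out.strip() in ("", "null"):
        return set()
    return {entry.split("/")[0] for entry in settings_out.strip().split(":")}


def parse_installers(pm_out: str) -> dict:
    """Lines of 'package:<pkg>  installer=<pkg or null>' -> {pkg: installer or None}."""
    result = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_out, re.M):
        result[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return result


def parse_granted(dumpsys_out: str) -> set:
    """Permissions listed as granted=true in dumpsys package output."""
    return set(re.findall(r"(android\.permission\.\w+): granted=true", dumpsys_out))


def overlay_allowed(appops_out: str) -> bool:
    """'SYSTEM_ALERT_WINDOW: allow; time=...' -> True only for an explicit allow."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_out)
    return bool(m) and m.group(1) == "allow"


def audit(a11y_out, pm_out, dumpsys_by_pkg, appops_by_pkg):
    """Return (severity, package, message) findings, worst combinations first per app."""
    a11y = parse_enabled_a11y(a11y_out)
    findings = []
    for pkg, installer in parse_installers(pm_out).items():
        sideloaded = installer not in STORE_INSTALLERS
        sms = parse_granted(dumpsys_by_pkg.get(pkg, "")) & SMS_PERMS
        overlay = overlay_allowed(appops_by_pkg.get(pkg, ""))
        has_a11y = pkg in a11y and pkg not in KNOWN_ASSISTIVE
        if has_a11y and (sideloaded or sms or overlay):
            findings.append(("high", pkg, "Accessibility enabled on an app that is sideloaded "
                                          "or can read SMS / draw over other apps"))
        elif has_a11y:
            findings.append(("medium", pkg, "Accessibility enabled; confirm it is a tool you chose"))
        if sideloaded and sms:
            names = ", ".join(sorted(p.rsplit(".", 1)[1] for p in sms))
            findings.append(("high", pkg, f"sideloaded app holds {names}"))
        if sideloaded and overlay:
            findings.append(("medium", pkg, "sideloaded app may draw over other apps"))
        if sideloaded and not (has_a11y or sms or overlay):
            findings.append(("low", pkg, f"sideloaded (installer={installer}); remove if unrecognised"))
    return findings


# Constructed adb output for the example.
A11Y_OUT = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
            "com.incometax.refund.update/.a11y.Svc")
PM_OUT = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.examplebank.upi  installer=com.android.vending
package:com.incometax.refund.update  installer=null
package:com.flashlight.free  installer=com.google.android.packageinstaller
"""
DUMPSYS = {
    "com.examplebank.upi": "      android.permission.SEND_SMS: granted=true\n"
                           "      android.permission.RECEIVE_SMS: granted=true\n",
    "com.incometax.refund.update": "      android.permission.READ_SMS: granted=true\n"
                                   "      android.permission.RECEIVE_SMS: granted=true\n"
                                   "      android.permission.CAMERA: granted=false\n",
    "com.flashlight.free": "      android.permission.CAMERA: granted=true\n",
}
APPOPS = {
    "com.incometax.refund.update": "SYSTEM_ALERT_WINDOW: allow; time=+3d2h ago",
    "com.flashlight.free": "SYSTEM_ALERT_WINDOW: default",
}

if __name__ == "__main__":
    for severity, pkg, msg in audit(A11Y_OUT, PM_OUT, DUMPSYS, APPOPS):
        print(f"[{severity:6}] {pkg}: {msg}")
```

Note what does not get flagged: the Play-installed bank app that can receive SMS, and TalkBack with Accessibility on. The audit is built around provenance plus capability, because either one alone produces too many false alarms on a real phone to be useful.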

Enable Google Play Protect. It's on by default on most Android phones, but check: open the Play Store, tap your profile icon, then Play Protect. Make sure scanning is enabled. It's not infallible — no antivirus is — but it catches known trojan signatures and flags suspicious app behaviour. Think of it as a seatbelt: it won't prevent all accidents, but it'll probably save you from the most common ones.

Set UPI transaction limits. Every UPI app lets you set a per-transaction limit and, in some cases, a daily limit, well below the Rs 1 lakh a day that NPCI's standard cap allows for most transfers. If your normal transactions are under Rs 5,000, set a limit of Rs 5,000 or Rs 10,000. If a trojan tries to initiate a Rs 50,000 transfer, the limit will block it. Be realistic about what this buys you: a trojan with Accessibility access can raise the limit the same way you would, so treat it as a speed bump that caps the first loss and gives your alerts time to reach you, not as a wall.

Use biometric authentication for financial apps wherever it's available. Fingerprint or face unlock can't be captured by screen overlays or screen recording: the biometric is matched inside the phone's secure hardware, not typed on screen. If your banking app supports fingerprint login instead of a typed password, use it. A trojan with Accessibility access can still drive the app, but it cannot produce your fingerprint, so a biometric step it can't pass is worth more than a PIN it may already have recorded. Same for UPI PIN entry; some apps are starting to offer biometric alternatives, though adoption is still limited.

Enable real-time transaction alerts from your bank. Every major Indian bank offers SMS or push notification alerts for transactions above a threshold. Set the threshold to Re 1 — you want to know about every transaction, no matter how small. If an unauthorised transaction happens, you'll know within seconds, and speed matters when reporting fraud. Consider enabling email alerts as well — if a trojan is deleting your SMS alerts (which some do), an email notification to a separate device serves as a backup warning system.

Keep your phone's operating system as up-to-date as possible. Each Android version adds security features that make trojans' lives harder — restricted background access, narrower permissions, improved Accessibility Service controls. If your phone has stopped receiving security updates (which happens to many budget Android phones after two or three years), consider whether it's worth continuing to use it for banking. A phone running Android 9 without security patches is meaningfully more vulnerable than one running Android 14 with current patches. If a new phone isn't in the budget, at least consider moving your banking to a more secure device — even a basic feature phone with SMS banking is safer than a compromised Android smartphone.

If you suspect your phone is already infected (unexplained battery drain, apps you don't remember installing, transactions you didn't make), the immediate steps are: turn off mobile data and Wi-Fi to cut the trojan's connection to its command server, boot the phone into safe mode, which disables third-party apps, and uninstall anything suspicious. If the Uninstall button is greyed out, the app has made itself a device administrator; revoke that first under the device admin apps setting, and if it still fights you, a factory reset is the reliable way to be sure it's gone. Change all your banking passwords from a different, clean device, not the phone. Contact your bank's fraud helpline immediately. Report the incident at cybercrime.gov.in or call 1930, the national cybercrime helpline. Time matters: the faster you report, the better the chances of recovering funds or freezing the attacker's account.

I come back to the reader's original question: "Can someone actually steal money from my phone through a virus?" Yes, they can. It's happening to thousands of Indians, probably more, and the scale is growing as UPI usage grows. But the same question contains its own implicit follow-up — "and can I stop it?" — and the answer to that is also yes. Not through any single silver bullet, but through a small set of habits that, taken together, make you a vastly harder target. Don't install APKs from links. Don't grant unnecessary permissions. Keep your phone updated. Watch your bank alerts. It's not glamorous advice, but it's the kind that actually works.


Written by

Vikram Singh

Cybersecurity Consultant

Vikram Singh is a certified ethical hacker and cybersecurity consultant who has helped secure systems for major Indian banks and government agencies. He writes about practical security measures for everyday Indian internet users.
