
Over 25 mn devices at risk: What is FatBoyPanel, the new malware targeting Indian users?

Malware can steal your data and cause financial loss in ways you might not even imagine. In the 23rd edition of The Safe Side, we explore a dangerous new malware called FatBoyPanel, how it works, and what you can do to stay protected.

While using malicious software to wipe out bank accounts isn’t new, the methods and reach of such scams have evolved drastically with technology. (Express Image/FreePik)

A dairy businessman, 44, from Dharashiv, received a WhatsApp call from someone posing as a bank official. The caller warned him that his account would be suspended unless updated immediately. When the victim panicked and asked how this issue could be resolved, the “official” offered a simple solution – downloading a “banking application,” the link of which would be shared on WhatsApp. The link reached him, and the victim downloaded the Android Package Kit (APK) file and installed it. What followed was 26 rapid transactions that drained his entire bank account.

A sophisticated, malicious piece of software, called malware, was the reason.

This isn’t an isolated case. In recent years, scammers have increasingly targeted users through APK files laced with malicious software that hijack devices. This week, we take a closer look at one such malware: FatBoyPanel.

What is malware?

Malware, short for “malicious software”, refers to intrusive programs designed by cybercriminals to steal data or damage systems. Common types include viruses, worms, Trojans, spyware, adware, and ransomware.

Recently, in a blog post, Zimperium, a tech company that provides AI-driven mobile security to protect devices and apps from phishing, malware, and zero-day threats, said that its research team had identified a malware that steals from Indian bank accounts: FatBoyPanel.

What is FatBoyPanel?

Nico Chiaraviglio, chief scientist at Zimperium, told indianexpress.com that FatBoyPanel is a mobile-first banking trojan that has been discovered across nearly 900 different applications, primarily targeting Indian users.

The attack begins with social engineering: scammers pose as officials or trusted entities and approach users via WhatsApp. They then send a malicious APK, encouraging the user to install it.


Once installed, the app gains access to sensitive data and steals one-time passwords (OTPs) to execute unauthorised transactions.

“FatBoyPanel is mobile-first, optimised for Indian banking apps, and even supports real-time session hijacking. That makes it especially dangerous in the hands of low-skilled attackers,” said Akshat Khetan, a cyber-legal expert and founder of AU Corporate Advisory and Legal Services (AUCL).

What distinguishes this malware?

“It uses a centralised command structure that controls multiple variants across campaigns, abuses live phone numbers for OTP redirection, and has exfiltrated data from over 25 million devices. This makes it far more organised and dangerous than traditional banking trojans. It is also a new banker trojan that shows constant evolution of threat actors,” Chiaraviglio said.

The malware requests permission to read SMS messages, enabling it to capture OTPs and bypass two-factor authentication in real time. “It hides its icon after installation and disables Google Play Protect, allowing it to stay hidden and maintain access,” Chiaraviglio said.


“Once permissions are granted, it embeds itself into the system and communicates with its control panel,” Khetan said.

Breach fueled by social engineering

“The attackers pose as government agencies or trusted services, sending fake APKs via WhatsApp. This social engineering drives up installation rates,” Chiaraviglio said.

He also shared some numbers: Over 1,50,000 stolen messages were found on the attacker panel, with more than 25 million compromised device records, highlighting the massive scale of this breach. “The breach exposes how easily users can be manipulated into side-loading apps and how SMS-based OTPs remain a weak link, especially in regions relying on them for banking authentication,” he said.

Pavan Karthick M, threat researcher III at CloudSEK, said, “This campaign, active since late 2023, uses consistent infrastructure across all samples–FatBoyPanel. It’s part of a growing trend where everyday platforms host Command and Control (C2) servers, giving cybercriminals both scalability and operational cover.”


Khetan elaborated on how the malware acts: “Once deployed, the malware can intercept SMS-based OTPs, log credentials and perform keylogging. It may also use Accessibility Services to perform actions on behalf of the user such as initiating fund transfers within banking apps. In some cases, attackers use remote access tools (RATs) embedded in the payload to execute transactions manually from the victim’s device, bypassing traditional fraud detection mechanisms.”

How to protect yourself

– Avoid sideloading APKs: Only use official app stores.

– Enable Google Play Protect: Keep it on to scan for harmful apps.

– Use mobile security software: Opt for real-time threat detection.

– Verify app sources: Never trust unknown or unofficial links.

– Check app permissions: Avoid granting SMS, call, or gallery access to unverified apps.
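The two traits the experts above describe (a sideloaded app, and one that asks for SMS access or registers an Accessibility Service) can be checked on a device from a PC. The script below is an added example, not from the article or Zimperium; it parses the text of `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>` (assumed output formats) and runs offline on constructed sample data.

```python
"""Triage Android package data for the red flags the article describes:
a sideloaded app (not installed by a store) that requests SMS permissions
or declares an Accessibility Service. Samples are constructed, not real."""
import re

# Indicators from the article: SMS access (OTP capture) and Accessibility Services.
WATCH = {
    "android.permission.READ_SMS": "reads SMS",
    "android.permission.RECEIVE_SMS": "receives SMS",
    "android.accessibilityservice.AccessibilityService": "accessibility service",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add OEM stores if used

def parse_installers(listing):
    """`pm list packages -3 -i` output -> {package: installer, or None if sideloaded}."""
    found = {}
    for line in listing.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            found[pkg] = None if inst == "null" else inst
    return found

def indicators(dump):
    """Labels of watched identifiers present anywhere in a `dumpsys package` dump."""
    return sorted(label for ident, label in WATCH.items() if ident in dump)

def triage(installers, dumps):
    """Packages that are both sideloaded and carry at least one indicator."""
    flagged = {}
    for pkg, inst in installers.items():
        hits = indicators(dumps.get(pkg, ""))
        if inst not in TRUSTED_INSTALLERS and hits:
            flagged[pkg] = hits
    return flagged

# Constructed sample: one Play-installed chat app, one sideloaded "bank update" app.
SAMPLE_LISTING = """\
package:com.example.chat installer=com.android.vending
package:com.example.bankupdate installer=null
"""
SAMPLE_DUMPS = {
    "com.example.chat": "requested permissions:\n  android.permission.READ_SMS\n",
    "com.example.bankupdate": (
        "requested permissions:\n  android.permission.RECEIVE_SMS\n"
        "  android.permission.READ_SMS\n"
        "Service Resolver Table:\n  android.accessibilityservice.AccessibilityService\n"
    ),
}

if __name__ == "__main__":
    for pkg, hits in triage(parse_installers(SAMPLE_LISTING), SAMPLE_DUMPS).items():
        print(f"{pkg}: sideloaded and {', '.join(hits)}")
```

Only the sideloaded app is flagged; the Play-installed chat app with SMS access is not, because store provenance is the first filter the advice above relies on.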


Some malware can even delete itself to avoid detection, making user vigilance critical. “To better protect users, banks must move away from SMS-based OTPs and embrace stronger multi-factor authentication. In-app protections and local-language awareness campaigns are also key,” Chiaraviglio said.

The Safe Side

As the world evolves, the digital landscape does too, bringing new opportunities—and new risks. Scammers are becoming more sophisticated, exploiting vulnerabilities to their advantage. In our special feature series, we delve into the latest cybercrime trends and provide practical tips to help you stay informed, secure, and vigilant online.

Ankita Deshkar is a Deputy Copy Editor and a dedicated fact-checker at The Indian Express, and leads "The Safe Side" series.
