New Android Malware Exploits Political Trends to Steal Banking Data

2026-05-24 companies

New Delhi, Sunday, 24 May 2026.
Disguised as a trending political app, a critical new Android malware is spreading across WhatsApp and Telegram, silently hijacking accessibility features to steal users’ banking data and OTPs.

The Anatomy of a Social Engineering Campaign

On May 24, 2026, Indian cybersecurity firm TraceX Labs escalated warnings regarding a sophisticated Android Remote Access Trojan (RAT) packaged as a political application named “Cockroach Janta Party.apk” [1][4]. The firm first identified the active threat on May 21, 2026, classifying it as a “CRITICAL” risk under report ID IND-022 [3][4]. The malware primarily targets users in India operating on Android versions 8 through 14, leveraging regional political trends to trick victims into manually installing the file outside of the official Google Play Store [1][4].

Hijacking Android’s Core Accessibility Features

Once installed, the spyware requests a broad set of sensitive device permissions to support its data exfiltration [1][6]. These include access to SMS messages, contact lists, call logs, device storage, and the camera [2][6]. However, researchers note that the most severe risk stems from the malware’s abuse of Android’s Accessibility Services [2][5]. In Android, accessibility features are designed to assist users with disabilities, and to do so they are granted broad control over screen reading and interface interactions; an app that is granted this capability can read what is displayed on screen and act on the interface on the user’s behalf.

Covert Communications and Data Exfiltration

To maintain persistence and evade detection, the malware utilizes the Telegram Bot API as its Command-and-Control (C2) server [4]. This infrastructure choice allows the malicious application to blend its communications with standard encrypted internet traffic, masking suspicious activity as routine communication between the Telegram app and Google’s HTTPS servers [4][5]. Through this covert channel, the malware continuously exfiltrates sensitive data, including SIM details, stored documents, and media files, facilitating long-term surveillance, credential theft, and financial fraud [2][4].

Mitigation and Corporate Defense Strategies

In response to the escalating threat, TraceX Labs has issued strict security recommendations for both individual users and corporate IT departments [1][5]. The primary defense is to strictly avoid sideloading applications and to download software only from trusted repositories such as the Google Play Store [1][6]. Furthermore, users are advised to enable Google Play Protect, carefully review app permissions, and transition from SMS-based OTPs to dedicated authenticator applications [1][4]. For devices suspected of compromise, immediate remediation requires uninstalling the application, revoking accessibility permissions, and monitoring financial accounts for unauthorized transactions [4].
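As an added triage example (not code from the TraceX Labs report), the Python script below parses the output of two standard adb commands, `pm list packages -i` and `settings get secure enabled_accessibility_services`, and flags any enabled accessibility service whose owning package was not installed through Google Play, which is exactly the combination of sideloading and accessibility abuse described above. The package names and command output embedded here are constructed samples, not data from a real device.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `adb shell pm list packages -i` output (not a real device).
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded_app  installer=null
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are colon-separated "package/ServiceClass" pairs.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded_app/.OverlayService"
)

def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package; None means sideloaded or unknown."""
    installers: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers

def parse_enabled_services(setting: str) -> List[Tuple[str, str]]:
    """Split the accessibility setting into (package, service) pairs; 'null' means none enabled."""
    if setting.strip() in ("", "null"):
        return []
    return [tuple(e.split("/", 1)) for e in setting.strip().split(":") if "/" in e]

def suspicious_accessibility_services(pm_output: str, setting: str) -> List[Tuple[str, str]]:
    """Return enabled accessibility services whose package did not come from Google Play."""
    installers = parse_installers(pm_output)
    return [(pkg, svc) for pkg, svc in parse_enabled_services(setting)
            if installers.get(pkg) != PLAY_STORE_INSTALLER]

def adb_shell(*args: str) -> str:
    """Run a command on the connected device via adb (replaces the samples on a real check)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for pkg, svc in suspicious_accessibility_services(SAMPLE_PACKAGES, SAMPLE_ENABLED):
        print(f"REVIEW: accessibility service {svc} enabled for non-Play package {pkg}")
```

On a real device, replace the two samples with `adb_shell("pm", "list", "packages", "-i")` and `adb_shell("settings", "get", "secure", "enabled_accessibility_services")`; any flagged package is a candidate for the uninstall-and-revoke step above.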
