Anatomy of an AI-Powered Heist: How the 'RewardSteal' Trojan Targets Outdated Phones in India
Editor
Jun 21, 2025

For millions of Indians using older smartphones, the greatest digital threat in 2025 doesn't announce itself with a virus warning, but with a deceptively simple and enticing text message. This message, perfectly crafted and personalized by AI, is the first step in a sophisticated attack chain that ends with the 'RewardSteal' banking Trojan emptying a victim's bank account. This Trojan, which saw a surge in activity across India in the first quarter of 2025, provides a chilling case study in how AI-powered threats exploit both human psychology and the unpatched vulnerabilities of outdated devices.
**Step 1: The AI-Crafted Lure**
The attack begins not with code, but with conversation. An AI model, trained on vast datasets of marketing and social media content, generates a highly convincing SMS message. It might read: "Congratulations! Your mobile number was selected in our loyalty program. As a valued customer of [Victim's Mobile Operator], click here to claim your ₹2,500 reward and upgrade your data plan for free." The message is flawless, personalized with the correct operator name, and creates a sense of urgency and legitimacy. For a user of an older, budget smartphone, the offer of a cash reward and a free upgrade is often too good to resist.
**Step 2: The Malicious Redirect**
Upon clicking the link, the user is not taken to a poorly designed phishing site. Instead, they land on a professional-looking webpage, often a perfect clone of the mobile operator's official site, again generated and hosted through automated systems. The page prompts them to download a special 'rewards' app to claim their prize. The user, believing they are interacting with their trusted service provider, agrees and sideloads the application package file (APK). This action bypasses the security of the official Google Play Store.
**Step 3: The Trojan's Entry**
The downloaded app is the RewardSteal Trojan in disguise. When the user installs it, the app requests a series of permissions that seem plausible for a rewards app, including access to SMS, contacts, and accessibility services. On an older Android phone, the permission warnings may be less granular or the user may be more inclined to grant them without scrutiny. The key permission is 'Accessibility Services.' Originally designed to assist users with disabilities, this powerful permission allows an app to read the screen, input text, and perform actions on behalf of the user.
**Step 4: The Unpatched Exploit and Data Theft**
Once granted, RewardSteal lies dormant. When the user opens their legitimate mobile banking app or a UPI payment app, the Trojan springs into action. Using the Accessibility Services permission, it creates an invisible overlay on top of the real app. When the user types their PIN, password, or credit card details, they are unknowingly entering them into the malicious overlay, which captures the credentials and sends them to the attacker's server.
Simultaneously, the Trojan leverages its SMS permissions to intercept one-time passwords (OTPs) sent by the bank for transaction verification. In some cases, for phones with known unpatched vulnerabilities, RewardSteal doesn't even need the overlay. It can exploit a flaw in the operating system's framework to directly scrape the login data from the memory of the banking app—a flaw that was patched years ago on newer devices, but remains wide open on this outdated phone.
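A defender-side triage heuristic for the permission combination described in Steps 3 and 4, written as an added example (it is not code from the article): it parses sample output in the format of three adb commands (`settings get secure enabled_accessibility_services`, `pm list packages -i`, and the runtime-permission lines of `dumpsys package <pkg>`) and flags apps that are sideloaded, have an enabled accessibility service and hold SMS permissions. All package names and command output below are constructed for the example.

```python
import re
PLAY_STORE = "com.android.vending"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed sample output (not from a real device): a Play Store screen reader,
# a sideloaded keyboard with an accessibility service, the bank app, and a
# sideloaded 'rewards' app with its own accessibility service and SMS permissions.
ENABLED_A11Y = ("com.android.talkback/.TalkBackService:"
                "com.example.keyboard/.InputService:com.rewards.claim/.HelperService")
PM_LIST_I = """package:com.android.talkback  installer=com.android.vending
package:com.example.keyboard  installer=null
package:com.rewards.claim  installer=null
package:com.bank.mobile  installer=com.android.vending
"""
DUMPSYS = {  # runtime-permission lines as printed by 'dumpsys package <pkg>'
    "com.rewards.claim": """      android.permission.RECEIVE_SMS: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.READ_CONTACTS: granted=true""",
    "com.android.talkback": "      android.permission.RECEIVE_SMS: granted=false",
}

def parse_installers(pm_output):
    """Map package -> installer from 'pm list packages -i'; 'null' means sideloaded."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M)}

def a11y_packages(setting):
    """Packages with an enabled accessibility service ('pkg/Service' entries, ':'-separated)."""
    return {entry.split("/")[0] for entry in setting.split(":") if entry}

def granted_sms(dumpsys_fragment):
    """SMS permissions reported as granted=true in the dumpsys fragment."""
    return {m.group(1) for m in re.finditer(r"(\S+): granted=true", dumpsys_fragment)} & SMS_PERMS

def triage(setting, pm_output, dumpsys_by_pkg):
    """Return {pkg: 'high'|'medium'}: sideloaded + accessibility + SMS -> high, any two -> medium."""
    installers, a11y, findings = parse_installers(pm_output), a11y_packages(setting), {}
    for pkg, installer in installers.items():
        hits = sum((installer != PLAY_STORE, pkg in a11y,
                    bool(granted_sms(dumpsys_by_pkg.get(pkg, "")))))
        if hits == 3:
            findings[pkg] = "high"
        elif hits == 2:
            findings[pkg] = "medium"
    return findings

if __name__ == "__main__":
    for pkg, risk in sorted(triage(ENABLED_A11Y, PM_LIST_I, DUMPSYS).items()):
        print(f"{risk:6} {pkg}")
```

On a real device the same three commands can be run over `adb shell` and their output fed to `triage`; a "medium" hit (for example a legitimate sideloaded keyboard) still deserves a manual look, since only the combination with SMS access matches the OTP-interception pattern.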
**Step 5: The Financial Heist**
The attacker now has everything they need: the victim's banking app credentials and the ability to intercept OTPs. From a remote location, they can log into the victim's bank account, initiate transactions, and approve them using the stolen OTPs. The entire process, from the initial AI-generated text message to the final fraudulent transaction, can take place in minutes. The victim is often left unaware until they check their bank balance, by which time their account has been drained.
The RewardSteal Trojan exemplifies the modern mobile threat. It's a hybrid attack that combines sophisticated AI-driven social engineering to manipulate the user with malware designed to exploit the technical weaknesses of unsupported hardware. It's a stark reminder that on an outdated phone, the biggest security vulnerability is often the misplaced trust in a text message.
Editor
League Manager Editorial Team