SikkahBot Malware Campaign Lures and Defrauds Students in Bangladesh

    Date: 09/02/2025

    Severity: High

    Summary

    Our team discovered an Android malware, “SikkahBot,” active since July 2024 and targeting students in Bangladesh. Disguised as apps from the Bangladesh Education Board, it lures users with fake scholarship offers in order to steal sensitive data. It abuses permissions such as SMS access and the Accessibility Service to capture credentials for mobile banking and wallet apps (bKash, Nagad, DBBL) and to automate USSD transactions. Spread via smishing and fake APK download links, SikkahBot harvests personal, financial, and mobile wallet details.

    Indicators of Compromise (IOC) List 

    Domains\URLs : 


    Hash : 


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs :

    domainname like "https://appsloads.top/educationapp.apk" or url like "https://appsloads.top/educationapp.apk" or siteurl like "https://appsloads.top/educationapp.apk" or
    domainname like "http://appsloads.top/sikkahbord.apk" or url like "http://appsloads.top/sikkahbord.apk" or siteurl like "http://appsloads.top/sikkahbord.apk" or
    domainname like "https://bit.ly/Sikkahbord" or url like "https://bit.ly/Sikkahbord" or siteurl like "https://bit.ly/Sikkahbord" or
    domainname like "http://appsloads.top/edu.apk" or url like "http://appsloads.top/edu.apk" or siteurl like "http://appsloads.top/edu.apk" or
    domainname like "https://bit.ly/app-upobitti" or url like "https://bit.ly/app-upobitti" or siteurl like "https://bit.ly/app-upobitti" or
    domainname like "http://sbs.short.gy/" or url like "http://sbs.short.gy/" or siteurl like "http://sbs.short.gy/" or
    domainname like "https://bit.ly/D43SJ" or url like "https://bit.ly/D43SJ" or siteurl like "https://bit.ly/D43SJ" or
    domainname like "https://appsloads.top/govt.apk" or url like "https://appsloads.top/govt.apk" or siteurl like "https://appsloads.top/govt.apk" or
    domainname like "https://appsloads.top/education2025.apk" or url like "https://appsloads.top/education2025.apk" or siteurl like "https://appsloads.top/education2025.apk" or
    domainname like "https://bit.ly/Education-2025" or url like "https://bit.ly/Education-2025" or siteurl like "https://bit.ly/Education-2025" or
    domainname like "https://bit.ly/Educ-govt" or url like "https://bit.ly/Educ-govt" or siteurl like "https://bit.ly/Educ-govt" or
    domainname like "https://update-app-sujon-default-rtdb.firebaseio.com" or url like "https://update-app-sujon-default-rtdb.firebaseio.com" or siteurl like "https://update-app-sujon-default-rtdb.firebaseio.com" or
    domainname like "https://smsrecived-3d4ed-default-rtdb.firebaseio.com" or url like "https://smsrecived-3d4ed-default-rtdb.firebaseio.com" or siteurl like "https://smsrecived-3d4ed-default-rtdb.firebaseio.com" or
    domainname like "https://educa-41b35-default-rtdb.firebaseio.com" or url like "https://educa-41b35-default-rtdb.firebaseio.com" or siteurl like "https://educa-41b35-default-rtdb.firebaseio.com" or
    domainname like "http://downloadapp.website/education2025.apk" or url like "http://downloadapp.website/education2025.apk" or siteurl like "http://downloadapp.website/education2025.apk" or
    domainname like "https://downloadapp.website/Educationa.apk" or url like "https://downloadapp.website/Educationa.apk" or siteurl like "https://downloadapp.website/Educationa.apk" or
    domainname like "https://downloadapp.website/govt.apk" or url like "https://downloadapp.website/govt.apk" or siteurl like "https://downloadapp.website/govt.apk" or
    domainname like "https://downloadapp.website/education-bangla.apk" or url like "https://downloadapp.website/education-bangla.apk" or siteurl like "https://downloadapp.website/education-bangla.apk" or
    domainname like "https://downloadapp.website/tyup.apk" or url like "https://downloadapp.website/tyup.apk" or siteurl like "https://downloadapp.website/tyup.apk" or
    domainname like "https://apped.short.gy/" or url like "https://apped.short.gy/" or siteurl like "https://apped.short.gy/"

    Hash : 

    sha256hash IN (
        "a6f94cc3720aac3beed82e94fc7822e9b861b6cecaa5b396bd8b79b6c5a402bc",
        "72f167b9ed0e40c0cb96b4dabf644dad4fd02a0d67a3cd492482c75de57695db",
        "a808219e6f4b5f8fb42635e070174d43d5a9314c1b45dcc3434ee106582bbdf8",
        "20509a69e2dfe16f9d13f27b1f7c1b2f55e83317eb42301eb5b4f7953248605e",
        "c75aa842bdd107cc6483b4a119cf4b008abc745dcd04f06e39e60579798d7581",
        "881ec7f704a8aa63139040e27b8bbe55c326ef117935cf1dceac4f2012f5919f",
        "0b7a72b4a7bd307636cf9d7c92798796e255f4fd2735c77294a782959a390fe2",
        "b785fcc27aa5efee480a321c6bb8f935f684da6c514470c9c1ce9003b05ab45e",
        "1051fadcae01d6100ad89eb4badc4b9e36726c4812766359e5df62a540f9c312",
        "4c2c270dc07a49a4e38f826bc2ca276e15be10528e97cca3163ac9bfa211294b",
        "d856625e6a7bcd8d771605a6f88b934a17baf755f390234404963909c6653d24",
        "432d22f2bc4a6b63f8e3b7a6563b1756629d1b8da8feb918ab4859045b1dce72",
        "04feff4706190410a08ad9b35c76118ebefc01c987a0efd7bdf6162c4ec09299"
    )
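    As an added example (not part of this advisory or of Gurucul's TDIR content), the same indicators applied to proxy-log records in Python: the attacker-controlled hosts are matched by hostname so a renamed APK path on the same host is still caught, the shortener links are matched as full links because bit.ly and short.gy are shared services, and downloaded files are matched by SHA-256. The record layout and sample lines are constructed for the demonstration.

```python
from urllib.parse import urlsplit
# Attacker-controlled hosts from the IoC list: match on hostname, any path.
IOC_HOSTS = {"downloadapp.website", "appsloads.top",
             "update-app-sujon-default-rtdb.firebaseio.com",
             "smsrecived-3d4ed-default-rtdb.firebaseio.com",
             "educa-41b35-default-rtdb.firebaseio.com"}
# Shortener links sit on shared services, so match the full link only.
IOC_LINKS = {"https://bit.ly/Sikkahbord", "https://bit.ly/Education-2025",
             "https://bit.ly/Educ-govt", "https://bit.ly/app-upobitti",
             "https://bit.ly/D43SJ", "http://sbs.short.gy/", "https://apped.short.gy/"}
# Two of the SHA-256 hashes from the IoC list; the rest are added the same way.
IOC_SHA256 = {"a808219e6f4b5f8fb42635e070174d43d5a9314c1b45dcc3434ee106582bbdf8",
              "b785fcc27aa5efee480a321c6bb8f935f684da6c514470c9c1ce9003b05ab45e"}

def _norm(url):
    """Reduce a URL to host + path, ignoring scheme, host case and trailing slash."""
    p = urlsplit(url.strip())
    return (p.hostname or "") + p.path.rstrip("/")

_IOC_LINKS_NORM = {_norm(u) for u in IOC_LINKS}
def classify_url(url):
    """Return 'host' or 'link' if the URL hits an indicator, else None."""
    host = urlsplit(url.strip()).hostname or ""  # .hostname is already lowercased
    if host in IOC_HOSTS or any(host.endswith("." + h) for h in IOC_HOSTS):
        return "host"
    return "link" if _norm(url) in _IOC_LINKS_NORM else None

def scan_proxy_log(lines):
    """Return (line_no, reason) per matching record of '<ts> <ip> <url> <sha256|->' (constructed layout)."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed record: skip rather than abort the scan
        url, digest = fields[2], fields[3].lower()
        kind = classify_url(url)
        if kind:
            hits.append((n, f"{kind}:{url}"))
        elif digest in IOC_SHA256:
            hits.append((n, f"sha256:{digest}"))
    return hits

# Constructed sample records: 2, 3 and 4 should match; 1 should not.
SAMPLE_LOG = [
    "2025-02-09T10:00:01Z 10.0.0.5 https://www.example.org/index.html -",
    "2025-02-09T10:00:07Z 10.0.0.5 https://APPSLOADS.top/renamed.apk -",
    "2025-02-09T10:01:12Z 10.0.0.9 http://bit.ly/Education-2025/ -",
    "2025-02-09T10:02:30Z 10.0.0.9 https://cdn.example.net/f.apk "
    "a808219e6f4b5f8fb42635e070174d43d5a9314c1b45dcc3434ee106582bbdf8",
]
```

    A bit.ly link that is not on the list (for example https://bit.ly/unrelated) is deliberately not flagged, which keeps the host-level rule from turning into a block on the whole shortener.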

    Reference:

    https://cyble.com/blog/sikkahbot-malware-defrauds-students-in-bangladesh/


    Tags

    Malware, SikkahBot, Smishing, Bangladesh, bKash, Nagad, DBBL, Fake software, Financial Services, Education
