SriLankan.apk: A Deep Dive into the Banking Trojan Draining Accounts Across Sri Lanka
In the last decade, Sri Lanka has witnessed a remarkable shift toward digital banking. With over 15 million mobile banking users, the convenience of managing finances via a smartphone has become the backbone of our local economy. However, as we at Forensec have frequently cautioned, this rapid digitalization has outpaced the general public’s awareness of mobile-centric threats. On May 8, 2026, the Sri Lanka Police and the Computer Emergency Readiness Team (CERT|CC) issued a joint high-priority advisory regarding a sophisticated piece of malware known as “SriLankan.apk.” This isn’t just another phishing link; it is a full-scale banking trojan designed specifically to dismantle the security layers implemented by Sri Lankan commercial banks.
As a cybersecurity consultant working within the local landscape, I have seen the aftermath of these attacks firsthand. Multiple accounts across several major commercial banks have been systematically drained over the past fortnight. The attackers are not merely “hacking” accounts in the traditional sense; they are hijacking the very devices we trust to be our digital vaults. This article provides a technical teardown of the SriLankan.apk infection chain, its underlying mechanisms, and the strategic steps required to protect both individual users and financial organizations.
The Infection Chain: How It Spreads
The success of SriLankan.apk lies in its deceptive simplicity. It leverages social engineering to bypass the perimeter security of the Android ecosystem. The attack follows a highly coordinated multi-stage process, which we can map directly to the MITRE ATT&CK Mobile matrix.
Step 1: Initial Access via Phishing (T1660)
The campaign typically begins with a WhatsApp message. In the Sri Lankan context, WhatsApp is more than a messaging app; it is a primary channel for news, business, and social interaction. The message often masquerades as a “SriLankan Airlines Promo” or a seasonal giveaway. Because these messages often come from “trusted” contacts whose devices have already been compromised, the recipient’s guard is naturally lowered.
Step 2: Deceptive Look-alike Domains
The user is prompted to click a link to claim their prize or register for a discount. These links lead to look-alike domains such as srilankan.wuozgo.cc, srilankan.vaco.cc, and srilankan.krgo.cc. These domains are carefully crafted to appear legitimate at a quick glance, especially on a mobile screen where the full URL might be truncated.
Step 3: User Execution and Sideloading (T1204)
Once on the site, the user is instructed to download an application to “validate” their entry. This is where the critical “SriLankan.apk” file is delivered. Since the app is not hosted on the Google Play Store, the user must “sideload” the application. The attackers provide step-by-step instructions on how to bypass Android’s “Install Unknown Apps” security warning, essentially coaching the victim into lowering their own defenses.
Step 4: Persistence and Permission Escalation
Once installed, the app does not immediately show malicious behavior. Instead, it requests a series of “required” permissions. The most critical of these is the request to enable “Accessibility Services.” In the hands of a banking trojan, this is the equivalent of handing over the keys to the kingdom.
What Makes This Trojan Different: The Technical Edge
Most users believe that if they have Multi-Factor Authentication (MFA) enabled, specifically SMS OTPs or biometrics, they are safe. SriLankan.apk is designed specifically to prove that assumption wrong. It utilizes several advanced techniques to bypass modern security controls.
Abuse of Accessibility Features (T1624)
The core of this trojan’s power is its abuse of legitimate Android Accessibility APIs. These APIs were designed to help users with disabilities by allowing apps to read the screen content and interact with other applications on the user’s behalf. SriLankan.apk uses these permissions to perform “Overlay Attacks.” It can detect when a banking app (like those from Sampath, BOC, or HNB) is opened and place an invisible layer over it to capture login credentials. More dangerously, it can automatically click “Allow” on permission prompts, effectively granting itself deep system access without the user’s knowledge.
Real-Time SMS Interception (T1646)
The trojan monitors the device for incoming SMS messages. When a bank sends an OTP, the malware intercepts the message, extracts the code, and immediately forwards it to the attacker’s Command and Control (C2) server. In many variants, the malware then deletes the SMS or silences the notification, so the victim never even knows a transaction was initiated. This renders the “Something You Have” (the phone) component of MFA useless, as the attacker has remote access to that “something.”
Capture of Biometric Data and MFA Bypass (T1629)
Perhaps the most alarming feature is its ability to interfere with biometric prompts. While the malware cannot “steal” your actual fingerprint image from the Secure Enclave, it can use its accessibility permissions to trigger a fallback to PIN/Pattern or, in some cases, use the captured biometric template data to spoof a successful authentication within the app’s local environment. By monitoring the screen while a user unlocks their phone or bank app, it can record the pattern or PIN, providing a secondary route for account takeover.
Remote Access and Monitoring (T1657)
Once the trojan is active, it establishes a persistent connection to the C2 server. This allows the attacker to monitor the device in real-time. They can see what the user sees, wait for the user to check their balance (identifying high-value targets), and then initiate transfers during off-peak hours (typically 2:00 AM to 4:00 AM) when the victim is likely asleep and unable to react to bank alerts.
Sri Lanka’s Mobile Banking Vulnerability
Why has this specific trojan been so effective in Sri Lanka? It is a combination of cultural and technical factors. We have a “sideloading culture” where users frequently install modified versions of apps (like “WhatsApp Gold” or cracked versions of paid games) from third-party sites. This has desensitized the public to the risks of installing APKs from outside the official store.
Furthermore, the trust-based nature of our social networks means that a link sent via a WhatsApp group is often treated with more credibility than an official bank advisory. When a friend sends a link about a “SriLankan Airlines Promo,” the recipient assumes the friend has verified it. In reality, the friend’s phone was likely compromised hours earlier by the same trojan.
The banking sector’s response has been commendable, with many banks pushing alerts through their apps. However, if the malware is already on the phone, it can suppress these very alerts. We are seeing a classic “cat and mouse” game where the attackers are leveraging the same technologies designed to protect us, such as APIs and MFA, to exploit us.
How to Protect Yourself: Individual Steps
If you suspect your device may have been exposed, or if you simply want to harden your mobile security, follow these steps immediately:
- Audit Your Installed Apps: Go to Settings → Apps and meticulously review the list. Look for anything named “SriLankan,” “Promo,” or any app with a generic icon that you don’t remember installing. If you find one, uninstall it immediately.
- Revoke Sideloading Permissions: Navigate to Settings → Security → Install unknown apps. Ensure that this permission is “Not Allowed” for every single app, especially WhatsApp, Chrome, and your file manager. This is the single most effective way to block 90% of mobile trojans.
- Re-enroll Your Biometrics: If you believe your device was compromised, your biometric templates (fingerprint/face) might be suspect. Delete all registered fingerprints and facial data from your phone’s security settings and re-register them. This invalidates any session tokens or templates the malware may have attempted to leverage.
- Check Accessibility Settings: Go to Settings → Accessibility → Installed Apps/Services. If you see any app listed there that you didn’t specifically enable for a known accessibility need, disable it and uninstall the app.
- Use a Mobile Security Suite: While SriLankan.apk tries to evade detection, reputable mobile antivirus software can often identify the C2 communication patterns or the abuse of accessibility APIs.
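To make the accessibility audit above repeatable when triaging several handsets, here is an added Python example that is not part of the advisory: it parses the value of Android's enabled_accessibility_services secure setting (what "adb shell settings get secure enabled_accessibility_services" prints) and flags any enabled service that is not on a known allowlist. The allowlist, the sample setting value and the sideloaded package name are constructed assumptions.

```python
# Added example (not the advisory's code): audit the Android secure setting that
# lists enabled accessibility services. On a connected handset the raw value comes from
#   adb shell settings get secure enabled_accessibility_services
# and is a colon-separated list of "package/ServiceClass" entries.
from typing import Dict, List

# Assumption: the user knowingly enabled only TalkBack; extend for your own devices.
KNOWN_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}
# Name fragments the advisory tells users to look for.
SUSPICIOUS_NAME_FRAGMENTS = ("srilankan", "promo")

def parse_enabled_services(setting_value: str) -> List[Dict[str, str]]:
    """Split the raw setting value into {package, service} records."""
    services = []
    for entry in setting_value.strip().split(":"):
        if "/" not in entry:
            continue  # unset value ("null" or "") or malformed entry
        package, service = entry.split("/", 1)
        if service.startswith("."):  # class name written relative to the package
            service = package + service
        services.append({"package": package, "service": service})
    return services

def flag_unknown_services(setting_value: str) -> List[Dict[str, str]]:
    """Return every enabled service not on the allowlist, with a reason."""
    findings = []
    for svc in parse_enabled_services(setting_value):
        if svc["package"] in KNOWN_ACCESSIBILITY_PACKAGES:
            continue
        name = svc["package"].lower()
        reason = ("name matches advisory keyword"
                  if any(frag in name for frag in SUSPICIOUS_NAME_FRAGMENTS)
                  else "not on allowlist")
        findings.append({**svc, "reason": reason})
    return findings

# Constructed sample: TalkBack plus a service from a sideloaded app (package name invented).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.srilankan.promo/.AccessService"
)

if __name__ == "__main__":
    for f in flag_unknown_services(SAMPLE_SETTING):
        print(f"{f['package']} ({f['service']}): {f['reason']}")
```

Anything reported here that the user cannot account for is a candidate for the "disable and uninstall" step above.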
How to Protect Your Organization: For Enterprise and Bank IT Teams
For those of us in the IT and security departments of Sri Lankan financial institutions, the responsibility is even greater. We must move beyond simple perimeter defense.
- Push High-Priority Advisories: Use in-app notifications and SMS (though with caution) to warn users specifically about the “SriLankan.apk” file. Use visual aids to show what the fake domains look like.
- Implement Behavioral Fraud Detection: Look for anomalies such as transfers initiated from devices that have recently changed their biometric settings or devices that show “Accessibility Services” being active during a banking session.
- Enforce App Integrity Checks: Utilize Google’s Play Integrity API or Apple’s DeviceCheck to ensure that the user’s device has not been tampered with and that the app is running in a secure environment.
- Monitor Threat Intelligence: Keep a close watch on new C2 domains. We have seen a rotation from .cc to .top and .xyz domains. Ensure your corporate DNS filters block these look-alike domains.
- Educate Employees: Corporate devices are often the entry point for larger breaches. Ensure that staff are aware that their work phones are not for “participating in promos” or sideloading personal apps.
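As an added illustration of the behavioral fraud detection and app integrity items above (example code, not the advisory's or any bank's): a small rule-based scorer that raises the risk of a transfer when biometrics were re-enrolled shortly before it, an accessibility service was active during the session, the Play Integrity device verdict was not met, or the transfer falls in the 02:00 to 04:00 window described earlier. The event field names, rule weights and threshold are assumptions.

```python
# Added example, not the advisory's or any bank's code: rule-based risk scoring
# for a pending transfer. Event field names are assumptions; the verdict label
# MEETS_DEVICE_INTEGRITY is a real Play Integrity API value.
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

BIOMETRIC_CHANGE_WINDOW = timedelta(hours=48)  # assumption: tune per institution
OFF_PEAK_START, OFF_PEAK_END = 2, 4            # 02:00-04:00 window from the advisory
BLOCK_THRESHOLD = 60                           # assumption

def score_transfer(event: Dict) -> Tuple[int, List[str]]:
    """Return (risk score, triggered rule names) for one transfer event."""
    score, reasons = 0, []
    when: datetime = event["transfer_at"]
    # Rule 1: biometrics re-enrolled shortly before the transfer.
    changed = event.get("biometric_changed_at")
    if changed and timedelta(0) <= when - changed <= BIOMETRIC_CHANGE_WINDOW:
        score += 30
        reasons.append("biometric_recently_changed")
    # Rule 2: an accessibility service was active during the banking session.
    if event.get("accessibility_services_active"):
        score += 40
        reasons.append("accessibility_service_active")
    # Rule 3: the device did not meet the Play Integrity device verdict.
    if "MEETS_DEVICE_INTEGRITY" not in event.get("device_recognition_verdict", []):
        score += 20
        reasons.append("device_integrity_not_met")
    # Rule 4: initiated in the 02:00-04:00 window the advisory describes.
    if OFF_PEAK_START <= when.hour < OFF_PEAK_END:
        score += 10
        reasons.append("off_peak_hours")
    return score, reasons

def decision(event: Dict) -> str:
    """Hold the transfer for out-of-band verification above the threshold."""
    return "hold_and_verify" if score_transfer(event)[0] >= BLOCK_THRESHOLD else "allow"

# Constructed sample events (not real telemetry).
SUSPECT_EVENT = {
    "transfer_at": datetime(2026, 5, 9, 3, 15),
    "biometric_changed_at": datetime(2026, 5, 8, 21, 0),
    "accessibility_services_active": True,
    "device_recognition_verdict": ["MEETS_BASIC_INTEGRITY"],
}
NORMAL_EVENT = {
    "transfer_at": datetime(2026, 5, 9, 14, 0),
    "biometric_changed_at": None,
    "accessibility_services_active": False,
    "device_recognition_verdict": ["MEETS_DEVICE_INTEGRITY", "MEETS_BASIC_INTEGRITY"],
}
```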
References
- Sri Lanka CERT|CC – Advisory on Mobile Banking Trojans (May 2026)
- Sri Lanka Police – Cyber Crimes Division Press Release (Ref: CCD/2026/05/08)
- MITRE ATT&CK Framework: Mobile Matrix (Techniques T1660, T1204, T1624, T1646, T1629)
- Android Developer Documentation: Accessibility Service Security Best Practices
- Recent Variants of South Asian Banking Trojans (Cerberus/Anatsa Research)
The threat landscape in Sri Lanka is evolving. SriLankan.apk is a clear signal that attackers are moving toward highly localized, mobile-first campaigns. Stay vigilant, stop sideloading, and remember that no legitimate organization will ever ask you to bypass your phone’s security settings to claim a prize. If it sounds too good to be true, it’s likely a trojan.
