Mayura Kathir
2025-09-01 05:27:00
gbhackers.com
SikkahBot is an Android malware, active since July 2024, that explicitly targets students in Bangladesh. Disguised as applications from the Bangladesh Education Board, SikkahBot lures victims with promises of scholarships, coerces them into sharing sensitive information, and requests high-risk permissions.
Once installed, it harvests personal and financial data, intercepts SMS messages, abuses the Accessibility Service, and executes automated banking transactions—including USSD-based operations.
Key Takeaways
- SikkahBot impersonates the Bangladesh Education Board to distribute fraudulent scholarship apps.
- Distribution occurs via shortened links redirecting victims to malicious APK download sites, likely through smishing campaigns.
- The malware harvests personal details and payment information (wallet number, PIN, payment type).
- Victims are coerced into granting Accessibility Service, SMS access, call management, and overlay permissions, enabling deep device control.
- SikkahBot intercepts bank-related SMS, abuses Accessibility Service to autofill credentials in bKash, Nagad, and DBBL apps, and executes automated USSD transactions.
- Active since July 2024, SikkahBot maintains low detection rates on VirusTotal, while newer variants showcase enhanced automation features, indicating continued development by threat actors.
CRIL’s investigation revealed that SikkahBot masquerades as official scholarship portals from the Bangladesh Education Board.

Victims receive phishing messages containing shortened URLs such as hxxps://bit[.]ly/Sikkahbord, hxxps://bit[.]ly/Education-2025, and hxxps://appsloads[.]top/govt[.]apk, which redirect users to APK download sites.
Upon installation, the app prompts students to log in with Google or Facebook, then requests personal details—name, department, and institute—and payment information, including wallet number, PIN, and payment type.
After registration, users are told a representative will contact them, but instead the malware activates its malicious capabilities.
Technical Analysis
Permission Abuse and Data Harvesting
Once installed, SikkahBot presents a settings screen that asks users to enable the Accessibility Service, grant SMS access, manage calls, and allow overlays. These high-risk permissions give the malware intrusive control over the device.
SMS Interception
SikkahBot registers an SMS broadcast receiver to monitor incoming texts for keywords related to bKash, Nagad, and MYGP, as well as numbers like 16216 and 26969.
Detected messages are forwarded to the attacker’s Firebase server at hxxps://update-app-sujon-default-rtdb[.]firebaseio.com.
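For triage of a suspect APK, the permission combination and SMS receiver described above can be checked in the decoded AndroidManifest.xml. The following is an added example, not code from the CRIL report or the article: the mapping of the article's capability names to Android permission strings is an assumption, and the sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping of the article's capability names to Android permissions.
CAPABILITIES = {
    "sms_access": {P + "RECEIVE_SMS", P + "READ_SMS"},
    "call_management": {P + "CALL_PHONE", P + "READ_PHONE_STATE"},
    "overlay": {P + "SYSTEM_ALERT_WINDOW"},
}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest (decoded form), not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scholarship">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".SmsListener">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return the sorted list of high-risk capabilities a manifest declares."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITIES.items() if perms & requested}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(ANDROID + "permission") == P + "BIND_ACCESSIBILITY_SERVICE"
           for s in root.iter("service")):
        found.add("accessibility_service")
    # A manifest-registered receiver for incoming SMS broadcasts.
    for r in root.iter("receiver"):
        if any(a.get(ANDROID + "name") == SMS_ACTION for a in r.iter("action")):
            found.add("sms_receiver")
    return sorted(found)

def is_high_risk(xml_text):
    """Flag apps combining accessibility control with SMS, call and overlay access."""
    needed = {"accessibility_service", "sms_access", "call_management", "overlay"}
    return needed <= set(triage_manifest(xml_text))

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), is_high_risk(SAMPLE_MANIFEST))
```

A receiver registered at runtime does not appear in the manifest, so a missing `sms_receiver` result does not rule out SMS interception when `RECEIVE_SMS` is requested.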

Banking App Manipulation
By abusing the Accessibility Service, SikkahBot tracks user activity in three banking applications—bKash, Nagad, and Dutch-Bangla Bank.
When a targeted app is launched, the malware retrieves a PIN from the Firebase server and automatically injects it into login fields, bypassing user input.
Automated USSD Transactions
If victims avoid targeted banking apps, SikkahBot switches to USSD-based fraud. It fetches USSD codes and SIM slot details from the Firebase server, initiates calls, fills required fields in the USSD response dialog, and simulates taps on “SEND,” “send,” or “ok” buttons. This offline attack enables transactions without an internet connection.
Variant Evolution and Detection
SikkahBot’s initial samples relied on phishing and SMS interception for financial fraud. Since September 2025, CRIL has observed enhancements incorporating Accessibility Service automation, indicating evolving tactics.
Despite its persistence since July 2024, SikkahBot’s variants maintain low detection rates on VirusTotal, underscoring the threat actors’ ability to evade traditional security measures.
SikkahBot represents a sophisticated, multi-faceted campaign targeting Bangladeshi students under the guise of scholarship assistance.
By combining phishing, SMS interception, Accessibility Service abuse, and offline USSD automation, attackers can harvest personal and financial data and execute unauthorized transactions.
The malware’s low detection profile and ongoing variant updates highlight the need for heightened mobile security controls, improved threat visibility, and proactive defense strategies.
Organizations and individuals alike should remain vigilant, scrutinize unsolicited scholarship-related downloads, and limit granting high-risk permissions to unverified apps.