Shadow Banking in Your Pocket: Exposing Android App Used by Money Mules

CloudSEK's Threat Intelligence (TI) team continued its investigation and has uncovered a network of money mules, posing a significant risk to the Indian banking ecosystem.

Sparsh Kulshrestha
March 5, 2024
Co-authors: Abhishek Mathew, Santripti Bhujel

What are Money Mules?

A money mule refers to an individual enlisted to receive and transfer funds acquired through fraudulent activities. This role is pivotal in the execution of various financial crimes, such as cyber fraud or money laundering. Importantly, the involvement of money mules introduces an additional layer of complexity, making it challenging for law enforcement to trace the origins of illicit transactions.

In October 2023, CloudSEK identified a critical loophole within India's banking infrastructure. This loophole was actively exploited by Chinese cybercriminals to orchestrate a large-scale money laundering scheme targeting Indian citizens. The scheme leveraged a network exceeding hundreds of thousands of compromised "money mule" accounts to funnel illicit funds through fraudulent payment channels, ultimately transferring them back to China.

Link to the Report: Chinese Scammers Launder Money via Fraud Payment Gateways: A New Threat to India's Digital Payment Ecosystem

CloudSEK's Threat Intelligence (TI) team continued its investigation and has uncovered a network of money mules, posing a significant risk to the Indian banking ecosystem. This report focuses on a malicious mobile application (APK) identified as a key tool for onboarding and managing these money mules. Through in-depth analysis, we reveal the functionalities of this APK and the vulnerabilities it exploits, shedding light on the inner workings of this criminal operation.

Image Showing Scam Operations Weaponizing Money Mules

Businesses that Automate Money Laundering

Threat actors have crafted a sophisticated application known as XHelper, which functions as a crucial tool for efficiently managing a network of money mules. It serves as the technological backbone for fake payment gateways used in various scams, such as Pig Butchering, Task scams, Loan scams, E-Commerce scams, Illegal gambling apps, etc. The app is distributed through websites posing as legitimate businesses under the guise of a "Money Transfer Business."

Image Showing Xhelper dashboard

Image showing how threat actors advertise their business

Funds transferred from mule accounts undergo a complex process, reaching threat actors who convert the funds into cryptocurrencies. After deducting their commission, threat actors pay scammers in USDT. Mules also have the option to receive their commissions in USDT. 

The XHelper app offers various features, including a ranking list for mules to track earnings and compete with others. Additionally, the app incorporates a dedicated support system operating through the binding of Telegram accounts to the APK.

While XHelper serves as a concerning example, it's crucial to recognize this is not an isolated incident. CloudSEK's investigations have revealed a growing ecosystem of similar applications facilitating money laundering across various scams.

Other apps like Xhelper dashboard and being advertised in underground channels

Other apps like Xhelper dashboard and being advertised in underground channels

Other apps like Xhelper 

Exclusive Working of XHelper APK

The XHelper app functions as a central hub for malicious money mules, streamlining the execution of illegal financial transactions. Designed for user-friendly operation, the platform simplifies both payout and collection processes, making it an attractive tool for individuals seeking illegitimate profit.


Working of Xhelper App

Collection Orders (Passive Role):

  • Collection orders within XHelper involve the acquisition of funds or assets, often through fraudulent activities orchestrated by external actors.
  • Importantly, money mules do not directly participate in collection activities. Instead, they passively receive incoming funds from scammers utilizing the XHelper platform.

Payout Orders (Active Role):

  • Payout orders within XHelper demand the active participation of money mules. These orders mandate the swift transfer of funds to pre-designated accounts within strict timeframes.
  • Essentially, these outgoing transactions from mule accounts to the app operators mark the final stage of the illicit financial cycle facilitated by XHelper.

Onboarding and Initial Setup

  • Money mules begin by entering their net banking and UPI information within the app. This grants the app access to transfer funds directly into their UPI account.
Initial steps for Money mules for onboarding on the app

Adding banking details is essential for money mules to gain access to the app

Key Operational Instructions for Money Mules during Onboarding 

Pattern of UPI address:

  • The individuals acting as money mules are asked to register UPI in a specific format. The format includes the username of the mule on the app. This is because the app is using these UPI addresses in a programmatic way to assign orders.
Money mules are asked to register UPI in a specific format

Net Banking Credentials

  • In the backend, the app uses net banking to confirm the success of each payout order. Hence money mules are advised to ensure that the net banking credentials they share are correct.
Money mules advised to ensure correct net banking credentials

  • The individuals acting as money mules are asked to not change the password associated with the net banking.
Image showing how Money Mules are Advised Against Password Change

Link to a video from Xhelper app's LMS, providing Key Operational Instructions for Money Mules during onboarding attached here.

Order Processing Workflow for Money Mules on App

Initiation:

  • Money mules activate order intake within the XHelper app, enabling them to receive and fulfill money laundering tasks.
  • The system automatically assigns orders, potentially based on pre-determined criteria or mule profiles.
Image showing the activate and process order functions in the mule app

Order Processing:

  • Upon receiving a payment order notification, mules review the details (likely containing source, destination, and amount information).
  • Following strict adherence guidelines to minimize detection, money mules execute the illicit fund transfer using their linked bank app.
Image Showing how money mules use the bank app for orders to minimize detection

Verification and Reward:

  • After completing the transfer, mules capture and upload screenshots as proof of execution, indicating success or error.
  • The XHelper system or designated team automatically verifies the screenshots, streamlining the order validation process.
  • Successful order completion translates to financial rewards within the app, incentivizing continued participation.


Image Showing how money mules are rewarded after every successful order completion

Link to a video from Xhelper app's LMS on Order Processing Workflow for Money Mules on App attached here.

Key Operational Instructions for Money Mules while Processing Orders

Transfer of OTP ( One time password):

  • The individuals acting as money mules are presented with two alternatives for submitting a One Time Password (OTP), known as "OTP work" and "No OTP work."
  • In OTP work, the money mule either manually forwards the OTP SMS to the mule agent to finalize the transaction, or the mule agent provides an application that automatically forwards the SMS for all outgoing transactions.
  • In No OTP work, the money mule changes the mobile number linked to their bank account to the agent's mobile number, so the OTP is delivered directly to the agent.

Order Completion Timeframe:

  • Time-Sensitive Rewards: Money mules are incentivized to complete payout orders within a strictly enforced 10-minute window. Faster processing translates to higher commissions and rewards, promoting rapid and potentially reckless transaction behavior.

Bank Account Selection:

  • Matched Bank Application: To avoid raising red flags and incurring potential penalties, mules are instructed to strictly use the bank app corresponding to the assigned order. This implies the app might track or verify linked accounts.
Image Showing how money mules are instructed to strictly use the bank app

Payment Method Prioritization:

  • IMPS/UPI Preference: Based on the order type, the XHelper app prioritizes specific payment methods, likely IMPS or UPI. This suggests potential order variations and targeted use of specific financial channels to obscure transactions.


Image Showing encouraging money mules to add beneficiaries

Recruitment of Money Mules

Money mules, recruited by individuals called "Agents," operate within a network established through multiple Telegram channels. Agents pose as thriving businesses seeking efficient fund management due to a high transaction volume. The recruitment often occurs through personal connections, with recruiters or agents persuading individuals in their social circles. Crucially, these so-called mules show a distinct preference for corporate bank accounts, which typically have higher transaction limits. This strategic choice allows the illicit network to move large sums of money more efficiently, maximizing the potential gains from their criminal activities.

The XHelper app incorporates an invitation feature:

Referral System: Agents can invite others to join as agents.

Bonuses and Rewards: Referring agents earn bonuses for each successful recruitment.

This referral system follows a pyramid-like structure, fueling mass recruitment of both agents and money mules, amplifying the reach of illicit activities. Agents, in turn, recruit more mules and invite additional agents, perpetuating the growth of this interconnected network.

Inviting process and managing money mule agents by the top level Mule agents 

Image Showing how Mule Agents  recruit Money Mules on Telegram 

Link to a video from Xhelper app's LMS showing money mules referral system attached here.  


Training of Money Mules

The Learning Management System (LMS) for the XHelper APK, an app used by cybercriminals to onboard money mules, provides a concerning glimpse into their recruitment and training tactics.

  • Target Audience: Money mules recruited to launder stolen funds using their bank accounts.
  • App Functionality: XHelper app facilitates uploading bank and UPI details, processing orders (likely money laundering transactions), and withdrawing "earnings."
  • Content Focus:
      • Streamlining the money laundering process (uploading cards, processing orders).
      • Maximizing profits (adding more cards, strategic card usage).
      • Justifying the activity (showcasing success stories, addressing concerns).
      • Overcoming obstacles (handling frozen accounts, exceeding limits).
      • Handling cryptocurrency transactions (using USDT on Binance P2P).
  • Overall Goal: Induce new recruits and equip them to efficiently launder stolen funds through the XHelper app.
LMS on Xhelper app and tutorials shared by the Agents

Movement of Money From the Mule Account

Financial Transactions and Fund Transfer Process:

  • Incoming Funds to Mule Accounts: Mules receive funds in their linked bank accounts through the payment gateway integrated into the XHelper app.

  • Transfer to Corporate Mule Accounts: Mules are mandated to transfer the received funds to specific predetermined corporate mule accounts within a stipulated time frame, typically around 10 minutes. These corporate accounts, controlled by the XHelper application providers, have higher transaction limits.
Mules must quickly transfer received funds to specific corporate accounts within about 10 minutes

Mules transferring the incoming payments to xhelper owned accounts

  • Preventing Accumulation in Mule Accounts: The time-sensitive nature of the fund transfer aims to prevent the accumulation of funds in individual mule accounts. This ensures that the application providers are not defrauded by the mules.

Mules getting paid and punished based on how fast the incoming money is transferred to Xhelper owned accumulator accounts 

  • Transfer Mechanism to Application Providers: Funds transferred from mule accounts are directed to dedicated accounts provided by the threat actors or application providers. These accounts are added as beneficiaries by the mules for performing IMPS transactions, enabling swift and controlled fund transfers.


Mules are instructed to add dedicated accounts as beneficiaries for controlled transactions

  • Crypto Conversion and Commission Deduction: The funds transferred out from the mule accounts are sent to threat actors, who subsequently convert this money into cryptocurrencies. After deducting their commission, threat actors remunerate scammers in USDT, a stablecoin pegged to the US Dollar.

  • Mule Commissions in USDT: Mules, as active participants in the illicit financial operations, have the option to receive their commissions in USDT. This adds a layer of anonymity to the transactions, as cryptocurrencies provide a degree of privacy.

Mule agents offering to pay the commissions in USDT and INR

Link to a video from Xhelper app's LMS showing movement of money from the mule account attached here.

Earnings of Money Mules on App

The app employs a hierarchical structure for mules, with new mules initially limited to adding up to 2 banks. Mules can increase their limits by leveling up based on their performance, unlocking additional commissions and benefits.



Username      Total Income
shahbaz       12,714,545.27
Register26    12,536,179.90
Ranjan1982    12,199,516.30
Shailendar    10,123,620.57
Rakamsingh     9,461,049.48
zycorp01       8,080,689.07
Narshima       6,378,690.46
koushik8016    6,242,319.87
Arpanadevi     6,049,542.31
RAMKABIR77     5,577,885.92

App Hierarchy for Mules Unlocking More Banks, Commissions, and Benefits with Performance Levels

Daily Earnings of Money Mules on App


Mule Agents showing proofs of the amount of money that flows through each agent 


Link to a video from Xhelper app's LMS showing how mules can earn money within the app by adding an additional bank account attached here

How Money Mules Open Fake Corporate and Merchant Accounts 

Agents and money mules demonstrate a distinct preference for corporate and merchant bank accounts. This preference is driven by the higher transaction limits associated with corporate accounts. Corporate accounts offer greater flexibility, enabling the processing of larger sums of money. The allure of these accounts lies in their capacity to accommodate substantial transactions, making them particularly attractive for the illicit activities conducted through the money mule network.

The XHelper app provides LMS training for money mules on opening corporate/merchant accounts. The process involves:

  1. Obtaining necessary documents:
     • Business name with proprietorship
     • Business location
     • Form C (advising to consult a CA)
     • Verifying the need for a GST certificate with the bank, suggesting consulting a CA if required (takes up to 4 days)
Necessary documents required for opening corporate accounts

  2. Registering KYC Aadhaar card and PAN card with suggested small-scale businesses (e.g., XYZ enterprise, XYZ computer services, XYZ shop and stop).
KYC Registration with Small-Scale Businesses is suggested for money mules

  3. Submitting all prepared documents to the bank, with recommended banks provided by XHelper.

  Recommended banks suggested by Xhelper app

  4. Instructing money mules to inform bank executives about specific requirements for app access:
     • CMS
     • Bulk payment option
     • VPA
Instructing money mules to inform bank executives about specific requirements while creating a corporate bank account

  5. Emphasizing the potential for high daily income by uploading their corporate account information to the app.

Besides the guidance provided by Xhelper training, money mules and agents also purchase accounts with higher limits, equipped with net banking and MQR, through Telegram.

Link to a video from Xhelper app's LMS showing how money mules are taught to open fake corporate and merchant accounts within the app is attached here.

Sensitive source contacted agents selling bank accounts with higher limit 

Why Money Mule Apps Favor Bank-Specific UPI Applications

  • Stealthy Transactions: Bank UPI apps provide scammers with a platform for conducting transactions discreetly, mitigating the risk of immediate detection or suspicion by leveraging the relative lack of visibility associated with bank-specific platforms.

  • Bypassing Third-Party Monitoring: The choice of bank UPI apps allows scammers to circumvent potential monitoring mechanisms associated with popular third-party applications. This avoidance of third-party oversight enhances the scammers' ability to involve money mules in unauthorized transactions without triggering immediate alerts or security measures.

  • Perceived Lower Security Standards: Money mules may perceive bank-specific UPI apps as having lower security standards compared to well-established third-party platforms. Scammers exploit this perception to encourage money mules to adopt bank apps, fostering an environment where fraudulent activities can occur with a diminished risk of detection.

  • Mitigation of Account Blocking Risk: Scammers are cognizant of the potential consequences of account blocking by popular third-party services. Advising the use of bank applications allows them to strategically lower the risk of account suspension, providing a more sustained opportunity for money mules to execute fraudulent transactions before intervention.

Image Showing encouraging money mules to use Bank UPI apps

  • Reduced Suspicions: Money mules and authorities may be more accustomed to transactions through bank apps, potentially leading to reduced suspicions. Scammers may exploit this familiarity to involve money mules in their fraudulent activities with a lower likelihood of raising alarms.

  • Payout Order Verification via Net Banking: Scammers favor bank apps because the XHelper backend uses the mule's net banking access to receive automated confirmations once a payout order is completed.

Strategies Employed by Money Mules to Bypass Account Freezes

Despite law enforcement efforts and frozen accounts, agents constantly devise methods to circumvent these blockages, enabling money mules to continue their illicit activities. 

Image Showing authoritative notice received by mule

When a mule's UPI is already blocked by PhonePe or Google Pay, they are advised to take specific steps to address the issue:

  • Contact Support Through App: Mules are instructed to contact support through the respective app and create a ticket to unblock the UPI.
  • Provide Business Proof: Once the support executive responds, mules are required to provide business proof, including Udhyam, GST, trade license, and PAN card.
  • Wait for 24 Hours: After submitting the necessary documents, the UPI apps are expected to unblock the UPI within 24 hours.
Mules showing how they can Unblock the blocked UPI

However, if the UPI support apps do not respond or the UPI is not unblocked:

  • Visit the Bank: Mules are advised to go to the bank and request unblocking the UPI. Before doing so, scammers are encouraged to check their daily transaction limit to confirm whether the freeze was due to transaction limits.
  • Use Current Accounts: Current accounts are recommended as they are less prone to freezing compared to savings accounts, which have fewer features and a shorter lifespan.

Training for Bank Customer Support Calls:

  • Bank Customer Support Communication: Mules undergo training to communicate effectively with bank customer support in response to suspicious transactions. When called for security reasons, mules provide information such as their real name (answered with the mule account name), purpose of transactions (sending money to a friend), self-execution of the transaction (answered with yes), transaction method (net banking using IMPS mode), and familiarity with the beneficiary.
  • Verification Process: During bank customer support interactions, mules may encounter questions regarding the amount being transferred, date of birth, and mother's name for verification purposes. It is crucial for mules to respond accurately to maintain the appearance of legitimacy in their transactions.

Mule Agents providing training to mules on how to talk with bank employees

Apply for Merchant VPA:

  • Apply for Merchant VPA: If using a current account or applying for one, mules are advised to visit the bank and apply for a Merchant VPA (Virtual Payment Address). This reduces the chance of UPI getting blocked, as transactions are less likely to be flagged as suspicious.
  • Merchant VPA Application Process: Mules need to visit a branch, express the need for a merchant VPA for their business (e.g., CSC Center, Grocery Wholesale, Auto Parts, Cement Workshop), provide business proof, and fill out the application form for the merchant VPA. Upon submitting all necessary details, the bank will issue the merchant VPA.

Link to a video from Xhelper app's LMS showing how money mules are guided to Bypass Account Freezes is attached here.

Dealing with Cyber Complaints:

  • Visit Home Branch or Nearest Branch: Mules are instructed to go to their home branch or the nearest branch where they hold their bank account.
  • Convince Banker: Attempt to persuade the bank personnel to resolve the issue and lift the freeze on the account.
  • Help Find the Complaint Person: Work towards identifying the individual who lodged the complaint against the mule.
  • Contact Complainant and Negotiate: Reach out to the complainant, discussing the issue and attempting to negotiate a resolution. Propose a settlement and express a willingness to rectify any concerns.
  • Provide Complaint Report and Repay: Present a complaint report to the complainant and repay the claimed amount.

  • Seek NOC: Seek a No Objection Certificate (NOC) after making the repayment.

Screenshots of agents advising mules to pay money and get an NOC from the victim

  • Always Pay Complainant: Emphasize the importance of settling the payment with the complainant to resolve the issue.
  • Submit NOC to Bank: Take the NOC obtained from the complainant to the bank and submit it for verification.
  • Bank Verification and Unfreezing: The bank conducts a verification process and, upon satisfactory results, unfreezes the account.
  • Addressing Unresolved Issues: If the problem persists, explore the possibility of unresolved disputes or larger legal issues.
  • Understanding Borrowing Situations: Mules are informed that complainants may borrow money from cooperative customers and later file complaints about collection amounts.

This narrative is presented to convince mules that their activities are not illegal.

  • Negotiate Settlement: In situations involving disputes, mules are advised to reach a settlement with the complainant.
  • Avoid Arguments with Authorities: Mules are strictly cautioned against arguing with bankers or law enforcement, especially regarding the complaint.

Screenshots from the tutorials shared by the Mule agents 

  • Hiring an Advocate: If needed, mules are advised to engage legal assistance by hiring an advocate to navigate the legal complexities.
  • Never Argue with Authorities: Mules are firmly reminded never to argue with bankers or law enforcement, particularly when it comes to addressing complaints.

Link to a video from Xhelper app's LMS showing how money mules are taught to deal with cyber complaints is attached here

Impact on Banks

  • Financial Losses: Money mule activities can result in financial losses for banks due to fraudulent transactions and compromised accounts.

  • Operational Strain: Banks face operational challenges in monitoring and preventing money mule activities, requiring additional resources for security measures.

  • Technological Risks: The exploitation of money mule app capabilities poses technological risks, potentially compromising the security of banking systems.

  • Customer Trust: Involvement in money mule activities may lead to a loss of customer trust, affecting the bank's reputation and customer relationships.

  • Legal and Compliance Issues: Banks may face legal consequences and regulatory scrutiny, resulting in potential fines and penalties.

  • Transaction Monitoring Costs: Enhanced transaction monitoring to detect and prevent money mule activities can increase operational costs for banks.

  • Resource Allocation: Dealing with the impact of money mule activities requires banks to allocate resources for investigations, security measures, and compliance efforts.

  • International Compliance Challenges: Money mule transactions involving the international flow of funds create challenges for banks in adhering to cross-border regulatory compliance.

Proactive Measures for Strengthening Bank Controls Against Money Mule Activities

  1. Enhance Merchant Account Opening Procedures:
     1. Implement stricter verification protocols to detect forged documents and prevent fraudulent account creation.
     2. Consider utilizing digital identity verification solutions for a more robust process.

  2. Bolster Netbanking Security Measures:
     1. Implement multi-factor authentication (MFA) as mandatory for all netbanking activities, including payment confirmations.
     2. Monitor and flag suspicious activity involving frequent beneficiary additions or changes.
     3. Educate users on the importance of secure practices and phishing prevention.

  3. Address Victim Information Sharing:
     1. Strengthen data privacy protocols to prevent unauthorized access to victim information.
     2. Implement stricter procedures for responding to requests for victim data, prioritizing victim protection.

  4. Leverage External Data for Risk Assessment:
     1. Explore partnerships with social media platforms or other data providers to gather insights for identifying high-risk users.
     2. Develop risk scoring models that integrate external data sources to improve real-time detection of money mule activity.

  5. Integrate Payment Red Flags in Faster Payments:
     1. Collaborate with payment service providers to implement red flag indicators within Faster Payment messages.
     2. Identify suspicious transactions based on pre-defined red flags, such as unusual recipient names, locations, or high-risk payment patterns.

  6. Explore Payment Delays for High-Risk Users:
     1. Investigate the feasibility of introducing short payment delays for identified high-risk users.
     2. Utilize this "cooling-off" period for further verification and potential intervention before funds are transferred.
     3. Carefully consider the potential impact on legitimate transactions and user experience before implementation.
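Two of the measures above (flagging frequent beneficiary additions, and red-flagging the pass-through pattern in which a mule forwards an incoming credit by IMPS/UPI to a newly added corporate account within the roughly 10-minute window described under "Movement of Money From the Mule Account") can be expressed as transaction-monitoring rules. The Python below is an added example written for this article, not CloudSEK's, XHelper's or any bank's code; the log format, thresholds and account names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds; the 10-minute window mirrors the payout cadence the report describes.
PASS_THROUGH_WINDOW = timedelta(minutes=10)   # debit must follow the credit within 10 min
NEW_BENEFICIARY_AGE = timedelta(hours=24)     # beneficiary added less than a day before
MIN_FORWARD_RATIO = 0.9                       # at least 90% of the credit is forwarded
BENEFICIARY_BURST_WINDOW = timedelta(days=1)  # window for counting beneficiary additions
BENEFICIARY_BURST_COUNT = 3                   # this many additions in the window is a burst
FAST_CHANNELS = ("IMPS", "UPI")               # channels the mule app prioritises for payouts


@dataclass
class Txn:
    ts: datetime
    account: str
    direction: str      # "CR" = credit into the account, "DR" = debit out of it
    amount: float
    channel: str        # "IMPS", "UPI", "NEFT", ...
    counterparty: str   # sender for credits, recipient for debits


def parse_log(lines):
    """Parse the constructed pipe-delimited log used here into transactions and
    beneficiary additions; additions are (ts, account, beneficiary) tuples."""
    txns, adds = [], []
    for line in lines:
        f = [x.strip() for x in line.split("|")]
        if len(f) < 4:
            continue  # blank or malformed line
        ts = datetime.strptime(f[0], "%Y-%m-%d %H:%M:%S")
        if f[1] == "TXN" and len(f) == 7:
            txns.append(Txn(ts, f[2], f[3], float(f[4]), f[5], f[6]))
        elif f[1] == "BENEF_ADD" and len(f) == 4:
            adds.append((ts, f[2], f[3]))
    return txns, adds


def detect_pass_through(txns, adds):
    """Credit followed within the window by a fast-channel debit of most of the amount
    to a beneficiary added shortly before. Returns (account, rule, detail) tuples."""
    added_at = {(acct, benef): ts for ts, acct, benef in adds}
    by_acct = {}
    for t in sorted(txns, key=lambda t: t.ts):
        by_acct.setdefault(t.account, []).append(t)
    alerts = []
    for acct, rows in by_acct.items():
        credits = [t for t in rows if t.direction == "CR"]
        debits = [t for t in rows if t.direction == "DR" and t.channel in FAST_CHANNELS]
        for c in credits:
            for d in debits:
                if not (c.ts <= d.ts <= c.ts + PASS_THROUGH_WINDOW):
                    continue
                if d.amount < MIN_FORWARD_RATIO * c.amount:
                    continue
                when = added_at.get((acct, d.counterparty))
                if when is None or d.ts - when > NEW_BENEFICIARY_AGE:
                    continue  # long-standing beneficiary: not the pattern sought here
                mins = (d.ts - c.ts).total_seconds() / 60
                alerts.append((acct, "pass_through",
                               f"{c.amount:.0f} in, {d.amount:.0f} out via {d.channel} "
                               f"to new beneficiary {d.counterparty} after {mins:.0f} min"))
    return alerts


def detect_beneficiary_burst(adds):
    """Several beneficiaries added by one account inside a short window."""
    by_acct = {}
    for ts, acct, _ in adds:
        by_acct.setdefault(acct, []).append(ts)
    alerts = []
    for acct, times in by_acct.items():
        times.sort()
        for i in range(len(times)):
            j = i  # grow a window that starts at addition i
            while j + 1 < len(times) and times[j + 1] - times[i] <= BENEFICIARY_BURST_WINDOW:
                j += 1
            if j - i + 1 >= BENEFICIARY_BURST_COUNT:
                alerts.append((acct, "beneficiary_burst",
                               f"{j - i + 1} beneficiaries added within {BENEFICIARY_BURST_WINDOW}"))
                break  # one alert per account is enough
    return alerts


def flagged_accounts(lines):
    """Map each flagged account to the set of rules it tripped."""
    txns, adds = parse_log(lines)
    flagged = {}
    for acct, rule, _ in detect_pass_through(txns, adds) + detect_beneficiary_burst(adds):
        flagged.setdefault(acct, set()).add(rule)
    return flagged


# Constructed sample log: one mule-like account and one ordinary shop account.
SAMPLE_LOG = [
    "2024-03-01 10:00:00 | BENEF_ADD | ACC-MULE-1 | ACC-CORP-9",
    "2024-03-01 10:05:00 | BENEF_ADD | ACC-MULE-1 | ACC-CORP-10",
    "2024-03-01 10:07:00 | BENEF_ADD | ACC-MULE-1 | ACC-CORP-11",
    "2024-03-01 11:00:00 | TXN | ACC-MULE-1 | CR | 50000 | UPI | victim-a@upi",
    "2024-03-01 11:06:00 | TXN | ACC-MULE-1 | DR | 49500 | IMPS | ACC-CORP-9",
    "2024-03-01 12:00:00 | TXN | ACC-SHOP-2 | CR | 1200 | UPI | customer@upi",
    "2024-03-01 18:30:00 | TXN | ACC-SHOP-2 | DR | 800 | NEFT | supplier-acct",
]
```

Running `flagged_accounts(SAMPLE_LOG)` flags only ACC-MULE-1, on both rules; a real deployment would feed these rule hits into the risk score behind the "cooling-off" delay in measure 6 rather than block on them outright.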

Appendix

App owners posting daily transactions

SMS forwarder used by Agents to forward incoming SMS from mules 

Money mules showing off their incomes to attract more mules


Mule application owners keeping track of the Transaction Flow 

Mules using fake sims to register corporate accounts 

Author

Sparsh Kulshrestha

Sparsh is a Cyber Security Analyst at CloudSEK.

Predict Cyber threats against your organization

Related Posts
Blog Image
October 25, 2024

Uncovering the Lounge Pass Scam Campaign: Targeted Android SMS Stealer Preying on Air Travellers

CloudSEK’s Threat Research Team uncovered a sophisticated scam targeting air travelers at Indian airports. The fraud involves a malicious Android application named Lounge Pass, distributed through fake domains like loungepass.in. This app secretly intercepts and forwards SMS messages from victims’ devices to cybercriminals, resulting in significant financial losses. The investigation revealed that between July and August 2024, over 450 travelers unknowingly installed the fraudulent app, resulting in a reported theft of more than INR 9 lakhs (approx. $11,000). The scammers exploited an exposed Firebase endpoint to store stolen SMS messages. Through domain analysis and passive DNS data, researchers identified several related domains spreading similar APKs. Key recommendations include downloading apps only from official stores, avoiding scanning random QR codes, and never granting SMS access to travel or lounge apps. Travelers should book lounge access through official channels and stay vigilant to protect their personal data. Stay updated on the latest scams and protect your travel data by following these guidelines.

Deepfake Controversy: Scammers Use Deepfakes of Virat Kohli, Anant Ambani to Fraud

CloudSEK’s latest research uncovers a troubling trend involving scammers using deepfake technology to promote fraudulent mobile applications. High-profile individuals, such as Virat Kohli, Anant Ambani, and even international figures like Cristiano Ronaldo and Ryan Reynolds, have been targeted through deepfake videos. These manipulated clips showcase them endorsing a mobile gaming app, luring unsuspecting users into scams. The fraudulent ads leverage the credibility of renowned news channels to enhance their legitimacy, fooling users into downloading harmful applications from fake domains resembling Google Play or Apple App Store. This emerging threat is particularly aimed at the Indian market but extends to other regions like Nigeria, Pakistan, and Southeast Asia. The deceptive gaming apps, designed to siphon money from users, require a minimum deposit, promising quick earnings but leading to significant financial losses. These scams exploit deepfake videos in creative ways to bypass detection, making them even more dangerous. To combat this growing threat, CloudSEK’s Deep Fake Analyzer offers a free solution for the cybersecurity community, helping professionals detect and mitigate the risks posed by manipulated videos, images, and audio. This tool is crucial in safeguarding organizations from deepfake-related scams and fraud. To access the CloudSEK Deep Fake Analyzer, visit https://community.cloudsek.com/

Starhealth Insurance Debacle: Information warfare using fabricated evidence

On 20 September 2024, CloudSEK’s XVigil discovered threat actor “xenZen” selling 7TB of data from Star Health Insurance, impacting over 31 million customers. While the data is confirmed authentic, claims of insider involvement from the company’s CISO appear fabricated.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Adversary Intelligence

7

min read

Shadow Banking in Your Pocket: Exposing Android App Used by Money Mules

CloudSEK's Threat Intelligence (TI) team continued its investigation and has uncovered a network of money mules, posing a significant risk to the Indian banking ecosystem.

Authors
Sparsh Kulshrestha
Sparsh is a Cyber Security Analyst at CloudSEK.
Image Showing Scam Operations Weaponizing Money Mules

Businesses that Automate Money Laundering

Threat actors have crafted a sophisticated application known as XHelper, which functions as a crucial tool for efficiently managing a network of money mules. It serves as the technological backbone for the fake payment gateways used in various scams, such as Pig Butchering, Task scams, Loan scams, E-Commerce scams, and illegal gambling apps. The app is distributed through websites posing as legitimate businesses under the guise of a "Money Transfer Business."

Image Showing Xhelper dashboard

Image showing how threat actors advertise their business

Funds transferred from mule accounts undergo a complex process, reaching threat actors who convert the funds into cryptocurrencies. After deducting their commission, threat actors pay scammers in USDT. Mules also have the option to receive their commissions in USDT. 

The XHelper app offers various features, including a ranking list for mules to track earnings and compete with others. Additionally, the app incorporates a dedicated support system operating through the binding of Telegram accounts to the APK.

While XHelper serves as a concerning example, it's crucial to recognize this is not an isolated incident. CloudSEK's investigations have revealed a growing ecosystem of similar applications facilitating money laundering across various scams.

Dashboards of other apps like XHelper, and these apps being advertised in underground channels

Other apps like Xhelper 

Exclusive Working of XHelper APK

The XHelper app functions as a central hub for malicious money mules, streamlining the execution of illegal financial transactions. Designed for user-friendly operation, the platform simplifies both payout and collection processes, making it an attractive tool for individuals seeking illegitimate profit.

 

Working of Xhelper App

Collection Orders (Passive Role):

  • Collection orders within XHelper involve the acquisition of funds or assets, often through fraudulent activities orchestrated by external actors.
  • Importantly, money mules do not directly participate in collection activities. Instead, they passively receive incoming funds from scammers utilizing the XHelper platform.

Payout Orders (Active Role):

  • Payout orders within XHelper demand the active participation of money mules. These orders mandate the swift transfer of funds to pre-designated accounts within strict timeframes.
  • Essentially, these outgoing transactions from mule accounts to the app operators mark the final stage of the illicit financial cycle facilitated by XHelper.

Onboarding and Initial Setup

  • Money mules begin by entering their net banking and UPI information within the app. This grants the app access to transfer funds directly into their UPI account.
Initial onboarding steps for money mules on the app

Adding banking details is essential for money mules to gain access to the app

Key Operational Instructions for Money Mules during Onboarding 

Pattern of UPI address:

  • The individuals acting as money mules are asked to register UPI in a specific format. The format includes the username of the mule on the app. This is because the app is using these UPI addresses in a programmatic way to assign orders.
Money mules are asked to register UPI in a specific format

Net Banking Credentials

  • In the backend, the app uses net banking to confirm the success of a payout order. Hence money mules are advised to ensure that the net banking credentials they share are correct.
Money mules are advised to ensure correct net banking credentials

  • The individuals acting as money mules are asked to not change the password associated with the net banking.
Image showing how Money Mules are Advised Against Password Change

Link to a video from Xhelper app's LMS, providing Key Operational Instructions for Money Mules during onboarding attached here.

Order Processing Workflow for Money Mules on App

Initiation:

  • Money mules activate order intake within the XHelper app, enabling them to receive and fulfill money laundering tasks.
  • The system automatically assigns orders, potentially based on pre-determined criteria or mule profiles.
Image showing the activate and process order functions in the mule app

Order Processing:

  • Upon receiving a payment order notification, mules review the details (likely containing source, destination, and amount information).
  • Following strict guidelines designed to minimize detection, money mules execute the illicit fund transfer using their linked bank app.
Image showing how money mules use the bank app to minimize detection

Verification and Reward:

  • After completing the transfer, mules capture and upload screenshots as proof of execution, indicating success or error.
  • The XHelper system or designated team automatically verifies the screenshots, streamlining the order validation process.
  • Successful order completion translates to financial rewards within the app, incentivizing continued participation.

         

Image Showing how money mules are rewarded after every successful order completion

Link to a video from Xhelper app's LMS on Order Processing Workflow for Money Mules on App attached here.

Key Operational Instructions for Money Mules while Processing Orders

Transfer of OTP ( One time password):

  • The individuals acting as money mules are presented with two alternatives for submitting a One Time Password (OTP), known as "OTP work" and "No OTP work."
  • In OTP work, the money mule can either manually send the SMS to the Mule to finalize the transaction, or the Mule agent offers an application that automatically forwards SMS for all outgoing transactions.
  • On the other hand, in No OTP work, the money mules alter the mobile number linked to the Mule account to match the agent’s mobile number.

Order Completion Timeframe:

  • Time-Sensitive Rewards: Money mules are incentivized to complete payout orders within a strictly enforced 10-minute window. Faster processing translates to higher commissions and rewards, promoting rapid and potentially reckless transaction behavior.

Bank Account Selection:

  • Matched Bank Application: To avoid raising red flags and incurring potential penalties, mules are instructed to strictly use the bank app corresponding to the assigned order. This implies the app might track or verify linked accounts.
Image Showing how money mules are instructed to strictly use the bank app

Payment Method Prioritization:

  • IMPS/UPI Preference: Based on the order type, the XHelper app prioritizes specific payment methods, likely IMPS or UPI. This suggests potential order variations and targeted use of specific financial channels to obscure transactions.

              

Image showing how money mules are encouraged to add beneficiaries

Recruitment of Money Mules

Money mules, recruited by individuals called "Agents," operate within a network established through multiple Telegram channels. Agents pose as thriving businesses seeking efficient fund management due to a high transaction volume. The recruitment often occurs through personal connections, with recruiters or agents persuading individuals in their social circles. Crucially, these so-called mules show a distinct preference for corporate bank accounts, which typically have higher transaction limits. This strategic choice allows the illicit network to move large sums of money more efficiently, maximizing the potential gains from their criminal activities.

The XHelper app incorporates an invitation feature:

  • Referral System: Agents can invite others to join as agents.
  • Bonuses and Rewards: Referring agents earn bonuses for each successful recruitment.

This referral system follows a pyramid-like structure, fueling mass recruitment of both agents and money mules, amplifying the reach of illicit activities. Agents, in turn, recruit more mules and invite additional agents, perpetuating the growth of this interconnected network.

Inviting process and managing money mule agents by the top level Mule agents 

Image showing how Mule Agents recruit Money Mules on Telegram

Link to a video from Xhelper app's LMS showing money mules referral system attached here.  

 

Training of Money Mules

The Learning Management System (LMS) for the XHelper APK, an app used by cybercriminals to onboard money mules, provides a concerning glimpse into their recruitment and training tactics.

  • Target Audience: Money mules recruited to launder stolen funds using their bank accounts.
  • App Functionality: The XHelper app facilitates uploading bank and UPI details, processing orders (likely money laundering transactions), and withdrawing "earnings."
  • Content Focus:
    • Streamlining the money laundering process (uploading cards, processing orders).
    • Maximizing profits (adding more cards, strategic card usage).
    • Justifying the activity (showcasing success stories, addressing concerns).
    • Overcoming obstacles (handling frozen accounts, exceeding limits).
    • Handling cryptocurrency transactions (using USDT on Binance P2P).
  • Overall Goal: Induce new recruits and equip them to efficiently launder stolen funds through the XHelper app.
LMS on Xhelper app and tutorials shared by the Agents

Movement of Money From the Mule Account

Financial Transactions and Fund Transfer Process:

  • Incoming Funds to Mule Accounts: Mules receive funds in their linked bank accounts through the payment gateway integrated into the XHelper app.

  • Transfer to Corporate Mule Accounts: Mules are mandated to transfer the received funds to specific predetermined corporate mule accounts within a stipulated time frame, typically around 10 minutes. These corporate accounts, controlled by the XHelper application providers, have higher transaction limits.
Mules must quickly transfer received funds to specific corporate accounts within about 10 minutes

Mules transferring the incoming payments to xhelper owned accounts

  • Preventing Accumulation in Mule Accounts: The time-sensitive nature of the fund transfer aims to prevent the accumulation of funds in individual mule accounts. This ensures that the application providers are not defrauded by the mules.

Mules getting paid and punished based on how fast the incoming money is transferred to Xhelper owned accumulator accounts 

  • Transfer Mechanism to Application Providers: Funds transferred from mule accounts are directed to dedicated accounts provided by the threat actors or application providers. These accounts are added as beneficiaries by the mules for performing IMPS transactions, enabling swift and controlled fund transfers.

Mules are instructed to add dedicated accounts as beneficiaries for controlled transactions

  • Crypto Conversion and Commission Deduction: The funds transferred out from the mule accounts are sent to threat actors, who subsequently convert this money into cryptocurrencies. After deducting their commission, threat actors remunerate scammers in USDT, a stablecoin pegged to the US Dollar.

  • Mule Commissions in USDT: Mules, as active participants in the illicit financial operations, have the option to receive their commissions in USDT. This adds a layer of anonymity to the transactions, as cryptocurrencies provide a degree of privacy.

Mule agents offering to pay the commissions in USDT and INR

Link to a video from Xhelper app's LMS showing movement of money from the mule account attached here.
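The fund movement described in this section (an inbound credit, then a near-equal IMPS debit to a recently added beneficiary within roughly 10 minutes, repeated order after order) is a pattern a bank's own transaction monitoring can score for. The following is an added example written for this page, not code from the report or from XHelper; the ledger records, the field names and every threshold except the 10-minute window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    account: str
    ts: datetime
    direction: str       # "credit" = money in, "debit" = money out
    amount: float
    channel: str         # e.g. "UPI", "IMPS" (field names are assumptions)
    counterparty: str    # payer VPA on a credit, beneficiary id on a debit


@dataclass(frozen=True)
class BeneficiaryAdd:
    account: str
    ts: datetime
    beneficiary: str


# The report states payout orders must be forwarded within about 10 minutes;
# every other threshold here is an assumption made for this example.
FORWARD_WINDOW = timedelta(minutes=10)
NEW_BENEFICIARY_AGE = timedelta(hours=24)
MIN_FORWARD_FRACTION = 0.9      # the debit must carry >= 90% of the credit
MIN_CREDITS = 3                 # ignore accounts with too little history
MIN_PASS_THROUGH_RATIO = 0.75


def match_pass_through(txns: List[Txn], window: timedelta = FORWARD_WINDOW) -> List[Tuple[Txn, Txn]]:
    """Pair each credit with the first later debit, inside `window`, that forwards
    at least MIN_FORWARD_FRACTION of the credited amount. Each debit is used once."""
    ordered = sorted(txns, key=lambda t: t.ts)
    used, pairs = set(), []
    for i, credit in enumerate(ordered):
        if credit.direction != "credit":
            continue
        for j in range(i + 1, len(ordered)):
            debit = ordered[j]
            if debit.ts - credit.ts > window:
                break                       # everything after this is outside the window
            if (debit.direction == "debit" and j not in used
                    and debit.amount >= MIN_FORWARD_FRACTION * credit.amount):
                used.add(j)
                pairs.append((credit, debit))
                break
    return pairs


def debits_to_new_beneficiaries(txns: List[Txn], adds: List[BeneficiaryAdd],
                                max_age: timedelta = NEW_BENEFICIARY_AGE) -> int:
    """Count debits sent to a beneficiary that was added less than `max_age` earlier."""
    added_at: Dict[str, datetime] = {a.beneficiary: a.ts for a in adds}
    count = 0
    for t in txns:
        added = added_at.get(t.counterparty) if t.direction == "debit" else None
        if added is not None and timedelta(0) <= t.ts - added <= max_age:
            count += 1
    return count


def score_account(account: str, txns: List[Txn], adds: List[BeneficiaryAdd]) -> dict:
    """Summarise one account's pass-through behaviour and apply the flag rule."""
    acct_txns = [t for t in txns if t.account == account]
    acct_adds = [a for a in adds if a.account == account]
    credits = [t for t in acct_txns if t.direction == "credit"]
    pairs = match_pass_through(acct_txns)
    ratio = len(pairs) / len(credits) if credits else 0.0
    new_bene = debits_to_new_beneficiaries(acct_txns, acct_adds)
    flagged = (len(credits) >= MIN_CREDITS and ratio >= MIN_PASS_THROUGH_RATIO
               and new_bene > 0)
    return {"credits": len(credits), "forwarded_within_window": len(pairs),
            "pass_through_ratio": ratio, "debits_to_new_beneficiaries": new_bene,
            "flagged": flagged}


def sample_ledger() -> Tuple[List[Txn], List[BeneficiaryAdd]]:
    """Constructed sample data: M001 behaves like a mule account, S001 like a salary account."""
    def at(day: int, hour: int, minute: int) -> datetime:
        return datetime(2024, 3, day, hour, minute)
    txns = [
        # M001: four inbound UPI credits, each forwarded by IMPS within 10 minutes
        Txn("M001", at(1, 9, 0), "credit", 4500.00, "UPI", "payer1@upi"),
        Txn("M001", at(1, 9, 6), "debit", 4500.00, "IMPS", "CORP-ACC-1"),
        Txn("M001", at(1, 9, 30), "credit", 12000.00, "UPI", "payer2@upi"),
        Txn("M001", at(1, 9, 37), "debit", 12000.00, "IMPS", "CORP-ACC-1"),
        Txn("M001", at(1, 10, 15), "credit", 7250.00, "UPI", "payer3@upi"),
        Txn("M001", at(1, 10, 19), "debit", 7250.00, "IMPS", "CORP-ACC-1"),
        Txn("M001", at(1, 11, 0), "credit", 3000.00, "UPI", "payer4@upi"),
        Txn("M001", at(1, 11, 9), "debit", 3000.00, "IMPS", "CORP-ACC-1"),
        # S001: one salary credit, rent paid two days later to a long-standing beneficiary
        Txn("S001", at(1, 9, 0), "credit", 85000.00, "NEFT", "EMPLOYER-PAYROLL"),
        Txn("S001", at(3, 10, 0), "debit", 18000.00, "IMPS", "LANDLORD-ACC"),
    ]
    adds = [
        BeneficiaryAdd("M001", at(1, 8, 0), "CORP-ACC-1"),                # added an hour before first use
        BeneficiaryAdd("S001", datetime(2023, 12, 1, 12, 0), "LANDLORD-ACC"),
    ]
    return txns, adds


def run_example() -> Dict[str, dict]:
    txns, adds = sample_ledger()
    return {acct: score_account(acct, txns, adds) for acct in ("M001", "S001")}
```

Run against the constructed ledger, M001 shows four credits, all forwarded within the window to a beneficiary added an hour earlier, and is flagged; S001 has one credit, no forwarding and no new beneficiary, and is not. In production the same three signals (time-to-forward, forwarded fraction, age of the beneficiary at first use) would be computed per account over a rolling window rather than over a static list.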

Earnings of Money Mules on App

The app employs a hierarchical structure for mules: new mules are initially limited to adding up to 2 banks, and mules can raise that limit by leveling up based on their performance, unlocking additional commissions and benefits.



Username        Total Income
shahbaz         12,714,545.27
Register26      12,536,179.90
Ranjan1982      12,199,516.30
Shailendar      10,123,620.57
Rakamsingh       9,461,049.48
zycorp01         8,080,689.07
Narshima         6,378,690.46
koushik8016      6,242,319.87
Arpanadevi       6,049,542.31
RAMKABIR77       5,577,885.92

App Hierarchy for Mules Unlocking More Banks, Commissions, and Benefits with Performance Levels

Daily Earnings of Money Mules on App


Mule Agents showing proofs of the amount of money that flows through each agent 

 

Link to a video from Xhelper app's LMS showing how mules can earn money within the app by adding an additional bank account attached here.

How Money Mules Open Fake Corporate and Merchant Accounts 

Agents and money mules demonstrate a distinct preference for corporate and merchant bank accounts. This preference is driven by the higher transaction limits associated with corporate accounts. Corporate accounts offer greater flexibility, enabling the processing of larger sums of money. The allure of these accounts lies in their capacity to accommodate substantial transactions, making them particularly attractive for the illicit activities conducted through the money mule network.

The XHelper app provides LMS training for money mules on opening corporate/merchant accounts. The process involves:

  1. Obtaining necessary documents:
  • Business name with proprietorship
  • Business location
  • Form C (advising to consult a CA)
  • Verifying the need for a GST certificate with the bank, suggesting consulting a CA if required (takes up to 4 days)
Necessary documents required for opening corporate accounts

  2. Registering KYC Aadhar card and PAN card with suggested small-scale businesses (e.g., XYZ enterprise, XYZ computer services, XYZ shop and stop).
KYC registration with small-scale businesses is suggested for money mules

  3. Submitting all prepared documents to the bank, with recommended banks provided by XHelper.

Recommended banks suggested by the XHelper app

  4. Instructing money mules to inform bank executives about specific requirements for app access:
  • CMS
  • Bulk payment option
  • VPA
Instructing money mules to inform bank executives about specific requirements while creating a corporate bank account

  5. Emphasizing the potential for high daily income by uploading their corporate account information to the app.

Besides the guidance provided by Xhelper training, money mules and agents also purchase accounts with higher limits, equipped with net banking and MQR, through Telegram.

Link to a video from Xhelper app's LMS showing how money mules are taught to open fake corporate and merchant accounts within the app is attached here.

Sensitive source contacted agents selling bank accounts with higher limit 

Why Money Mule Apps Favor Bank-Specific UPI Applications

  • Stealthy Transactions: Bank UPI apps provide scammers with a platform for conducting transactions discreetly, mitigating the risk of immediate detection or suspicion by leveraging the relative lack of visibility associated with bank-specific platforms.

  • Bypassing Third-Party Monitoring: The choice of bank UPI apps allows scammers to circumvent potential monitoring mechanisms associated with popular third-party applications. This avoidance of third-party oversight enhances the scammers' ability to involve money mules in unauthorized transactions without triggering immediate alerts or security measures.

  • Perceived Lower Security Standards: Money mules may perceive bank-specific UPI apps as having lower security standards compared to well-established third-party platforms. Scammers exploit this perception to encourage money mules to adopt bank apps, fostering an environment where fraudulent activities can occur with a diminished risk of detection.

  • Mitigation of Account Blocking Risk: Scammers are cognizant of the potential consequences of account blocking by popular third-party services. Advising the use of bank applications allows them to strategically lower the risk of account suspension, providing a more sustained opportunity for money mules to execute fraudulent transactions before intervention.

Image showing how money mules are encouraged to use bank UPI apps

  • Reduced Suspicions: Money mules and authorities may be more accustomed to transactions through bank apps, potentially leading to reduced suspicions. Scammers may exploit this familiarity to involve money mules in their fraudulent activities with a lower likelihood of raising alarms.

  • Payout Order Verification via Net Banking: Scammers favor bank apps because they utilize net banking to receive automated confirmations upon the completion of payout orders.

Strategies Employed by Money Mules to Bypass Account Freezes

Despite law enforcement efforts and frozen accounts, agents constantly devise methods to circumvent these blockages, enabling money mules to continue their illicit activities. 

Image Showing authoritative notice received by mule

When a mule's UPI is already blocked by PhonePe or Google Pay, they are advised to take specific steps to address the issue:

  • Contact Support Through App: Mules are instructed to contact support through the respective app and create a ticket to unblock the UPI.
  • Provide Business Proof: Once the support executive responds, mules are required to provide business proof, including Udhyam, GST, trade license, and PAN card.
  • Wait for 24 Hours: After submitting the necessary documents, the UPI apps are expected to unblock the UPI within 24 hours.
Money mules showing how they can unblock a blocked UPI

However, if the UPI support apps do not respond or the UPI is not unblocked:

  • Visit the Bank: Mules are advised to go to the bank and request unblocking the UPI. Before doing so, scammers are encouraged to check their daily transaction limit to confirm whether the freeze was due to transaction limits.
  • Use Current Accounts: Current accounts are recommended as they are less prone to freezing compared to savings accounts, which have fewer features and a shorter lifespan.

Training for Bank Customer Support Calls:

  • Bank Customer Support Communication: Mules undergo training to communicate effectively with bank customer support in response to suspicious transactions. When called for security reasons, mules provide information such as their real name (answered with the mule account name), purpose of transactions (sending money to a friend), self-execution of the transaction (answered with yes), transaction method (net banking using IMPS mode), and familiarity with the beneficiary.
  • Verification Process: During bank customer support interactions, mules may encounter questions regarding the amount being transferred, date of birth, and mother's name for verification purposes. It is crucial for mules to respond accurately to maintain the appearance of legitimacy in their transactions.

Mule Agents providing training to mules on how to talk with bank employees

Apply for Merchant VPA:

  • Apply for Merchant VPA: If using a current account or applying for one, mules are advised to visit the bank and apply for a Merchant VPA (Virtual Payment Address). This reduces the chance of UPI getting blocked, as transactions are less likely to be flagged as suspicious.
  • Merchant VPA Application Process: Mules need to visit a branch, express the need for a merchant VPA for their business (e.g., CSC Center, Grocery Wholesale, Auto Parts, Cement Workshop), provide business proof, and fill out the application form for the merchant VPA. Upon submitting all necessary details, the bank will issue the merchant VPA.

Link to a video from Xhelper app's LMS showing how money mules are guided to Bypass Account Freezes is attached here.

Dealing with Cyber Complaints:

  • Visit Home Branch or Nearest Branch: Mules are instructed to go to their home branch or the nearest branch where they hold their bank account.
  • Convince Banker: Attempt to persuade the bank personnel to resolve the issue and lift the freeze on the account.
  • Help Find the Complaint Person: Work towards identifying the individual who lodged the complaint against the mule.
  • Contact Complainant and Negotiate: Reach out to the complainant, discussing the issue and attempting to negotiate a resolution. Propose a settlement and express a willingness to rectify any concerns.
  • Provide Complaint Report and Repay: Present a complaint report to the complainant and repay the claimed amount.

  • Seek NOC: Seek a No Objection Certificate (NOC) after making the repayment.

Screenshots of agents advising mules to pay money and get an NOC from the victim

  • Always Pay Complainant: Emphasize the importance of settling the payment with the complainant to resolve the issue.
  • Submit NOC to Bank: Take the NOC obtained from the complainant to the bank and submit it for verification.
  • Bank Verification and Unfreezing: The bank conducts a verification process and, upon satisfactory results, unfreezes the account.
  • Addressing Unresolved Issues: If the problem persists, explore the possibility of unresolved disputes or larger legal issues.
  • Understanding Borrowing Situations: Mules are informed that complainants may borrow money from cooperative customers and later file complaints about collection amounts.

This narrative is presented to convince mules that their activities are not illegal.

  • Negotiate Settlement: In situations involving disputes, mules are advised to reach a settlement with the complainant.
  • Avoid Arguments with Authorities: Mules are strictly cautioned against arguing with bankers or law enforcement, especially regarding the complaint.

Screenshots from the tutorials shared by the Mule agents 

  • Hiring an Advocate: If needed, mules are advised to engage legal assistance by hiring an advocate to navigate the legal complexities.
  • Never Argue with Authorities: Mules are firmly reminded never to argue with bankers or law enforcement, particularly when it comes to addressing complaints.

Link to a video from Xhelper app's LMS showing how money mules are taught to deal with cyber complaints is attached here

Impact on Banks

  • Financial Losses: Money mule activities can result in financial losses for banks due to fraudulent transactions and compromised accounts.

  • Operational Strain: Banks face operational challenges in monitoring and preventing money mule activities, requiring additional resources for security measures.

  • Technological Risks: The exploitation of money mule app capabilities poses technological risks, potentially compromising the security of banking systems.

  • Customer Trust: Involvement in money mule activities may lead to a loss of customer trust, affecting the bank's reputation and customer relationships.

  • Legal and Compliance Issues: Banks may face legal consequences and regulatory scrutiny, resulting in potential fines and penalties.

  • Transaction Monitoring Costs: Enhanced transaction monitoring to detect and prevent money mule activities can increase operational costs for banks.

  • Resource Allocation: Dealing with the impact of money mule activities requires banks to allocate resources for investigations, security measures, and compliance efforts.

  • International Compliance Challenges: Money mule transactions involving the international flow of funds create challenges for banks in adhering to cross-border regulatory compliance.

Proactive Measures for Strengthening Bank Controls Against Money Mule Activities

  1. Enhance Merchant Account Opening Procedures:
    1. Implement stricter verification protocols to detect forged documents and prevent fraudulent account creation.
    2. Consider utilizing digital identity verification solutions for a more robust process.

  2. Bolster Netbanking Security Measures:
    1. Implement multi-factor authentication (MFA) as mandatory for all netbanking activities, including payment confirmations.
    2. Monitor and flag suspicious activity involving frequent beneficiary additions or changes.
    3. Educate users on the importance of secure practices and phishing prevention.

  3. Address Victim Information Sharing:
    1. Strengthen data privacy protocols to prevent unauthorized access to victim information.
    2. Implement stricter procedures for responding to requests for victim data, prioritizing victim protection.

  4. Leverage External Data for Risk Assessment:
    1. Explore partnerships with social media platforms or other data providers to gather insights for identifying high-risk users.
    2. Develop risk scoring models that integrate external data sources to improve real-time detection of money mule activity.

  5. Integrate Payment Red Flags in Faster Payments:
    1. Collaborate with payment service providers to implement red flag indicators within Faster Payment messages.
    2. Identify suspicious transactions based on pre-defined red flags, such as unusual recipient names, locations, or high-risk payment patterns.

  6. Explore Payment Delays for High-Risk Users:
    1. Investigate the feasibility of introducing short payment delays for identified high-risk users.
    2. Utilize this "cooling-off" period for further verification and potential intervention before funds are transferred.
    3. Carefully consider the potential impact on legitimate transactions and user experience before implementation.
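As an added illustration of the netbanking MFA, beneficiary-monitoring, payment red-flag and cooling-off measures listed above, the following decision logic is example code written for this page, not a CloudSEK or bank implementation. The thresholds, the 0-100 risk score (assumed to come from a separate risk-scoring model fed by external data) and the sample accounts are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed parameters: the report recommends these controls but fixes no numbers.
NEW_BENEFICIARY_AGE = timedelta(hours=24)    # beneficiary added less than a day ago
ADD_VELOCITY_WINDOW = timedelta(days=7)
MAX_ADDS_IN_WINDOW = 3                       # three or more additions in a week
HIGH_RISK_SCORE = 70                         # 0-100 score from a separate risk model
COOLING_OFF = timedelta(minutes=30)


@dataclass
class AccountProfile:
    account: str
    risk_score: int                          # assumed output of a risk-scoring model
    beneficiary_added_at: Dict[str, datetime]


@dataclass
class Payment:
    account: str
    beneficiary: str
    amount: float
    channel: str                             # "NETBANKING" or "MOBILE_APP"
    ts: datetime
    mfa_verified: bool                       # did the user complete MFA for this confirmation?


@dataclass
class Decision:
    action: str                              # ALLOW, STEP_UP_MFA, DELAY or REVIEW
    flags: List[str]
    release_at: Optional[datetime] = None    # set only for DELAY


def red_flags(p: Payment, prof: AccountProfile) -> List[str]:
    """Red flags evaluated on a single outgoing payment before it is released."""
    flags = []
    added = prof.beneficiary_added_at.get(p.beneficiary)
    if added is not None and timedelta(0) <= p.ts - added <= NEW_BENEFICIARY_AGE:
        flags.append("new_beneficiary")
    recent = [t for t in prof.beneficiary_added_at.values()
              if timedelta(0) <= p.ts - t <= ADD_VELOCITY_WINDOW]
    if len(recent) >= MAX_ADDS_IN_WINDOW:
        flags.append("beneficiary_add_velocity")
    if prof.risk_score >= HIGH_RISK_SCORE:
        flags.append("high_risk_user")
    return flags


def decide(p: Payment, prof: AccountProfile) -> Decision:
    flags = red_flags(p, prof)
    # Netbanking payment confirmations always require MFA, before anything else.
    if p.channel == "NETBANKING" and not p.mfa_verified:
        return Decision("STEP_UP_MFA", flags)
    # A high-risk user who also trips another red flag goes to manual review.
    if "high_risk_user" in flags and len(flags) >= 2:
        return Decision("REVIEW", flags)
    # Any single red flag buys a cooling-off period for further verification.
    if flags:
        return Decision("DELAY", flags, release_at=p.ts + COOLING_OFF)
    return Decision("ALLOW", flags)


def demo_decisions() -> Dict[str, Decision]:
    """Constructed scenarios; none of these accounts or scores come from the report."""
    now = datetime(2024, 3, 5, 14, 0)
    risky = AccountProfile("ACC-RISKY", 85, {
        "BENE-A": now - timedelta(hours=2),
        "BENE-B": now - timedelta(days=1),
        "BENE-C": now - timedelta(days=3),
    })
    ordinary = AccountProfile("ACC-ORDINARY", 10, {"LANDLORD": now - timedelta(days=90)})
    first_time = AccountProfile("ACC-NEWBENE", 20, {"PLUMBER": now - timedelta(hours=1)})
    return {
        "risky_no_mfa": decide(Payment("ACC-RISKY", "BENE-A", 9500.0, "NETBANKING", now, False), risky),
        "risky_with_mfa": decide(Payment("ACC-RISKY", "BENE-A", 9500.0, "NETBANKING", now, True), risky),
        "ordinary_rent": decide(Payment("ACC-ORDINARY", "LANDLORD", 18000.0, "MOBILE_APP", now, True), ordinary),
        "new_beneficiary_only": decide(Payment("ACC-NEWBENE", "PLUMBER", 2500.0, "MOBILE_APP", now, True), first_time),
    }
```

The ordering of the rules is the design point: the MFA step-up comes first so that no risk decision is taken on an unauthenticated confirmation, a high-risk account with a second signal is held for a person rather than merely delayed, and a lone new-beneficiary flag on an otherwise ordinary account only costs a short cooling-off period, which is where the impact on legitimate users is lowest.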

Appendix

App owners posting daily transactions

SMS forwarder used by Agents to forward incoming SMS from mules 

Money mules showing off their incomes to attract more mules

 

Mule application owners keeping track of the Transaction Flow 

Mules using fake sims to register corporate accounts