‘Polymorphic malware,’ new headache for Karnataka cyber police; victims lost Rs 2,900 crore in 2024

Traditional security systems rely on recognizing fixed patterns, but polymorphic malware hides its identity by modifying its code, encrypting itself, or scrambling its structure.
Home Minister G Parameshwara at the Cybercrime Investigation Summit-2025 in Bengaluru on Saturday. (Photo | Express)

BENGALURU: While Karnataka ramped up its fight against cybercrime by appointing 16 cyber technicians, fraudsters have found new ways to stay ahead. Cybercriminals are now using ‘polymorphic malware,’ malicious code that constantly alters its own form to evade detection. This evolving threat has made it even harder for investigators to crack cybercrime cases: of the 20,092 cases in 2024, only 1,248 were detected (solved), in a year when victims lost nearly Rs 2,900 crore to cybercrime.

Unlike traditional malware, polymorphic malware, which police officials call a ‘digital chameleon’, keeps changing its form as it spreads. This makes it difficult for antivirus programs to detect: every time it infects a new device, it looks different from before.


To keep up with cybercrime, Karnataka, the first state to establish a cybercrime police station, is now planning to upgrade its Forensic Science Laboratory (FSL) with the latest tools.

Since 2019, the state has trained 176 judicial officers and 984 police personnel, while 3,799 other officials have undergone online training. Despite these efforts, the biggest challenge in detecting cybercrime lies in outdated cybersecurity tools.

Currently, the state relies on “signature-based cybersecurity systems,” which function like a police database that can only identify known criminals. These systems detect threats by comparing files against a stored list of virus “signatures”, unique patterns of previously identified malware. Only if a match is found does the system block the threat. Cybercriminals, however, now use malware built to defeat this approach, such as polymorphic malware, whose signature changes with every copy.

‘Same methods can’t be always applied’

A senior Cybercrime, Economic offences, and Narcotics (CEN) official told The New Indian Express that many assume that if the police can solve one cybercrime case, they can easily solve the others as long as they are reported on time.

However, each case is a challenge, and the same methods cannot always be applied.

“Most of the cases detected so far have been due to human errors made by the criminals themselves. Some fraudsters reuse email addresses or IP addresses, leaving digital footprints that allow police to track them. However, generally cybercriminals constantly change these details,” the officer said.

Why polymorphic malware is a challenge

Explaining polymorphic malware, the official said fraudsters disguise it just as they do any other virus, as a seemingly legitimate file, and deliver it through phishing emails, fake software downloads, or malicious website links that trick users into clicking on it. Once the malware is executed, it immediately starts changing its code, ensuring that antivirus programs fail to recognize it. Unlike regular viruses, which have a fixed structure, polymorphic malware rewrites itself each time it spreads.

Once inside, the malware first encrypts itself, scrambling its code into an unreadable format so that security software cannot identify it, sometimes even injecting extra, meaningless lines of code just to appear different, further confusing detection systems.
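The official's description matches the textbook mechanism, with one caveat a defender relies on: an encrypted body cannot run until the sample's own stub decrypts it, so a tool that inspects what the file turns into (or what it does once running) sees the same body in every generation, however different the bytes on disk look. The Python script below is a constructed illustration added to this article, not code from the Karnataka police, the FSL or any security product. It builds several "generations" of an inert sample (a plain marker string, never executable code) under a fresh XOR key with random do-nothing padding, shows that a hash-and-pattern signature database catches only the generation it already holds, and shows that a check on the decrypted content catches all of them. The file layout, the junk byte list and the PAYLOAD text are assumptions of the toy.

```python
"""Toy model of 'signature database vs polymorphic sample'.
Constructed example added to this article; not police, FSL or vendor code.
The 'payload' is an inert marker string, so nothing here is harmful."""
import hashlib
import random

# Inert stand-in for the malware body. A real sample re-encrypts its code on
# every copy; here the body is plain text so the script stays harmless.
PAYLOAD = b"CONSTRUCTED-INERT-PAYLOAD: same body in every generation"
PAYLOAD_MARKER = b"CONSTRUCTED-INERT-PAYLOAD"

# Do-nothing x86 byte sequences a polymorphic engine pads its decryptor with
# (NOP; XCHG EAX,EAX; MOV EAX,EAX). None contains 0x00, which the toy file
# format below uses as the separator between padding and key. (Assumption.)
JUNK_OPS = [b"\x90", b"\x87\xc0", b"\x89\xc0"]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def xor_bytes(data: bytes, key: int) -> bytes:
    # Single-byte XOR is symmetric: the same call encrypts and decrypts.
    return bytes(b ^ key for b in data)


def build_variant(rng: random.Random, key: int) -> bytes:
    """One 'generation' of the sample: random junk, a 0x00 separator, the
    one-byte key, then the body encrypted under that key.
    Same behaviour every time, different bytes every time."""
    junk = b"".join(rng.choice(JUNK_OPS) for _ in range(rng.randrange(0, 8)))
    return junk + b"\x00" + bytes([key]) + xor_bytes(PAYLOAD, key)


def unpack(sample: bytes) -> bytes:
    """Do what the sample's own decryptor stub does at run time: skip the junk,
    read the key, decrypt the body. A behaviour/emulation check inspects this."""
    sep = sample.index(b"\x00")
    key = sample[sep + 1]
    return xor_bytes(sample[sep + 2:], key)


def static_signature_match(sample: bytes, hash_db: set, pattern_db: list) -> bool:
    """The 'police database' model from the article: match on a stored file
    hash or on a byte pattern lifted from a previously analysed sample."""
    return sha256(sample) in hash_db or any(p in sample for p in pattern_db)


def decoded_content_match(sample: bytes, marker_db: list) -> bool:
    """Match on what the sample turns into, not on how it looks on disk."""
    try:
        body = unpack(sample)
    except (ValueError, IndexError):
        return False
    return any(m in body for m in marker_db)


def run_demo(seed: int = 7, generations: int = 6) -> dict:
    rng = random.Random(seed)
    keys = rng.sample(range(1, 256), generations)   # distinct key per generation
    variants = [build_variant(rng, k) for k in keys]

    # An analyst captured generation 0 and stored its hash plus a 16-byte
    # pattern from its (encrypted) body, exactly as a signature DB would.
    hash_db = {sha256(variants[0])}
    pattern_db = [variants[0][-16:]]

    static_hits = sum(static_signature_match(v, hash_db, pattern_db) for v in variants)
    decoded_hits = sum(decoded_content_match(v, [PAYLOAD_MARKER]) for v in variants)

    return {
        "generations": generations,
        "all_bytes_distinct": len(set(variants)) == generations,
        "all_decrypt_to_same_body": all(unpack(v) == PAYLOAD for v in variants),
        "static_signature_hits": static_hits,   # only the generation already in the DB
        "decoded_content_hits": decoded_hits,   # every generation
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the script prints one static-signature hit against six decoded-content hits. In practice the "unpack" step is performed by an emulator or sandbox that runs the sample's own stub rather than by knowing the format in advance, which is why behaviour-based tools are slower and costlier than a signature lookup, and why a signature-only deployment is the gap the article describes.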

The malware then activates keylogging tools, which silently record everything the user types, including passwords, credit card details, and banking credentials.

In some cases, it redirects users to fake banking websites, where victims unknowingly enter their login details, handing them over to hackers. Once the criminals obtain this information, they can transfer funds, make unauthorized purchases, or even lock users out of their accounts.

In addition to financial theft, polymorphic malware often spreads within a network, infecting multiple devices. Every time it moves to a new system, it alters its structure again, ensuring that even if one version is detected, the next version remains undetected. Some variants also operate as ‘fileless malware,’ running entirely in the computer’s memory instead of being stored on the hard drive, making removal even more difficult, the officer said.

By the time security tools realise what has happened, the malware erases its tracks or self-destructs, leaving no trace behind.

The New Indian Express
www.newindianexpress.com