<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Nabil Thange</title>
    <description>The latest articles on DEV Community by Nabil Thange (@nabil_thange).</description>
    <link>https://dev.to/nabil_thange</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3571349%2F6907f97f-a5d8-4c3e-8325-13709384f65f.jpg</url>
      <title>DEV Community: Nabil Thange</title>
      <link>https://dev.to/nabil_thange</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/nabil_thange"/>
    <language>en</language>
    <item>
      <title>CyberShield: How We Built an AI-Powered Banking Malware Intelligence Platform for India's Public Sector Banks</title>
      <dc:creator>Nabil Thange</dc:creator>
      <pubDate>Sun, 07 Jun 2026 07:19:41 +0000</pubDate>
      <link>https://dev.to/nabil_thange/cybershield-how-we-built-an-ai-powered-banking-malware-intelligence-platform-for-indias-public-i6</link>
      <guid>https://dev.to/nabil_thange/cybershield-how-we-built-an-ai-powered-banking-malware-intelligence-platform-for-indias-public-i6</guid>
      <description>&lt;p&gt;&lt;em&gt;My journey through HackHazards 2026.&lt;/em&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  The Problem Nobody Was Solving Fast Enough
&lt;/h2&gt;

&lt;p&gt;Every day, thousands of Indians receive a WhatsApp message with a link. "Update your SBI KYC." "Claim your bank reward points." "Your account will be suspended."&lt;/p&gt;

&lt;p&gt;Some click. An APK downloads. And somewhere in a server farm, a criminal now has access to their OTP, their banking credentials, their life savings.&lt;/p&gt;

&lt;p&gt;This is not hypothetical. Drinik, a banking trojan that specifically targeted 18 Indian financial institutions including the State Bank of India, infected victims by masquerading as the Income Tax Department's official app. It used Android's Accessibility Services to invisibly log keystrokes, suppress OTP notifications, and drain accounts — all while the victim saw nothing unusual on their screen.&lt;/p&gt;

&lt;p&gt;When a bank's fraud team discovers a new suspicious APK circulating on WhatsApp, what happens? They hand it to a cybersecurity expert. That expert spends &lt;strong&gt;one to three days&lt;/strong&gt; manually decompiling the code, reading through obfuscated Java, tracing network calls, and writing a report. By the time the report lands on a SOC analyst's desk, hundreds of customers may already be compromised.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;That three-day gap is exactly what we built CyberShield to close.&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  What We're Actually Building (And What We're Not)
&lt;/h2&gt;

&lt;p&gt;Before going further, let's be honest about scope — because hackathon projects often promise the moon.&lt;/p&gt;

&lt;p&gt;CyberShield is &lt;strong&gt;not&lt;/strong&gt; a consumer antivirus. It is not competing with Google Play Protect or Bitdefender. We are not trying to scan every app on every phone in India.&lt;/p&gt;

&lt;p&gt;What CyberShield &lt;strong&gt;is&lt;/strong&gt;: an AI-powered malware intelligence platform built specifically for the Security Operations Centers of Indian public sector banks. The primary user is a fraud analyst or SOC analyst at a bank who needs to answer one urgent question — &lt;em&gt;"Is this APK that's circulating among our customers dangerous, and what should we do right now?"&lt;/em&gt; — in minutes, not days.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Architecture: Eight Tools, One Brain
&lt;/h2&gt;

&lt;p&gt;The core insight of our system is that no single analysis tool is sufficient. Modern banking trojans are designed to fool individual scanners. They pack their payload, obfuscate their strings, and use legitimate-looking permissions. The only way to reliably catch them is to triangulate across multiple independent analysis dimensions and look for the patterns that only emerge when you see all the evidence together.&lt;/p&gt;

&lt;p&gt;Our backend pipeline chains eight specialized tools:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;MobSF&lt;/strong&gt; is our primary orchestrator. It performs static analysis on the APK — extracting permissions, API calls, certificate information, and network security configurations. A legitimate SBI app uses a verifiable Extended Validation certificate. A fake one uses a self-signed cert. MobSF catches that immediately.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;JADX&lt;/strong&gt; decompiles the DEX bytecode back into readable Java source code. This is where we look for things like &lt;code&gt;DexClassLoader&lt;/code&gt; (the app is secretly loading a second malicious app), &lt;code&gt;@JavascriptInterface&lt;/code&gt; (a WebView is being used to render a fake phishing login page), or USSD strings like &lt;code&gt;*21*#&lt;/code&gt; (the app is programmatically forwarding your phone calls to the attacker, so they intercept your voice OTP).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Quark Engine&lt;/strong&gt; is our behavioral analysis layer. Rather than just looking at what permissions are declared, Quark traces API call sequences and verifies — with mathematical certainty at Stage 5 confidence — whether &lt;code&gt;READ_SMS&lt;/code&gt; and an HTTP upload function are operating on the exact same variable. If they are, that's not coincidence. That's OTP theft.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;APKiD&lt;/strong&gt; fingerprints the binary itself. It tells us whether the APK was compiled normally or if it was decompiled, injected with malicious code, and repacked. The presence of &lt;code&gt;dexlib 2.x&lt;/code&gt; in the compiler field is a red flag: it means a legitimate banking app was trojanized and redistributed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;APKLeaks&lt;/strong&gt; hunts for secrets baked into the code — Telegram Bot tokens (increasingly used by malware to exfiltrate stolen OTPs in real time), Firebase database URLs, hardcoded API keys, and IP addresses pointing to command-and-control servers.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Androguard&lt;/strong&gt; goes deeper into the DEX structure, building cross-reference graphs. It can verify whether a declared &lt;code&gt;BIND_ACCESSIBILITY_SERVICE&lt;/code&gt; actually connects through the code to functions that read screen content — the difference between an accessibility app for disabled users and a banking trojan.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Custom Strings Analyzer&lt;/strong&gt; and &lt;strong&gt;Custom Manifest Analyzer&lt;/strong&gt; are our regional intelligence layers. Standard tools don't flag Hindi-language strings like "Aadhaar link karein" or "PAN card update." We do. These are the social engineering hooks that trick Indian users into granting permissions. The manifest analyzer also detects apps that deliberately hide themselves from the launcher (no &lt;code&gt;LAUNCHER&lt;/code&gt; category) to achieve silent, persistent operation.&lt;/p&gt;

&lt;p&gt;All eight tool outputs feed into our &lt;strong&gt;Correlation Engine&lt;/strong&gt; — a deterministic rule system that evaluates 17 cross-tool patterns. No single signal fires an alert alone. We require convergent evidence. Rule 3, for example, fires only when: the manifest requests &lt;code&gt;SYSTEM_ALERT_WINDOW&lt;/code&gt; &lt;em&gt;and&lt;/em&gt; APKLeaks finds a Telegram Bot token &lt;em&gt;and&lt;/em&gt; Quark confirms SMS capture at Stage 5 confidence. That specific combination means one thing: a Telegram-backed overlay trojan stealing OTPs. Zero ambiguity.&lt;/p&gt;




&lt;h2&gt;
  
  
  The AI Layer: Making It Readable for a Fraud Analyst
&lt;/h2&gt;

&lt;p&gt;Raw JSON from eight security tools is not useful to a bank fraud analyst. They're not malware researchers. They're financial professionals who need to make fast decisions.&lt;/p&gt;

&lt;p&gt;This is where Generative AI becomes genuinely transformative in our stack — not as a gimmick, but as a translation layer.&lt;/p&gt;

&lt;p&gt;After the deterministic engine computes its confidence score and fires its rules, we pass a structured summary to an LLM with a carefully designed system prompt:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;"You are a senior malware analyst embedded in a bank's Security Operations Center. Your audience is a fraud analyst at an Indian public sector bank. Always contextualize findings in terms of risk to banking customers — OTP interception, credential theft, unauthorized transfers. End every explanation with a 'Recommended Action' line that tells the bank what to do right now, concretely and specifically."&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;The output is a human-readable &lt;strong&gt;Threat Brief&lt;/strong&gt; that explains, in plain language: what this APK does, what banking customers are at risk, how it evades detection, and what the bank should do immediately — block specific IP ranges, force password resets for customers who may have installed it, alert the I4C (Indian Cyber Crime Coordination Centre), or push a fraud alert to affected account holders.&lt;/p&gt;

&lt;p&gt;The AI doesn't replace the deterministic engine. It annotates it. The engine catches the threat; the AI explains it to the person who needs to act on it.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Bank Dashboard: What Judges Will Actually See
&lt;/h2&gt;

&lt;p&gt;The main product interface is a SOC dashboard designed for a bank's security team. It shows:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;A live feed of analyzed APKs with risk scores (0–100) and threat classifications&lt;/li&gt;
&lt;li&gt;AI-generated threat briefs in plain English for every scan&lt;/li&gt;
&lt;li&gt;MITRE ATT&amp;amp;CK technique mappings for each detected behavior&lt;/li&gt;
&lt;li&gt;Extracted indicators of compromise — suspicious domains, IP addresses, Telegram bot IDs, Firebase URLs&lt;/li&gt;
&lt;li&gt;Campaign clustering (when multiple APKs share infrastructure, they're likely from the same threat actor)&lt;/li&gt;
&lt;li&gt;Actionable recommendations specific to the bank's context&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The upload flow is simple: drag an APK, watch nine analysis stages complete in real time, get a full intelligence report. What used to take a skilled analyst three days now takes the platform three to seven minutes.&lt;/p&gt;




&lt;h2&gt;
  
  
  The Malware Intake Layer: How APKs Get In
&lt;/h2&gt;

&lt;p&gt;A bank's SOC doesn't proactively hunt for malware APKs. They learn about them when customers call in complaints, when fraud alerts fire, or when their threat intelligence feeds pick something up.&lt;/p&gt;

&lt;p&gt;We designed CyberShield with multiple intake vectors. The primary one is direct upload through the dashboard. The secondary — and strategically important — one is a WhatsApp-based submission channel. A bank can publicize a number that customers and employees forward suspicious APKs or links to. The bot automatically routes received files into the analysis pipeline, creating a crowdsourced threat intelligence feed that grows more powerful as more people use it.&lt;/p&gt;

&lt;p&gt;This turns the bank's customer base into an early warning network. When a new fake "SBI KYC Update" APK starts circulating, the first customers who receive it and get suspicious can forward it. The bank's SOC gets an alert within minutes rather than days.&lt;/p&gt;




&lt;h2&gt;
  
  
  Technical Stack
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Backend:&lt;/strong&gt; Python/FastAPI, running the full eight-tool analysis pipeline. Analysis is scheduled asynchronously via FastAPI's BackgroundTasks, so uploads return immediately and processing continues in the background.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Analysis Tools:&lt;/strong&gt; MobSF (local instance), JADX, Quark Engine, APKiD, APKLeaks, Androguard, custom string/manifest analyzers — all orchestrated through subprocess calls and Python bindings.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Intelligence Engine:&lt;/strong&gt; Custom Python correlation engine with 17 deterministic rules, a ConfidenceCalculator with weighted scoring, and an AttackChainBuilder that maps findings to the MITRE ATT&amp;amp;CK for Mobile framework.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AI Layer:&lt;/strong&gt; Claude API / Groq endpoint for threat brief generation and interactive SOC analyst explanations, with section-specific prompting for permissions, network indicators, behavioral rules, and MITRE mappings.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Code Intelligence (GitNexus):&lt;/strong&gt; A TypeScript RAG system using tree-sitter-java to parse decompiled code, embed it with &lt;code&gt;snowflake-arctic-embed-xs&lt;/code&gt; via ONNX Runtime, and serve semantic + keyword hybrid search (BM25 + vector, merged via Reciprocal Rank Fusion) for deep code investigation.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Frontend:&lt;/strong&gt; Next.js 16, React 19, Tailwind CSS. Four main views: Dashboard, Upload, Live Progress tracking, and Detailed Report.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Report Storage:&lt;/strong&gt; JSON files on filesystem (filesystem-native for hackathon scale; PostgreSQL migration path planned).&lt;/p&gt;




&lt;h2&gt;
  
  
  Challenges We Actually Faced
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;The obfuscation problem.&lt;/strong&gt; Modern banking trojans are specifically engineered to defeat static analysis. APKiD might tell us a file is packed with a commercial packer — but JADX then can't decompile the inner payload. Our correlation engine accounts for this: a packing detection alone raises suspicion, and we route heavily obfuscated APKs with a higher base risk score. Full dynamic sandbox analysis is on the roadmap.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;False positives in APKLeaks.&lt;/strong&gt; APKLeaks uses broad regex patterns and generates enormous amounts of noise — legitimate analytics domains, UUIDs, library constants. We had to build a filtering layer that cross-references extracted indicators against known-good lists and only surfaces the ones that appear alongside other corroborating signals.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The "one tool isn't enough" problem.&lt;/strong&gt; Early in development we were tempted to just wrap MobSF with a GPT call and call it done. That would have been useless in production. A sophisticated banking trojan scores fine on MobSF in isolation. It's only when you combine APKiD's "this was repackaged" signal with Androguard's "the certificate CN claims to be SBI but is self-signed" signal with JADX's "this code implements a TextWatcher listening for SBI's package name" signal that the full picture of a targeted trojan emerges. Building the correlation engine to express these relationships correctly was the hardest and most important part of this project.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Making it legible to non-security people.&lt;/strong&gt; The prompting work to get the AI to write threat briefs that are genuinely useful to a fraud analyst — not full of jargon, grounded in specific banking operations context, ending with concrete action — took significant iteration. The system prompt anchoring the AI as a "senior malware analyst embedded in a bank's SOC" turned out to be crucial. Without that framing, explanations were generic. With it, they were operationally specific.&lt;/p&gt;




&lt;h2&gt;
  
  
  Why This Matters for India Specifically
&lt;/h2&gt;

&lt;p&gt;India's banking sector faces a uniquely intense mobile malware threat. The combination of rapid smartphone adoption, UPI-based payment infrastructure, widespread use of SMS OTPs as the primary 2FA mechanism, and a large population that may be less familiar with mobile security hygiene creates an exceptionally high-value target for threat actors.&lt;/p&gt;

&lt;p&gt;The Drinik trojan specifically targeted 18 Indian banks. Fake apps impersonating SBI, ICICI, and other institutions circulate constantly on WhatsApp and Telegram. The government's own CERT-In has issued repeated advisories about banking trojans targeting Indian users.&lt;/p&gt;

&lt;p&gt;Public sector banks — exactly the institutions this hackathon is designed to support — often have fewer dedicated cybersecurity resources than private sector peers. A tool that can dramatically reduce the analyst time required per APK investigation, while also being operable by fraud team members who aren't malware experts, has direct impact on their capacity to protect customers.&lt;/p&gt;

&lt;p&gt;CyberShield is built specifically for this context. The regional signals (Hindi-language phishing strings, USSD call-forwarding codes, Aadhaar/PAN lures, fake government app impersonation), the SOC-analyst-friendly output, the WhatsApp intake channel — all of it is designed for the specific reality of banking security operations in India in 2026.&lt;/p&gt;




&lt;h2&gt;
  
  
  What's Next
&lt;/h2&gt;

&lt;p&gt;The deterministic correlation engine we've built covers the known taxonomy of banking trojans well. The honest frontier is dynamic analysis — actually running suspicious APKs in an instrumented Android sandbox and watching what they do at runtime. Static analysis, however sophisticated, has inherent limits against packed and obfuscated malware. Dynamic analysis breaks through those limits. That's the next major engineering investment.&lt;/p&gt;

&lt;p&gt;We're also working on malware family clustering — using the IOCs and behavioral signatures extracted from each analysis to group related APKs, map campaigns, and build threat actor profiles. When five different fake banking apps all phone home to the same Firebase instance, that's a campaign. Banks should know about campaigns, not just individual files.&lt;/p&gt;

&lt;p&gt;The vision is a shared threat intelligence network across public sector banks — where an APK submitted to one bank's CyberShield instance enriches the threat intelligence available to all participating banks. Malware campaigns don't respect organizational boundaries. Threat intelligence shouldn't either.&lt;/p&gt;




&lt;h2&gt;
  
  
  Closing Thought
&lt;/h2&gt;

&lt;p&gt;The gap between when a banking malware campaign begins and when a bank can act against it is measured in human suffering — customers who lose savings, elderly people who can't recover money drained by invisible trojans, small business owners whose accounts are emptied.&lt;/p&gt;

&lt;p&gt;We built CyberShield because that gap is not technically inevitable. It exists because the right tools hadn't been assembled in the right way for the people who need them. The technology to close it — static analysis, behavioral correlation, generative AI explanation — all existed. We just had to put it together correctly and aim it at the right problem.&lt;/p&gt;

&lt;p&gt;That's what this hackathon is for.&lt;/p&gt;




</description>
      <category>ai</category>
      <category>android</category>
      <category>cybersecurity</category>
      <category>showdev</category>
    </item>
    <item>
      <title>I built an AI tutor with persistent memory in 6 hours — here's how</title>
      <dc:creator>Nabil Thange</dc:creator>
      <pubDate>Fri, 20 Mar 2026 15:20:19 +0000</pubDate>
      <link>https://dev.to/nabil_thange/i-built-an-ai-tutor-with-persistent-memory-in-6-hours-heres-how-3npo</link>
      <guid>https://dev.to/nabil_thange/i-built-an-ai-tutor-with-persistent-memory-in-6-hours-heres-how-3npo</guid>
      <description>&lt;h1&gt;
  
  
  I built an AI tutor with persistent memory in 6 hours — here's how
&lt;/h1&gt;

&lt;p&gt;Every study app I've used has the same problem.&lt;/p&gt;

&lt;p&gt;Open it on Monday. It helps you. Close it.&lt;/p&gt;

&lt;p&gt;Open it on Thursday. It has &lt;strong&gt;no idea who you are.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Same generic suggestions. Same random quiz topics. No memory of the fact that you failed recursion questions three times this week.&lt;/p&gt;

&lt;p&gt;So for this hackathon — theme: &lt;em&gt;AI Agents That Learn Using Hindsight&lt;/em&gt; — we built &lt;strong&gt;Sage.&lt;/strong&gt; An AI tutor that actually remembers you.&lt;/p&gt;




&lt;h2&gt;
  
  
  What Sage does
&lt;/h2&gt;

&lt;p&gt;You upload your syllabus PDF. Sage reads it, extracts every subject and chapter, and asks you what you already know. Then it generates a personalised study plan built around your actual weak areas — not a template.&lt;/p&gt;

&lt;p&gt;Every time you:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Take a quiz and get something wrong&lt;/li&gt;
&lt;li&gt;Ask the AI to re-explain a concept&lt;/li&gt;
&lt;li&gt;Tell the planner you have an exam coming up&lt;/li&gt;
&lt;li&gt;Finish a Pomodoro session&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;...Sage writes that to memory. Forever.&lt;/p&gt;

&lt;p&gt;Come back three days later? The AI opens with:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;"Welcome back. Last session you struggled with VSWR. Your IOT exam is in 4 days. Want to pick up from there?"&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;That's not a chat history trick. That's a persistent memory system.&lt;/p&gt;




&lt;h2&gt;
  
  
  The tech that makes it possible — Hindsight
&lt;/h2&gt;

&lt;p&gt;The memory layer is powered by &lt;strong&gt;&lt;a href="https://hindsight.vectorize.io/" rel="noopener noreferrer"&gt;Hindsight&lt;/a&gt;&lt;/strong&gt; by Vectorize.&lt;/p&gt;

&lt;p&gt;Hindsight isn't just a key-value store. When you call &lt;code&gt;retain()&lt;/code&gt;, it uses an LLM internally to extract facts, entities, and temporal data — then classifies them into &lt;strong&gt;4 memory types:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;World&lt;/strong&gt; — objective facts ("IOT exam is March 28")&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Experiences&lt;/strong&gt; — what actually happened ("scored 4/10 on quiz, failed VSWR")&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Observations&lt;/strong&gt; — patterns it auto-synthesises ("user consistently fails application questions")&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Opinions&lt;/strong&gt; — beliefs with confidence scores ("needs more practice: 0.91 confidence")&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;And &lt;code&gt;reflect()&lt;/code&gt; reasons &lt;em&gt;across&lt;/em&gt; all of these to generate insights like:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;"Strong in theory. Consistently weak in numerical and application problems."&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;This is what makes Sage feel like a real tutor — not just a chatbot.&lt;/p&gt;




&lt;h2&gt;
  
  
  Architecture
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;User → Next.js frontend
         ↓
/api/planner/chat   → recall() from Hindsight → Groq with memory context
/api/mentor/chat    → recall() + syllabus text → Groq → personalised teaching
/api/memory/retain  → Hindsight retain() on every meaningful interaction
/api/memory/reflect → Hindsight reflect() for insights + Memory Panel
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Stack:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Next.js 14&lt;/strong&gt; (App Router)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Groq&lt;/strong&gt; — qwen3-32b, fast, with a free tier&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Hindsight Cloud&lt;/strong&gt; — persistent per-user memory banks&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;shadcn/ui + Tailwind&lt;/strong&gt; — dark-themed component library&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;pdf-parse&lt;/strong&gt; — server-side syllabus extraction&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  The Memory Panel — making invisible AI visible
&lt;/h2&gt;

&lt;p&gt;The coolest thing we built wasn't the chat. It was the &lt;strong&gt;🧠 Memory Panel.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;One click and you see everything the AI knows about you — grouped by type, with confidence scores on opinions, and a live &lt;code&gt;reflect()&lt;/code&gt; summary at the top:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;🌍 World
   BTech CSE Sem 3. IOT exam March 28.

🎯 Experiences
   Scored 4/10 on IOT quiz. Failed: VSWR, antenna gain.

🔍 Observations (auto-synthesised)
   Fails application questions consistently across 3 sessions.

💭 Opinions
   Needs IOT application practice — 0.91 confidence
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This screen alone makes it obvious that the AI is &lt;em&gt;actually learning&lt;/em&gt; — not just replying to prompts.&lt;/p&gt;




&lt;h2&gt;
  
  
  What we learned
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;1. Hindsight's &lt;code&gt;reflect()&lt;/code&gt; is the killer feature.&lt;/strong&gt; It's not retrieval — it's synthesis. The AI forming its own opinions about a student's learning patterns is something no RAG pipeline gives you.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2. Build memory-first, UI second.&lt;/strong&gt; We wired Hindsight in the first hour. Every feature we built after that automatically had memory context. If you add memory last, you have to retrofit everything.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3. The "return visit" moment is your demo.&lt;/strong&gt; Log out, log back in, watch the AI greet you with context from days ago. That's the moment that makes people go &lt;em&gt;"wait, this is actually different."&lt;/em&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  What's next for Sage
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;NotebookLM MCP integration for Studio outputs (audio overview, infographic, slide deck)&lt;/li&gt;
&lt;li&gt;Real Supabase persistence for test history and proficiency tracking&lt;/li&gt;
&lt;li&gt;Smarter pre-test adaptive questioning&lt;/li&gt;
&lt;/ul&gt;




&lt;p&gt;Built in 6 hours at a hackathon. Theme: &lt;strong&gt;AI Agents That Learn Using Hindsight.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If you're building anything with persistent AI memory — check out &lt;a href="https://hindsight.vectorize.io/" rel="noopener noreferrer"&gt;Hindsight&lt;/a&gt;. It's genuinely different from standard RAG.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Code dropping soon. Follow for updates.&lt;/em&gt;&lt;/p&gt;




</description>
      <category>agents</category>
      <category>ai</category>
      <category>learning</category>
      <category>showdev</category>
    </item>
    <item>
      <title>🚀 Building Vyx: An AI Content Engine with the Kiro IDE</title>
      <dc:creator>Nabil Thange</dc:creator>
      <pubDate>Fri, 05 Dec 2025 12:00:24 +0000</pubDate>
      <link>https://dev.to/nabil_thange/building-vyx-an-ai-content-engine-with-the-kiro-ide-d9a</link>
      <guid>https://dev.to/nabil_thange/building-vyx-an-ai-content-engine-with-the-kiro-ide-d9a</guid>
      <description>&lt;h1&gt;
  
  
  🚀 Building Vyx: An AI Content Engine with the Kiro IDE
&lt;/h1&gt;

&lt;p&gt;By &lt;strong&gt;Nabil Salim Thange&lt;/strong&gt; | &lt;a href="http://nabil-thange.vercel.app/" rel="noopener noreferrer"&gt;Portfolio: http://nabil-thange.vercel.app/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The content creation world is drowning in manual labor. We realized that even with dozens of AI tools, creators were spending 15-20 hours a week just repurposing a single YouTube video for different platforms.&lt;/p&gt;

&lt;p&gt;That’s why we built &lt;strong&gt;Vyx&lt;/strong&gt;, an AI engine that converts any video URL into a complete, platform-optimized content package (blogs, social posts, viral clips) in under 10 minutes.&lt;/p&gt;

&lt;p&gt;This project was complex, requiring the orchestration of multiple asynchronous microservices (Next.js, Groq, N8N, FFmpeg). But thanks to the &lt;strong&gt;Kiro IDE&lt;/strong&gt;, we handled this complexity and drastically reduced our development time.&lt;/p&gt;




&lt;h2&gt;
  
  
  What is Vyx? The Solution to the Content Bottleneck
&lt;/h2&gt;

&lt;p&gt;Vyx is a dual-pipeline system designed for creators and marketers:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Content Repurposing Pipeline (Pipeline A):&lt;/strong&gt; Takes the YouTube transcript and runs it through a &lt;strong&gt;5-step AI pipeline (Llama 3.3 70B)&lt;/strong&gt; to generate a complete suite of content:

&lt;ul&gt;
&lt;li&gt;Optimized blog posts (800-1200 words).&lt;/li&gt;
&lt;li&gt;Platform-specific social posts (LinkedIn, X, Instagram) with custom aspect ratio images.&lt;/li&gt;
&lt;li&gt;Content is scored for &lt;strong&gt;Virality and Usefulness&lt;/strong&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Viral Clip Generation Pipeline (Pipeline B):&lt;/strong&gt; Uses &lt;strong&gt;FFmpeg&lt;/strong&gt; and &lt;strong&gt;yt-dlp&lt;/strong&gt; to download the video, identifies the top 3-5 viral moments using AI, crops them to the &lt;strong&gt;9:16 vertical format&lt;/strong&gt;, and burns in subtitles.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The challenge wasn't just the AI; it was managing the infrastructure for instant content, complex processing, and multi-service orchestration.&lt;/p&gt;




&lt;h2&gt;
  
  
  🛠️ How Kiro Revolutionized Our Development Workflow
&lt;/h2&gt;

&lt;p&gt;Developing Vyx on the &lt;strong&gt;Kiro IDE&lt;/strong&gt; was essential for two primary reasons: &lt;strong&gt;enforcing structure&lt;/strong&gt; and enabling &lt;strong&gt;complex multimedia processing&lt;/strong&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Spec-Driven Development Eliminated Vibe Coding
&lt;/h3&gt;

&lt;p&gt;The project’s architecture, managing multiple asynchronous service integrations (Next.js for the frontend/API, N8N for orchestration, Groq for AI logic, Pollinations.ai for instant images), was intricate.&lt;/p&gt;

&lt;p&gt;Instead of getting lost in "vibe coding," Kiro allowed us to immediately transition from our &lt;strong&gt;Implementation Plan and PRD&lt;/strong&gt; into concrete, working code.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Clarity from the Start:&lt;/strong&gt; By defining the input and output for each module in the spec, Kiro was able to build a reliable &lt;strong&gt;N8N workflow structure&lt;/strong&gt; for the backend microservices, which drastically reduced integration bugs.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Focus on Logic:&lt;/strong&gt; Kiro handled all the boilerplate for the Next.js/Tailwind setup, allowing us to spend 95% of our time focusing on optimizing the 5-step AI pipeline and refining the viral detection logic.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  2. The MCP Unlocked Multimedia Capabilities
&lt;/h3&gt;

&lt;p&gt;The most critical feature—the &lt;strong&gt;Viral Clip Generation Pipeline (B)&lt;/strong&gt;—relied heavily on non-standard binary tools: &lt;code&gt;yt-dlp&lt;/code&gt; for downloading and &lt;strong&gt;FFmpeg&lt;/strong&gt; for video manipulation.&lt;/p&gt;

&lt;p&gt;This is where the &lt;strong&gt;Master Control Program (MCP)&lt;/strong&gt; feature of Kiro was a game-changer:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Native Tool Integration:&lt;/strong&gt; We extended Kiro’s capabilities to understand and orchestrate &lt;code&gt;yt-dlp&lt;/code&gt; and &lt;code&gt;FFmpeg&lt;/code&gt; commands.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Complex Workflow Solved:&lt;/strong&gt; Kiro was able to stitch together a workflow that downloaded the video, identified timestamps via the AI, and then reliably executed the necessary &lt;strong&gt;FFmpeg commands&lt;/strong&gt; to crop the video to 9:16 and burn in subtitles with precise timing.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Without the MCP, building a reliable, automated video processing pipeline would have been nearly impossible or prohibitively time-consuming.&lt;/p&gt;




&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;Vyx is proof that AI orchestration, powered by the right development environment, can solve real, multi-dimensional business problems. The structural enforcement of &lt;strong&gt;Spec-Driven Development&lt;/strong&gt; and the power of the &lt;strong&gt;MCP&lt;/strong&gt; allowed us to build a complete, production-ready AI content engine in record time.&lt;/p&gt;

&lt;p&gt;Kiro didn't just write code; it structured a complex technical project, enabling us (Nabil Salim Thange and team) to successfully launch a full-stack solution.&lt;/p&gt;

&lt;p&gt;If you’re building a complex project with multiple integrations, I highly recommend exploring how &lt;strong&gt;Kiro IDE&lt;/strong&gt; can streamline your workflow.&lt;/p&gt;


</description>
      <category>kiro</category>
      <category>contentcreation</category>
      <category>ai</category>
      <category>content</category>
    </item>
  </channel>
</rss>
