Authored by ZePeng Chen
Lately, we recognized an lively Android phishing marketing campaign focusing on Indian customers. The attackers impersonate a authorities electrical energy subsidy service to lure victims into putting in a malicious app. Along with stealing monetary data, the malicious app additionally steals textual content messages, makes use of the contaminated system to ship smishing messages to consumer’s contact checklist, will be remotely managed utilizing Firebase and phishing web site and malware was hosted in GitHub. This assault chain leverages YouTube movies, a pretend government-like web site, and a GitHub-hosted APK file—forming a well-orchestrated social engineering operation. The marketing campaign includes pretend subsidy guarantees, consumer information theft, and remote-control functionalities, posing a considerable risk to consumer privateness and monetary safety.
McAfee, as a part of the App Protection Alliance dedicated to defending customers and the app ecosystem, reported the recognized malicious apps to Google. Consequently, Google blocked the related FCM account to stop additional abuse. McAfee additionally reported the GitHub-hosted repository to GitHub Developer Help Staff, which took motion and already eliminated it from GitHub. McAfee Cell Safety detects these malicious purposes as a high-risk risk. For extra data, and to get absolutely protected, go to McAfee Cell Safety.
Background
The Authorities of India has authorised the PM Surya Ghar: Muft Bijli Yojana on twenty ninth February, 2024 to extend the share of photo voltaic rooftop capability and empower residential households to generate their very own electrical energy. The scheme gives for a subsidy of 60% of the photo voltaic unit value for methods as much as 2kW capability and 40 p.c of extra system value for methods between 2 to 3kW capability. The subsidy has been capped at 3kW capability. The shopper has to register on the Nationwide Portal. This must be accomplished by deciding on the state and the electrical energy distribution firm. Scammers use this subsidy exercise to create phishing web sites and pretend purposes, stealing the checking account data of customers who wish to apply for this subsidy.
Technical Findings
Distribution Strategies
This phishing operation unfolds in a number of levels:
- YouTube Video Lure: The attackers add promotional movies claiming customers can obtain “authorities electrical energy subsidies” by way of a cell app. A shortened URL is included within the video description to encourage customers to click on.
Determine 1. YouTube video selling the phishing URL
2. Phishing Web site Imitation: The shortened URL redirects to a phishing web site hosted on GitHub. it designed to intently resemble an official Indian authorities portal.
Determine 2. Phishing and official web site
The phishing website has a pretend registration course of instruction, as soon as the customers imagine this introduction, they won’t have any doubts concerning the following processes. The phishing website additionally has a pretend Google Play icon, making customers imagine it’s a Google Play app, however in actuality, the icon factors to an APK file on GitHub. When victims click on the Google Play icon, it’ll obtain the APK from GitHub repository as an alternative of accessing Google Play App Retailer.
3. GitHub-Hosted APK and Phishing web page
Each the phishing website supply and the APK file are hosted on the identical GitHub repository—more likely to bypass safety detection and seem extra official. The repository exercise reveals that this malicious app has been constantly developed since October 2024, with frequent updates noticed in current weeks.
Determine 3. Malware repository in GitHub
Set up with out community
The downloaded APK isn’t the principle malicious element. As an alternative, it accommodates an embedded APK file at property/app.apk, which is the precise malware. The preliminary APK serves solely to put in the embedded one. Throughout set up, customers are deceived into believing they’re putting in a “safety replace” and are prompted to disable cell information or Wi-Fi, more likely to cut back the effectiveness of malware detection options that use detection applied sciences within the cloud. However McAfee continues to be capable of detect this risk in offline mode
Determine 4. Set up a malicious APK with out a community
In line with the set up directions, a malicious utility will probably be put in. There are 2 purposes which are put in on gadgets.
- PMBY – The preliminary APK, it’s used to put in PMMBY.
- PMMBY – Malware APK, it’s put in beneath the guise of “Safe Replace“
Determine 5. Software names and icons.
Malware evaluation
PMMBY is an utility that truly carries out malicious conduct—let’s delve into the concrete particulars of the way it accomplishes this.
It requests aggressive permission when it’s launched.
- READ_CONTACTS – Learn contacts checklist
- CALL_PHONE – Make/handle telephone calls
- READ_SMS, SEND_SMS – View and ship SMS messages
- Notification entry – For spamming or masking malicious actions
Determine 6. Aggressive permissions request
Pretend UI and Registration Course of
As soon as permissions are granted, the app shows a pretend electrical energy supplier choice display screen. The message “To Get 300 Unit Free Each Month Please Choose Your Electrical energy Supplier From Under And Proceed” is proven in English and Hindi to immediate customers to pick their supplier.
Determine 7. “SELECT YOUR PROVIDER” Exercise
After deciding on a supplier, the app presents a pretend registration kind asking for the consumer’s telephone quantity and a ₹1 fee to “generate a registration token.”
Determine 8. Registration Type
On this stage, malware creates a background activity to ship a https request to https[://]rebrand[.]ly/dclinkto2. The response textual content is https[://]sqcepo[.]replit[.]app/gate[.]html,https[://]sqcepo[.]replit[.]app/addsm[.]php. The string is cut up as 2 URLs.
- UPI PIN URL – https[://]sqcepo[.]replit[.]app/gate[.]html. It is going to be utilized in “ENTER UPI PIN” course of. When malware makes use of this URL, “gate.html” will probably be change with“gate.hml”, so the loaded URL is https[://]sqcepo[.]replit[.]app/gate[.]htm.
- SMS Uploaded URL – https[://]sqcepo[.]replit[.]app/addsm[.]php. SMS incoming messages are uploaded to this URL.
Determine 9. dclinkto2 request
Within the stage of ”MAKE PAYMENT of ₹ 1“,victims are requested to make use of “UPI-Lite” app to finish the fee. Within the “UPI-Lite” exercise, victims enter the financial institution UPI PIN code.
Determine 10. The method of “ENTER UPI PIN”
UPI Credential Theft
UPI-Lite exercise is a pretend HTML-based kind from https[://]sqcepo[.]replit[.]app/gate[.]htm.
As soon as submitted, the telephone quantity, financial institution particulars, and UPI PIN are uploaded to https[://]sqcepo[.]replit[.]app/addup.php. After the attacker obtains this data, they’ll steal cash out of your checking account.
Determine 11. Publish consumer’s banker data.
Malware Background Behaviors
Along with stealing the monetary and banking data from the consumer, the malware can be capable of ship distribution itself by sending a phishing message to the sufferer’s contact checklist, stealing consumer’s textual content messages in all probability to intercept 2FA codes and will be remotely managed through Firebase.
- Ship mass phishing SMS messages to Indian customers from the victims’ contacts checklist.
Determine 12. Ship Phishing SMS message.
- Add SMS message to Server.
Malware has requested view SMS permission when it’s launched. When it receives the incoming SMS message, it handles the message and posts under information to distant server(https[://]sqcepo[.]replit[.]app/addsm[.]php).
- senderNum: The telephone variety of ship the incoming message.
- Message: The incoming SMS message.
- Slot: Which SIM Slot to obtain the message
- Gadget rand: A random quantity was created through the first run to establish the system.
Determine 13. Publish Incoming SMS message
- Firebase as a Command Channel.
Attackers use FCM(Firebase Cloud Messaging) to ship instructions to manage gadgets. In line with the _type worth, malware executes completely different instructions.
Table1. Instructions from FCM message
Determine 14. Instructions from FCM message
Suggestions
To guard towards such refined assaults, customers and defenders ought to take the next precautions:
- Keep away from downloading apps from unofficial web sites:
Particularly these providing advantages like subsidies, rewards, or monetary support. - Be cautious of apps that require disabling community connections:
That is usually a crimson flag used to evade real-time antivirus scanning. - Rigorously evaluate app permissions:
Apps requesting contact entry, SMS learn/ship or name permissions—with out clear motive—must be handled as suspicious. - Use safety software program with SMS safety:
Allow permission alerts and use respected cell safety apps to detect irregular app conduct. McAfee’s Rip-off Detector as a further safety for the smishing half.
Cybercriminals are utilizing related themes like vitality subsidies to trick customers into offering monetary data. This marketing campaign demonstrates an built-in and stealthy assault chain. YouTube is used to distribute phishing hyperlink, GitHub is a dependable and legit web site to utilizing it to each distribute malicious APKs and serve phishing web sites make it harder to establish and take it down, and malware authors can remotely replace the phishing textual content messages to be more practical in tricking customers into putting in the malware through Firebase Cloud Messaging (FCM). With its self-propagation capabilities, monetary information theft, and remote-control features, it poses a severe danger. We are going to proceed to watch this risk, monitor rising variants, and coordinate with related platforms to report and assist take down related infrastructure.
Indicators of Compromise (IOCs)
