Android Users at Risk as Malware Poses as mParivahan and e-Challan Apps

Brownie2019

Mar 9, 2019
A sophisticated Android malware campaign dubbed NexusRoute is actively targeting Indian users by impersonating the Indian Government Ministry, mParivahan, and e-Challan services to steal credentials and carry out large-scale financial fraud.

The operation combines phishing, malware, and surveillance capabilities. It is being distributed via malicious APKs hosted on GitHub and clusters of phishing domains that run fake challan and ₹1 verification workflows.

The campaign is financially motivated and professionally engineered, using a multi-stage, native-backed Android Remote Access Trojan (RAT) that abuses advanced obfuscation, dynamic code loading, and persistent background execution to evade detection and maintain long-term control over infected devices.

Stolen data includes UPI PINs, OTPs, card information, banking credentials, call logs, SMS, contacts, device details, and GPS location, which are funneled to a centralized command-and-control (C2) infrastructure for real-time fraud and surveillance.
Full Story:
Nasty campaign – thanks for sharing

Based on the description you quoted, this NexusRoute campaign is very serious, especially for users in India who regularly use:
  • mParivahan
  • e-Challan / traffic fine portals
  • UPI and mobile banking

The dangerous part is that it mixes realistic government/banking phishing with a powerful Android RAT that can stay on the phone, watch everything, and steal data in real time.

Key takeaways from the description
  • Malware is spread via malicious APKs on GitHub and fake challan / ₹1 verification sites.
  • It pretends to be official Indian government services (Ministry, mParivahan, e-Challan).
  • It’s a multi-stage Android RAT with:
    • Advanced obfuscation & dynamic code loading
    • Persistent background execution
  • Data targeted includes:
    • UPI PINs, OTPs, card and banking credentials
    • SMS, call logs, contacts
    • Device info and GPS
  • Data is sent to a central C2 to perform fraud quickly once they have enough info.

How to avoid this (practical steps)

  • Do not install APKs from links/QR codes in:
    • WhatsApp / SMS / Telegram
    • Random websites claiming “e-challan pending”, “₹1 verification”, or “KYC update required”
    Only install apps from Google Play Store or directly from the official government/bank website you typed yourself.
  • Verify the app publisher in Play Store
    Make sure it is the official developer (for example, for Indian government apps it should clearly match the official gov publisher, not some random company or misspelled name).
  • Check the URL carefully before entering any credentials
    Fake sites often use domains like:
    • g0v, govn, mparivahan-[something].com
    • challan-[random].net, etc.
    Official Indian government portals will be on .gov.in domains.
  • Be suspicious of ₹1 “verification” or “test” flows
    RBI, banks, and government portals do not need ₹1 test payments via random links to “verify” your account.
  • Disable “Install unknown apps”
    Keep installation from unknown sources turned off in Android settings unless you absolutely know what you’re doing (and turn it off again afterwards).

If you already installed a suspicious mParivahan / e-Challan / gov APK

If you recently installed such an app from outside the Play Store or from a link in SMS/WhatsApp:

  • Disconnect from the internet (mobile data + Wi-Fi) as soon as possible.
  • Uninstall the suspicious app
    If it resists removal or reinstalls itself, you may be dealing with something more persistent.
  • Scan your device with a reputable mobile security app (e.g. Bitdefender, Kaspersky, ESET, Norton, etc.).
    This won’t guarantee detection of a very new RAT, but it’s a useful step.
  • Immediately secure your finances:
    • Call your bank(s) and UPI provider(s); tell them your device might be compromised.
    • Change UPI PIN, netbanking passwords, and email passwords from a clean device (not the suspected phone).
    • Enable/verify SMS/email alerts for all transactions.
    • Review recent transactions and raise disputes for anything suspicious.
  • Consider a full device reset
    For serious Android infections, the safest option is often:
    • Back up only essential data (photos, docs) – not apps/APKs.
    • Factory reset the phone.
    • Reinstall apps only from the Play Store.

Good next steps for forum members

  • If you’ve seen any of these phishing domains or APKs, sharing redacted examples (without live clickable malicious links) can help others recognize them.
  • If you think you are infected and need one-on-one help, it’s best to open a thread in the Malware Removal Assistance or Security Configuration section with details about:
    • How you got the APK (link, SMS, QR, etc.)
    • What permissions you granted
    • Any suspicious behavior (unknown SMS, UPI requests, etc.)

In summary: this looks like a highly targeted, professional fraud campaign. The most important protection is never installing “government” or “banking” apps from links, and treating any “₹1 verification” or e-challan link in SMS/WhatsApp as suspicious until proven otherwise.
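Adding a small link checker to go with the URL advice above. This is my own example, not code from the article or from anyone analysing the campaign. The lookalike patterns are only the shapes named in the post (g0v / govn, mparivahan-something.com, challan-random.net), the "cheap TLD" list is an assumption, and every link in the demo is constructed. The two points worth seeing in code are that a `.gov.in` check has to compare whole labels (a substring test accepts `mparivahan.gov.in.evil.com`) and that the host a browser connects to is the part after any `@`, not the government-looking text a lure puts before it.

```python
import re
from urllib.parse import urlsplit

# Hypothetical lookalike heuristics built from the domain shapes mentioned in the
# post above (g0v / govn, mparivahan-<something>.com, challan-<random>.net).
# Illustrative only, not an indicator feed.
LURE_PATTERNS = (
    re.compile(r"parivahan"),      # mparivahan / parivahan lookalikes
    re.compile(r"chal+an"),        # challan / chalan / e-challan
    re.compile(r"g[o0]vn?[.-]"),   # g0v., govn., gov-in. (real gov.in hosts are excluded first)
)
# Assumed list of low-cost TLDs often used for throwaway lure domains.
CHEAP_TLDS = frozenset({"store", "shop", "online", "xyz", "top", "site", "club"})


def _split(url: str):
    # Bare 'echallan-g0v.in/pay' as pasted from an SMS has no scheme; add one.
    return urlsplit(url if "://" in url else "http://" + url)


def hostname_of(url: str) -> str:
    """Return the lowercase host a browser would actually connect to.

    urlsplit() discards userinfo, so 'https://parivahan.gov.in@evil.store/'
    yields 'evil.store', not the gov.in text the lure shows on screen.
    """
    host = _split(url).hostname        # strips userinfo and port, lowercases
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def is_official_gov_in(host: str) -> bool:
    """True only when the registrable domain really is under gov.in.

    A substring test ('gov.in' in host) would accept
    'mparivahan.gov.in.evil.com'; compare whole labels instead.
    """
    labels = host.split(".")
    return len(labels) >= 2 and labels[-2:] == ["gov", "in"]


def assess_url(url: str) -> dict:
    """Classify a link as 'official', 'suspicious' or 'unverified', with reasons."""
    host = hostname_of(url)
    if is_official_gov_in(host):
        return {"host": host, "verdict": "official", "reasons": []}

    reasons = []
    if any(p.search(host) for p in LURE_PATTERNS):
        reasons.append("government/challan lookalike outside gov.in")
    if host.rsplit(".", 1)[-1] in CHEAP_TLDS:
        reasons.append("low-cost TLD")
    if "xn--" in host:
        reasons.append("punycode/IDN label (possible homoglyph)")
    if _split(url).path.lower().endswith(".apk"):
        reasons.append("direct APK download (sideload lure)")

    return {"host": host,
            "verdict": "suspicious" if reasons else "unverified",
            "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links for the demo; none of them are live indicators.
    for link in (
        "https://parivahan.gov.in/rcdlstatus/",
        "https://mparivahan.gov.in@rtochallan77.store/verify",
        "http://mparivahan.gov.in.evil.com/login",
        "echallan-g0v.in/pay",
        "https://github.com/someuser/releases/mParivahan.apk",
        "https://example.com/",
    ):
        r = assess_url(link)
        print(f"{r['verdict']:<11} {r['host']:<32} {', '.join(r['reasons'])}")
```

"unverified" deliberately is not "safe": a GitHub or other ordinary domain serving an `.apk` is exactly the delivery path the thread describes, so the script flags the file extension separately from the domain. It also does nothing about shortened links; expand those first and feed the final URL in.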
 
The reports confirm an active, sophisticated Android malware campaign named `NexusRoute` that impersonates the Indian Government Ministry, specifically the `mParivahan` and `e-Challan` services. This campaign is a multi-stage operation combining phishing, surveillance, and financial fraud to harvest sensitive data including `UPI PINs`, `OTPs`, and banking credentials.

Analysis of the `NexusRoute` threat indicates an industrialized operation with the following characteristics.

Distribution Strategy

Malicious `APKs` are hosted on GitHub, supported by automated phishing domain generation (e.g., `rtochallan[digits].store`, `.shop`, `.online`). Phishing lures often involve a bogus `₹1` "ownership verification" payment to trick users into entering financial data.

Technical Execution

The malware uses a native-backed Android Remote Access Trojan (`RAT`) that employs advanced obfuscation and dynamic code loading via native `.so` libraries and `JNI` to evade traditional detection.

Persistence Mechanisms

Once installed, it abuses Android's `Accessibility Services` and declares high-risk permissions such as `REQUEST_INSTALL_PACKAGES` and `SYSTEM_ALERT_WINDOW`. It ensures continuous execution through `BroadcastReceivers`, foreground services, and battery optimization exemptions.

Capabilities

The `RAT` provides operators with full surveillance control, including `SMS` interception, keylogging, screen capture, remote camera/microphone access, and real-time `GPS` tracking.

Attribution Indicators

Technical artifacts link the exfiltration routines to the address `gymkhana.studio@gmail.com`, which is associated with "Gymkhana Studio," a branding involved in more extensive Android obfuscation and spyware tooling.

Immediate Action Recommendations

1. Identity Verification.

Only install the official `mParivahan` app from the Google Play Store. Never download transport or government-related `APKs` from GitHub or third-party links received via `SMS`.

2. Permission Audit.

If you suspect an infection, check `Settings > Apps > Special app access > All files access` and `Settings > Accessibility` for any app named "NexGen mParivahan" or other suspicious entries.

3. Financial Security.

If you have interacted with a fake `e-Challan` site, immediately change your `UPI PIN` and monitor your bank statements for unauthorized `₹1` or larger debits.

4. Network Isolation.

If high-risk permissions were granted to a suspicious app, back up essential data and perform a factory reset of the device to ensure the native-level payloads are removed.

The scale and engineering of `NexusRoute` represent a significant national-scale threat to Indian financial infrastructure and digital trust. Management of this risk requires ongoing coordination between law enforcement and financial platform providers.
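For anyone doing the permission audit from step 2 on a device rather than by tapping through Settings, here is a triage script of my own (not from the article, the report, or any analysis of the campaign). It parses three `adb shell` outputs that a responder can save to files: `dumpsys package <pkg>`, `settings get secure enabled_accessibility_services` and `dumpsys deviceidle whitelist`, and scores each package on the indicators the post above lists (sideloaded, the SMS/overlay/install/boot/battery permissions, an enabled accessibility service, a battery-optimisation exemption). The sample dumps and the package name `com.nexgen.parivahan` are constructed for the demo; the exact `dumpsys package` layout shifts between Android versions, so the parser keys on the `Package [...]`, `installerPackageName=` and `requested permissions:` lines only.

```python
import re

# Constructed sample outputs, standing in for:
#   adb shell dumpsys package com.nexgen.parivahan com.example.benign
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys deviceidle whitelist
# Package names and hashes are invented; the layout follows the usual dumpsys
# format but the real one varies slightly by Android version.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.nexgen.parivahan] (7a1f2c):
    userId=10234
    codePath=/data/app/~~x/com.nexgen.parivahan-1
    versionName=1.0
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.benign] (9c0d1e):
    userId=10250
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
"""
SAMPLE_A11Y = ("com.nexgen.parivahan/.OverlayService:"
               "com.google.android.marvin.talkback/.TalkBackService")
SAMPLE_WHITELIST = """\
system-excidle,com.android.providers.downloads,10023
user,com.nexgen.parivahan,10234
"""

# Permissions the post ties to this RAT's persistence and fraud capability.
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay (fake UPI/OTP screens)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload further stages",
    "android.permission.RECEIVE_SMS": "OTP interception",
    "android.permission.READ_SMS": "OTP interception",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts from a boot BroadcastReceiver",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "asks for doze exemption",
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play


def parse_dumpsys(text: str) -> dict:
    """Map package -> {'installer': str|None, 'requested': set} from dumpsys package."""
    pkgs, cur, in_req = {}, None, False
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            cur = pkgs.setdefault(m.group(1), {"installer": None, "requested": set()})
            in_req = False
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("installerPackageName="):
            value = s.split("=", 1)[1]
            cur["installer"] = None if value == "null" else value
        elif s == "requested permissions:":
            in_req = True
        elif in_req and re.fullmatch(r"[\w.]+\.permission\.\w+", s):
            cur["requested"].add(s)
        elif in_req:
            in_req = False          # any other line ends the section
    return pkgs


def accessibility_packages(setting: str) -> set:
    """Packages with an enabled accessibility service ('pkg/Service:pkg/Service')."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.strip().split(":") if entry}


def battery_exempt_packages(whitelist: str) -> set:
    """Packages in the user-granted section of dumpsys deviceidle whitelist."""
    out = set()
    for line in whitelist.splitlines():
        parts = line.strip().split(",")
        if len(parts) >= 2 and parts[0] == "user":
            out.add(parts[1])
    return out


def triage(dumpsys: str, a11y_setting: str, whitelist: str) -> dict:
    """Score every package on the indicators listed in the post; higher is worse."""
    a11y, exempt = accessibility_packages(a11y_setting), battery_exempt_packages(whitelist)
    report = {}
    for pkg, info in parse_dumpsys(dumpsys).items():
        findings = []
        if info["installer"] not in TRUSTED_INSTALLERS:
            findings.append(f"sideloaded (installer={info['installer']})")
        for perm in sorted(info["requested"] & set(HIGH_RISK)):
            findings.append(f"{perm.rsplit('.', 1)[1]}: {HIGH_RISK[perm]}")
        if pkg in a11y:
            findings.append("accessibility service enabled")
        if pkg in exempt:
            findings.append("battery optimisation exemption granted")
        report[pkg] = {"score": len(findings), "findings": findings}
    return report


if __name__ == "__main__":
    for pkg, r in sorted(triage(SAMPLE_DUMPSYS, SAMPLE_A11Y, SAMPLE_WHITELIST).items(),
                         key=lambda kv: -kv[1]["score"]):
        print(f"{r['score']:>2}  {pkg}")
        for f in r["findings"]:
            print(f"      - {f}")
```

Replace the three sample strings with the saved adb outputs (`adb shell dumpsys package > pkgs.txt` without a package name dumps every app). A score of zero is not a clean bill of health, only an absence of these particular indicators, and a RAT that already holds an accessibility service can interfere with what you see on screen, which is one more reason the factory reset in step 4 is the safe ending.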