Authored by ZePeng Chen
Recently, we identified an active Android phishing campaign targeting Indian users. The attackers impersonate a government electricity subsidy service to lure victims into installing a malicious app. In addition to stealing financial information, the malicious app also steals text messages, uses the infected device to send smishing messages to the user's contact list, and can be remotely controlled via Firebase; the phishing website and the malware were hosted on GitHub. This attack chain leverages YouTube videos, a fake government-like website, and a GitHub-hosted APK file, forming a well-orchestrated social engineering operation. The campaign involves fake subsidy promises, user data theft, and remote-control functionality, posing a substantial threat to user privacy and financial security.
McAfee, as part of the App Defense Alliance committed to protecting users and the app ecosystem, reported the identified malicious apps to Google. As a result, Google blocked the associated FCM account to prevent further abuse. McAfee also reported the GitHub-hosted repository to the GitHub Developer Support Team, which took action and has already removed it from GitHub. McAfee Mobile Security detects these malicious applications as a high-risk threat. For more information, and to get fully protected, visit McAfee Mobile Security.
Background
The Government of India approved the PM Surya Ghar: Muft Bijli Yojana on 29th February 2024 to increase the share of solar rooftop capacity and empower residential households to generate their own electricity. The scheme provides a subsidy of 60% of the solar unit cost for systems up to 2 kW capacity and 40 percent of the additional system cost for systems between 2 and 3 kW capacity. The subsidy has been capped at 3 kW capacity. The customer has to register on the National Portal by selecting their state and electricity distribution company. Scammers exploit this subsidy scheme to create phishing websites and fake applications that steal the bank account information of users who want to apply for the subsidy.
Technical Findings
Distribution Methods
This phishing operation unfolds in several stages:
1. YouTube Video Lure: The attackers upload promotional videos claiming users can obtain "government electricity subsidies" through a mobile app. A shortened URL is included in the video description to encourage users to click.

Figure 1. YouTube video promoting the phishing URL
2. Phishing Website Imitation: The shortened URL redirects to a phishing website hosted on GitHub, designed to closely resemble an official Indian government portal.

Figure 2. Phishing and official website
The phishing website presents fake registration process instructions; once users believe this introduction, they will have no doubts about the steps that follow. The phishing website also has a fake Google Play icon, making users believe it is a Google Play app, but in reality the icon points to an APK file on GitHub. When victims click the Google Play icon, the APK is downloaded from the GitHub repository instead of opening the Google Play Store.
3. GitHub-Hosted APK and Phishing Page
Both the phishing website source and the APK file are hosted in the same GitHub repository, likely to bypass security detection and appear more legitimate. The repository activity shows that this malicious app has been continuously developed since October 2024, with frequent updates observed in recent weeks.

Figure 3. Malware repository on GitHub
Installation without network
The downloaded APK is not the main malicious component. Instead, it contains an embedded APK file at assets/app.apk, which is the actual malware. The initial APK serves only to install the embedded one. During installation, users are deceived into believing they are installing a "security update" and are prompted to disable mobile data or Wi-Fi, likely to reduce the effectiveness of malware detection solutions that rely on cloud-based detection technologies. However, McAfee is still able to detect this threat in offline mode.

Figure 4. Installing a malicious APK without a network
Following the installation instructions, the malicious application is installed. Two applications end up installed on the device:
- PMBY – The initial APK, used to install PMMBY.
- PMMBY – The malware APK, installed under the guise of a "Secure Update".
Figure 5. Application names and icons.
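A triage check for the dropper layout described in the installation section: an outer APK whose real payload is a second APK stored at assets/app.apk. This is an added example, not code from the post or from McAfee; the sample dropper it inspects is constructed in memory with placeholder package names, so it runs offline.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # every APK is a ZIP container and starts with these bytes


def find_embedded_apks(apk_bytes: bytes) -> list:
    """Return (entry path, size, has_manifest) for every entry inside an APK that
    is itself a ZIP archive. The check is on the magic bytes, not the file name,
    so a payload renamed to e.g. assets/app.dat is still reported."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or info.file_size < len(ZIP_MAGIC):
                continue
            data = outer.read(info)
            if not data.startswith(ZIP_MAGIC):
                continue
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                has_manifest = "AndroidManifest.xml" in inner.namelist()
            found.append((info.filename, info.file_size, has_manifest))
    return found


def build_sample_dropper() -> bytes:
    """Constructed stand-in for the PMBY dropper: an outer APK whose payload is a
    second APK at assets/app.apk. Package names are placeholders and the manifests
    are plain text rather than real binary AXML; only their presence is checked."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest package='placeholder.payload'/>")
        z.writestr("classes.dex", b"dex\n035\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest package='placeholder.dropper'/>")
        z.writestr("assets/app.apk", inner.getvalue())
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")  # non-ZIP asset, must not be flagged
    return outer.getvalue()


if __name__ == "__main__":
    for path, size, manifest in find_embedded_apks(build_sample_dropper()):
        print(f"embedded APK: {path} ({size} bytes, manifest={manifest})")
```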
Malware analysis
PMMBY is the application that actually carries out the malicious behavior; let's delve into the concrete details of how it accomplishes this.
It requests aggressive permissions when it is launched.
- READ_CONTACTS – Read the contact list
- CALL_PHONE – Make/manage phone calls
- READ_SMS, SEND_SMS – View and send SMS messages
- Notification access – For spamming or masking malicious activities

Figure 6. Aggressive permissions request
Fake UI and Registration Process
Once permissions are granted, the app displays a fake electricity provider selection screen. The message "To Get 300 Unit Free Every Month Please Select Your Electricity Provider From Below And Proceed" is shown in English and Hindi to prompt users to select their provider.

Figure 7. "SELECT YOUR PROVIDER" Activity
After selecting a provider, the app presents a fake registration form asking for the user's phone number and a ₹1 payment to "generate a registration token."

Figure 8. Registration Form
In this stage, the malware creates a background task to send an HTTPS request to https[://]rebrand[.]ly/dclinkto2. The response text is https[://]sqcepo[.]replit[.]app/gate[.]html,https[://]sqcepo[.]replit[.]app/addsm[.]php. The string is split into 2 URLs.
- UPI PIN URL – https[://]sqcepo[.]replit[.]app/gate[.]html. It is used in the "ENTER UPI PIN" process. When the malware uses this URL, "gate.html" is replaced with "gate.htm", so the loaded URL is https[://]sqcepo[.]replit[.]app/gate[.]htm.
- SMS Upload URL – https[://]sqcepo[.]replit[.]app/addsm[.]php. Incoming SMS messages are uploaded to this URL.

Figure 9. dclinkto2 request
In the "MAKE PAYMENT of ₹ 1" stage, victims are asked to use the "UPI-Lite" app to complete the payment. In the "UPI-Lite" activity, victims enter their bank UPI PIN code.

Figure 10. The process of "ENTER UPI PIN"
UPI Credential Theft
The UPI-Lite activity is a fake HTML-based form loaded from https[://]sqcepo[.]replit[.]app/gate[.]htm.
Once submitted, the phone number, bank details, and UPI PIN are uploaded to https[://]sqcepo[.]replit[.]app/addup.php. After the attacker obtains this information, they can steal money from your bank account.

Figure 11. Submitting the user's banking information.
Malware Background Behaviors
In addition to stealing the user's financial and banking information, the malware is also able to distribute itself by sending phishing messages to the victim's contact list, steal the user's text messages (most likely to intercept 2FA codes), and be remotely controlled via Firebase.
- Send mass phishing SMS messages to Indian users from the victim's contact list.

Figure 12. Sending a phishing SMS message.
- Upload SMS messages to the server.
The malware requests SMS viewing permission when it is launched. When it receives an incoming SMS message, it handles the message and posts the following data to the remote server (https[://]sqcepo[.]replit[.]app/addsm[.]php).
- senderNum: The phone number that sent the incoming message.
- Message: The incoming SMS message.
- Slot: The SIM slot that received the message.
- Device rand: A random number created during the first run to identify the device.

Figure 13. Posting an incoming SMS message
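A defender-side check for the configuration fetch and exfiltration endpoints described above (the dclinkto2 response, the gate.html to gate.htm rewrite, and the addup.php and addsm.php uploads). This is an added example, not code from the post or from McAfee; the proxy-log line format and the log lines are constructed, and the IOC URLs are those given in the post with the defanging brackets removed.

```python
import re
from urllib.parse import urlsplit

# Indicators from the post, with defanging brackets removed so they match real log fields.
CONFIG_URL = "https://rebrand.ly/dclinkto2"
UPI_UPLOAD_URL = "https://sqcepo.replit.app/addup.php"
# Form fields of the SMS-upload POST; the exact "Device rand" field name is not given, so it is omitted.
EXFIL_FIELDS = {"senderNum", "Message", "Slot"}


def derive_c2_urls(config_response: str) -> dict:
    """Mirror how the malware consumes the dclinkto2 response: a comma-separated pair of
    URLs, with 'gate.html' in the first one rewritten to 'gate.htm' before it is loaded.
    Returns the URLs an analyst should expect to see from an infected device."""
    pin_url, sms_url = (u.strip() for u in config_response.split(","))
    return {"upi_pin_page": pin_url.replace("gate.html", "gate.htm"), "sms_upload": sms_url}


# Assumed proxy-log line shape (constructed): "<timestamp> <METHOD> <url> [body="k=v&k=v"]"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+)(?: body="(?P<body>[^"]*)")?$')


def scan_proxy_log(lines, watched_urls) -> list:
    """Return (timestamp, reason) for each line that hits a watched host+path, or that
    POSTs the SMS-exfiltration field set to any host (catches a relocated addsm.php)."""
    watched = {urlsplit(u).netloc + urlsplit(u).path for u in watched_urls}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        u = urlsplit(m["url"])
        key = u.netloc + u.path
        if key in watched:
            hits.append((m["ts"], f"known C2 endpoint {key}"))
        elif m["method"] == "POST" and m["body"]:
            fields = {kv.split("=", 1)[0] for kv in m["body"].split("&")}
            if EXFIL_FIELDS <= fields:
                hits.append((m["ts"], f"SMS exfil field set posted to {key}"))
    return hits


C2 = derive_c2_urls("https://sqcepo.replit.app/gate.html,https://sqcepo.replit.app/addsm.php")
WATCHED = [CONFIG_URL, UPI_UPLOAD_URL, *C2.values()]

SAMPLE_LOG = [  # constructed log lines; only the last one is benign
    '2025-05-01T10:00:01Z GET https://rebrand.ly/dclinkto2',
    '2025-05-01T10:00:02Z GET https://sqcepo.replit.app/gate.htm',
    '2025-05-01T10:00:09Z POST https://sqcepo.replit.app/addup.php body="field=value"',
    '2025-05-01T10:05:00Z POST https://example.invalid/up body="senderNum=AX-BANK&Message=OTP+123456&Slot=0"',
    '2025-05-01T10:06:00Z GET https://www.example.com/',
]
```

Run `scan_proxy_log(SAMPLE_LOG, WATCHED)` to get the four flagged lines; the fourth is caught by the field-name heuristic alone, which matters once the host changes.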
- Firebase as a Command Channel.
Attackers use FCM (Firebase Cloud Messaging) to send commands to control devices. Depending on the _type value, the malware executes different commands.

Table 1. Commands from FCM message

Figure 14. Commands from FCM message
Recommendations
To protect against such sophisticated attacks, users and defenders should take the following precautions:
- Avoid downloading apps from unofficial websites: Especially those offering benefits like subsidies, rewards, or financial assistance.
- Be wary of apps that require disabling network connections: This is often a red flag used to evade real-time antivirus scanning.
- Carefully review app permissions: Apps requesting contact access, SMS read/send, or call permissions without a clear reason should be treated as suspicious.
- Use security software with SMS protection: Enable permission alerts and use reputable mobile security apps to detect abnormal app behavior. McAfee's Scam Detector adds an extra layer of protection against the smishing part.
Cybercriminals are using popular themes like energy subsidies to trick users into providing financial information. This campaign demonstrates an integrated and stealthy attack chain. YouTube is used to distribute the phishing link; GitHub, a reliable and legitimate website, is used to both distribute malicious APKs and serve phishing websites, making the operation harder to identify and take down; and malware authors can remotely update the phishing text messages via Firebase Cloud Messaging (FCM) to be more effective in tricking users into installing the malware. With its self-propagation, financial data theft, and remote-control capabilities, it poses a serious risk. We will continue to monitor this threat, track emerging variants, and coordinate with relevant platforms to report and help take down related infrastructure.
Indicators of Compromise (IOCs)
