A newly identified Android phishing campaign is aggressively targeting Indian users by masquerading as the legitimate PM Surya Ghar: Muft Bijli Yojana, a government initiative approved in February 2024 that offers subsidies for solar rooftop installations, covering up to 60% of costs for systems under 2kW and 40% for those up to 3kW.
Attackers leverage this popular scheme to deceive victims into installing malware, promising free electricity units through a fabricated mobile application.
Distribution Chain Exploits Social Engineering
The attack begins with YouTube videos promoting the subsidy, embedding shortened URLs in descriptions that redirect to a phishing website hosted on GitHub, meticulously designed to mimic the official portal at pmsuryaghar.gov.in.
This fake site features misleading registration instructions and a deceptive Google Play icon, which, when clicked, downloads an APK file from the same GitHub repository rather than the authentic app store.
The repository, active since October 2024 with frequent updates, hosts both the phishing page source and the malware, exploiting GitHub’s legitimacy to evade initial detection.
Upon download, the initial APK named PMBY embeds a secondary malicious APK at assets/app.apk, dubbed PMMBY, which is installed under the guise of a “Secure Update.”
To further hinder cloud-based antivirus scans, the installation process prompts users to disable mobile data or Wi-Fi, though advanced solutions like McAfee Mobile Security can still detect the threat offline.
Once installed, PMMBY requests invasive permissions including READ_CONTACTS for accessing contact lists, CALL_PHONE for call management, READ_SMS and SEND_SMS for message interception and transmission, and notification access for potential spamming or obfuscation.
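As an added defender-side example (not code from the report or from McAfee), the Python triage script below unpacks an APK, recurses into any secondary APK shipped under assets/ the way PMBY carries assets/app.apk, and flags the READ_SMS/SEND_SMS/READ_CONTACTS/CALL_PHONE combination together with a notification-listener service. It assumes each AndroidManifest.xml has already been decoded to plain XML (for example with apktool); a raw APK carries a binary manifest this does not parse. The dropper it inspects is constructed inside the script with hypothetical package names.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.android.com/apk/res/android"
RISKY = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
         "android.permission.READ_CONTACTS", "android.permission.CALL_PHONE"}
LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

def inspect_manifest(manifest_xml: str) -> dict:
    # Requested dangerous permissions plus any service guarded by the
    # notification-listener permission (i.e. notification access).
    root = ET.fromstring(manifest_xml)
    perms = {e.get(f"{{{NS}}}name") for e in root.iter("uses-permission")}
    listener = any(s.get(f"{{{NS}}}permission") == LISTENER for s in root.iter("service"))
    return {"risky_permissions": sorted(perms & RISKY), "notification_listener": listener}

def triage(apk_bytes: bytes, depth: int = 0) -> dict:
    # Walk the APK (a zip) and every APK nested under assets/, bounded to depth 2.
    report = {"embedded": {}, "risky_permissions": [], "notification_listener": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        if "AndroidManifest.xml" in names:  # assumed already decoded to plain XML
            report.update(inspect_manifest(z.read("AndroidManifest.xml").decode()))
        for n in names:
            if n.startswith("assets/") and n.endswith(".apk") and depth < 2:
                report["embedded"][n] = triage(z.read(n), depth + 1)
    # Dropper heuristic: an embedded APK whose own or nested manifest asks for
    # two or more of the SMS/contacts/call permissions.
    report["suspicious"] = bool(report["embedded"]) and (
        len(report["risky_permissions"]) >= 2
        or any(len(r["risky_permissions"]) >= 2 for r in report["embedded"].values()))
    return report

def _zip_of(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def build_sample() -> bytes:
    # Constructed sample mirroring the PMBY -> assets/app.apk -> PMMBY layout; not real malware.
    inner_manifest = f"""<manifest xmlns:android="{NS}" package="example.inner.hypothetical">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application><service android:name=".NL" android:permission="{LISTENER}"/></application>
</manifest>"""
    outer_manifest = f'<manifest xmlns:android="{NS}" package="example.outer.hypothetical"><application/></manifest>'
    inner = _zip_of({"AndroidManifest.xml": inner_manifest})
    return _zip_of({"AndroidManifest.xml": outer_manifest, "assets/app.apk": inner})
```

Running `triage(build_sample())` reports the outer APK as suspicious because of the nested APK, while the outer manifest itself requests none of the risky permissions.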

Remote Command Execution
Upon launch, the malware presents a fake user interface prompting victims to select their electricity provider from a list, displayed in both English and Hindi with enticing messages about receiving 300 free units monthly.
This leads to a phony registration form requiring a phone number and a nominal ₹1 payment via a simulated “UPI-Lite” process, where users input sensitive banking details and UPI PIN.
In the background, the app fetches dynamic URLs via an HTTPS request to rebrand.ly/dclinkto2, retrieving endpoints like sqcepo.replit.app/gate.htm for loading a fake HTML form and sqcepo.replit.app/addsm.php for uploading intercepted SMS.
The UPI credentials are exfiltrated to sqcepo.replit.app/addup.php, enabling attackers to drain victims’ bank accounts.
Beyond financial theft, PMMBY self-propagates by harvesting contacts and sending mass smishing messages that promote the scam; it also monitors incoming SMS and uploads sender numbers, message content, SIM slot details and a unique device identifier to the remote server, likely to capture two-factor authentication codes.
Remote control is facilitated through Firebase Cloud Messaging (FCM), where commands are issued based on a “_type” value to execute actions such as updating configurations or triggering further malicious behaviors.
This multifaceted threat not only compromises user privacy and financial security but also turns infected devices into vectors for broader dissemination.
According to the report, McAfee, under the App Defense Alliance, reported the apps to Google, resulting in the blocking of the associated FCM account, and notified GitHub, leading to the repository’s removal.
Users are advised to enable McAfee Mobile Security for high-risk threat detection and to verify subsidies only through official channels to avoid such orchestrated social engineering attacks.