New Android Malware Mimic as mParivahan and e-Challan Attacking Android Users to Steal Login Credentials

A sophisticated Android malware campaign named NexusRoute is actively targeting Indian citizens by impersonating government services.

The operation uses fake versions of the official mParivahan and e-Challan applications to harvest login credentials and financial information from unsuspecting users.

This coordinated attack combines phishing websites, fraudulent payment interfaces, and advanced malware to execute a multi-stage theft operation that compromises personal and banking data at a national scale.

The campaign operates through a well-planned distribution network hosted on GitHub, where hundreds of fake application repositories serve malicious Android packages to potential victims.

Threat actors create convincing copies of government portals and use phishing domains that mimic legitimate services.

Initial Attack Through Phishing (Source - Cyfirma)

Once users install the fake application, they become targets for SMS interception, financial credential theft, and unauthorized financial transactions.

The malware also performs extensive device surveillance, capturing location data, personal contacts, and sensitive call logs without user awareness.

Cyfirma analysts identified the malware after observing its connection to a broader commercial Android obfuscation and surveillance ecosystem.

High-Risk Permission Declaration in Main Application Manifest (Source - Cyfirma)

The research team traced the operation to a professionally maintained infrastructure rather than simple opportunistic scamming.

Evidence links the malware to developer communities specializing in Android protection tools and app modification techniques, confirming this as a large-scale fraud and surveillance operation backed by technical expertise and commercial tooling.

The attack begins when victims encounter fake mParivahan download pages hosted on GitHub Pages.

These phishing sites display convincing government branding and logos, instructing users to enable installation from unknown sources on their Android devices.

The initial payload operates as a dropper, requesting permissions that a legitimate government app would never ask for.

These permissions include SMS reading, accessibility services, overlay window creation, and all-files access. Granted together, they give the operator effective control of the device.

Understanding the Infection Mechanism and Persistence Strategy

The malware employs a sophisticated multi-stage loading system designed to bypass detection systems and complicate reverse engineering.

Upon installation, the dropper application immediately loads a native library called npdcc via the Java Native Interface (JNI).

This approach moves critical malicious logic into compiled code, making static analysis significantly more difficult for security researchers.

The malware uses DexClassLoader to dynamically load additional Android packages stored elsewhere on the device, so attackers can deploy updated payloads without the user installing anything further.
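As an added illustration (not code from Cyfirma's report or from the malware itself), the following Python script shows the static triage an analyst can run over an APK to spot the staging pattern described above: a shipped native library plus references to DexClassLoader in the DEX string table. Type descriptors such as `Ldalvik/system/DexClassLoader;` are stored verbatim in a real classes.dex, so a byte search works on genuine samples. The APK scanned here is constructed in memory; `libnpdcc.so` follows the library name the article gives, while `assets/stage2.apk` and the DEX contents are placeholders.

```python
import io
import re
import zipfile

# Byte strings whose presence in a DEX file points at the staging behaviour
# described in the article. Descriptors appear verbatim in the DEX string table.
DEX_INDICATORS = {
    b"Ldalvik/system/DexClassLoader;": "runtime loading of external DEX/APK payloads",
    b"loadLibrary": "loading a native library via JNI",
    b"Landroid/accessibilityservice/AccessibilityService;": "accessibility service implementation",
}


def scan_apk(apk_bytes):
    """Walk the APK (a zip) and collect native libs, loose payloads and DEX indicators."""
    report = {"native_libs": [], "dex_indicators": {}, "loose_payloads": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                data = z.read(name)
                for needle, why in DEX_INDICATORS.items():
                    if needle in data:
                        report["dex_indicators"].setdefault(why, []).append(name)
            elif name.startswith("lib/") and name.endswith(".so"):
                # Compiled code shipped with the app (JNI targets).
                report["native_libs"].append(name)
            elif name.endswith((".apk", ".dex", ".jar")):
                # Secondary packages outside the normal classesN.dex set.
                report["loose_payloads"].append(name)
    return report


def staged_loader_suspected(report):
    """True when the APK both ships native code and references DexClassLoader."""
    return bool(report["native_libs"]) and (
        "runtime loading of external DEX/APK payloads" in report["dex_indicators"]
    )


def build_sample_apk(staged=True):
    """Constructed sample APK (placeholder contents, assumed file names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder binary manifest>")
        if staged:
            dex = (b"dex\n035\x00" + b"\x00" * 8
                   + b"Ldalvik/system/DexClassLoader;\x00"
                   + b"loadLibrary\x00npdcc\x00")
            z.writestr("classes.dex", dex)
            # Library name as given in the article; contents are a placeholder.
            z.writestr("lib/arm64-v8a/libnpdcc.so", b"\x7fELF placeholder")
            # Hypothetical second-stage package bundled under assets/.
            z.writestr("assets/stage2.apk", b"PK placeholder")
        else:
            z.writestr("classes.dex", b"dex\n035\x00" + b"Lcom/example/Benign;\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for staged in (True, False):
        r = scan_apk(build_sample_apk(staged))
        print("staged" if staged else "benign", r, staged_loader_suspected(r))
```

On a real sample, combine this with the manifest check: a DexClassLoader hit alone is common in legitimate apps (plugin frameworks, hot-fix libraries); it is the pairing with native code, SMS permissions and an accessibility service that matches the dropper behaviour described here.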

Persistence is the campaign's strongest technical aspect: the malware combines several Android-specific mechanisms to stay running on infected devices.

It registers a BroadcastReceiver that fires at system startup so it relaunches after every reboot, creates foreground services disguised as legitimate backup or security tools, and abuses OEM-specific auto-start mechanisms on Xiaomi and OPPO devices.
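The permission set requested by the dropper and the boot-receiver and accessibility-service hooks described above can all be read straight from a decoded AndroidManifest.xml (for example, the one apktool writes out). The script below is an added example, not code from the page or from Cyfirma: it flags those declarations and returns a verdict. The manifest it parses is a hand-written sample; its package name and the service and receiver class names are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree attribute prefix for android:*

# Permissions a read-only government information app has no reason to request.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS (OTP interception)",
    "android.permission.RECEIVE_SMS": "intercept SMS as it arrives",
    "android.permission.SEND_SMS": "send SMS from the device",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "all-files access",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.READ_CALL_LOG": "harvest call logs",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart at boot (persistence)",
    "android.permission.FOREGROUND_SERVICE": "run a persistent foreground service",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs (dropper)",
}


def triage_manifest(xml_text):
    """Return (kind, name, reason) findings for risky declarations in a manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for p in root.iter("uses-permission"):
        name = p.get(A + "name", "")
        if name in HIGH_RISK_PERMISSIONS:
            findings.append(("permission", name, HIGH_RISK_PERMISSIONS[name]))
    app = root.find("application")
    if app is not None:
        for svc in app.iter("service"):
            # An accessibility service must be bound with this permission.
            if svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
                findings.append(("accessibility-service", svc.get(A + "name"),
                                 "can read the screen and click through permission dialogs"))
        for rcv in app.iter("receiver"):
            actions = {a.get(A + "name") for a in rcv.iter("action")}
            if "android.intent.action.BOOT_COMPLETED" in actions:
                findings.append(("boot-receiver", rcv.get(A + "name"), "auto-start at boot"))
    return findings


def verdict(findings):
    """'high' when accessibility abuse is paired with SMS or overlay capability."""
    kinds = {f[0] for f in findings}
    perms = {f[1] for f in findings if f[0] == "permission"}
    sms = perms & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in perms
    if "accessibility-service" in kinds and (sms or overlay):
        return "high"
    if sms or overlay or "accessibility-service" in kinds:
        return "medium"
    return "low"


# Constructed sample modelled on the article's description; names are assumptions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake_mparivahan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <application android:label="mParivahan">
        <service android:name=".SecurityBackupService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Benign"/>
</manifest>"""


if __name__ == "__main__":
    for kind, name, why in triage_manifest(SAMPLE_MANIFEST):
        print(f"{kind:22} {name:50} {why}")
    print("verdict:", verdict(triage_manifest(SAMPLE_MANIFEST)))
```

The verdict logic deliberately keys on the combination rather than any single permission: RECEIVE_BOOT_COMPLETED or FOREGROUND_SERVICE on their own are ordinary, but an accessibility service declared next to SMS and overlay permissions is the profile of the dropper described here.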

The malware displays fake security notifications that mimic Google Play updates, tricking users into approving permissions they would typically deny.

Accessibility access (Source - Cyfirma)

Once accessibility service privileges are granted, the malware clicks through the remaining runtime permission prompts on the user's behalf, granting itself camera, microphone, and file access without any further user interaction.

The application then presents a false security alert claiming an unsupported application was detected, directing users through a fake uninstallation flow that removes only the dropper while keeping the primary payload hidden and operational.

This comprehensive persistence strategy ensures the malware remains active even after multiple device reboots and survives standard user removal attempts.

The stolen credentials flow to the attackers’ command-and-control servers via Socket.IO communication channels.

The malware transmits device identifiers, bank account details, UPI PINs, and SMS messages containing one-time passwords to centralized monitoring dashboards.

With this complete data set, attackers execute unauthorized transactions and sell compromised information to criminal networks.

Open-source intelligence research has surfaced archived control-panel interfaces exposing features for GPS tracking, microphone activation, and remote screen capture, confirming that the operation extends beyond financial theft into comprehensive mobile surveillance.
