Fake Government App Targets Indian Users in UPI Credential Theft Campaign

A recent Android malware campaign has been uncovered by McAfee Labs, targeting users in India under the guise of the “PM Surya Ghar: Muft Bijli Yojana”, a government initiative offering energy subsidies. The attackers leverage fake government branding, phishing websites, GitHub-hosted APKs, and Firebase-based command-and-control to steal sensitive banking data, especially UPI credentials, and propagate the malware further through smishing attacks.

Severity Level: High

Threat Overview

Target and Lure

  • The campaign primarily targets Indian Android users by mimicking the official energy subsidy program, PM Surya Ghar.
  • Victims are lured via YouTube videos promoting fake subsidy benefits and redirected to phishing websites hosted on GitHub.
  • These websites imitate official government portals and offer an APK download disguised as a “government subsidy app.”

Attack Details

  • Phishing Website: Redirects to a GitHub-hosted page resembling an official portal; displays a fake Google Play button.
  • Malware Delivery: Clicking the Play button downloads an APK from GitHub containing the loader (PMBY) and embedded payload (PMMBY).
  • Deception & Evasion: Users are told to disable internet access during installation and are tricked into installing a “Secure Update” app; installing offline prevents cloud-based malware scanners from checking the package.
  • Credential Harvesting: Fake forms collect user data and prompt a ₹1 UPI transaction – used to harvest UPI PINs and phone numbers.
  • Command & Control: Uses Firebase Cloud Messaging (FCM) to issue commands (e.g., send SMS, upload SMS, steal messages).
  • Propagation: Sends smishing messages from infected devices to spread itself further.

Permissions Abused

  • READ_CONTACTS, READ_SMS, SEND_SMS, CALL_PHONE
  • Notification access (for stealthy activity)
  • Background execution through FCM command triggers
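As an added illustration that is not part of the advisory or McAfee's report, the following Python check triages a decoded AndroidManifest.xml (for example the output of apktool) for the exact combination the advisory lists: the SMS/contacts/call permissions, a service bound with the notification-listener permission, and a service handling the Firebase Cloud Messaging event used for command delivery. The two embedded manifests, the package name com.example.fakesubsidy and the scoring thresholds are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; element names do not.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions the advisory lists as abused. Any one alone can be legitimate;
# the full set on a "subsidy" app is what makes it suspicious.
SMS_CONTACT_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
}
# A NotificationListenerService must be guarded by this bind permission.
NOTIFICATION_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Intent action handled by a Firebase Cloud Messaging receiving service.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded manifest for the permission/service pattern in the advisory."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ATTR_NAME) for el in root.iter("uses-permission")}
    found = sorted(SMS_CONTACT_PERMS & requested)

    notification_listener = False
    fcm_receiver = False
    app = root.find("application")
    if app is not None:
        for svc in app.iter("service"):
            if svc.get(ATTR_PERMISSION) == NOTIFICATION_LISTENER_PERM:
                notification_listener = True
            for action in svc.iter("action"):
                if action.get(ATTR_NAME) == FCM_ACTION:
                    fcm_receiver = True

    # Constructed weighting: one point per SMS/contact permission, two for
    # notification access (reads OTPs and banking alerts), one for an FCM
    # receiver (remote command channel). Thresholds are illustrative.
    score = len(found) + (2 if notification_listener else 0) + (1 if fcm_receiver else 0)
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return {
        "package": root.get("package"),
        "sms_contact_permissions": found,
        "notification_listener": notification_listener,
        "fcm_receiver": fcm_receiver,
        "score": score,
        "verdict": verdict,
    }


# Constructed manifest mirroring the advisory's permission set (not a real sample).
SAMPLE_MALICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakesubsidy">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Secure Update">
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <service android:name=".FcmService" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for contrast: a camera-only app.
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Torch"/>
</manifest>
"""

if __name__ == "__main__":
    for xml in (SAMPLE_MALICIOUS_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        print(triage_manifest(xml))
```

Run it against the XML produced by decoding an APK rather than the binary manifest inside the package; the result is a triage hint for analysts or an MDM pre-install gate, not a definitive verdict, since legitimate messaging or dialer apps also hold some of these permissions.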

Recommendations

  1. Deploy mobile endpoint protection capable of offline threat detection and APK analysis.
  2. Ensure APK file scanning and behavioral analysis are enforced before installation. Block sideloading from unknown sources via MDM.
  3. Educate users about fake government schemes and to avoid clicking links in unsolicited YouTube videos or social media.
  4. Avoid downloading apps from unofficial websites, especially those offering benefits like subsidies, rewards, or financial aid.
  5. Train users to avoid apps that request disabling internet during installation — this is a strong red flag.
  6. Ensure users understand what app permissions mean. Deny any app requesting sensitive access (SMS, contacts) without valid need.
  7. Block the IOCs at their respective controls. The indicator list is available at:
     https://www.virustotal.com/gui/collection/19298783082e0ab33ae8b6a5bd66f1003c3e777cdfa588841820c527aafb98d2/iocs

Source:

  • https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-promises-energy-subsidy-to-steal-financial-data/

Ampcus Cyber