Android Malware Campaign Targets Indian Users via Fake eChallan Alerts
20 March 2026, 04:53
Android Malware Campaign Exploits eChallan and RTO Challan Trust
A common message reads: “Your vehicle challan has been generated. Download the receipt from the link below.” The link or attachment leads users to download malicious APK files named “RTO Challan.apk,” “RTO E Challan.apk,” or even “MParivahan.apk.” As highlighted by CERT-In, these files act as entry points for a multi-stage malware infection. Once installed, the application appears in the app drawer, giving the illusion of legitimacy. However, it is only a dropper component. The actual malicious payload is deployed when users tap on prompts like “Install Update.”
Multi-Stage Malware and Device Compromise
Once activated, the malware continues the eChallan theme but becomes invisible to the user by not appearing in the app list. At this stage, it aggressively requests sensitive permissions, including access to SMS messages, phone calls, and background activity. This level of access allows attackers to maintain persistence on the device without detection. In some cases, the malware also requests permission to establish a VPN connection, enabling threat actors to monitor and intercept internet traffic. The ultimate goal of this Android malware campaign is financial theft. Fake interfaces resembling legitimate RTO Challan or banking pages are displayed to trick users into entering sensitive information such as card details and login credentials.
Parallel Rise of Browser-Based eChallan Phishing
Last year, Cyble Research and Intelligence Labs (CRIL) reported a related surge in browser-based phishing attacks leveraging the eChallan ecosystem. Unlike APK-based threats, this variation does not require users to install any application, significantly lowering the barrier for compromise. These phishing campaigns begin similarly, with SMS messages targeting Indian vehicle owners. The messages contain deceptive URLs that mimic official eChallan portals. Once clicked, users are redirected to cloned websites that closely replicate government platforms, complete with official insignia and branding. At the time of investigation, many of these phishing domains remained active, indicating an ongoing and well-maintained operation rather than isolated incidents.
Anatomy of the Phishing Attack
The browser-based eChallan fraud follows a structured attack chain:
- Stage 1: SMS Delivery: Victims receive messages claiming overdue fines, often with threatening language about legal action. The sender appears as a regular mobile number, increasing credibility.
- Stage 2: Fake Portal Redirection: Clicking the link redirects users to phishing domains hosted on IP addresses such as 101[.]33[.]78[.]145. Interestingly, some pages are originally written in Spanish and translated into English, suggesting reuse of global phishing templates.
- Stage 3: Fabricated Challan Generation: Users are asked to input details like vehicle number, challan number, or driving license number. Regardless of the input, the system generates a realistic-looking challan, often with a fine amount such as INR 590 and a near-term deadline. This psychological tactic reinforces trust.
- Stage 4: Financial Data Harvesting: When users proceed to payment, they are directed to a fake payment page that only accepts credit or debit cards. No legitimate payment gateway is used. Instead, sensitive details like CVV, expiry date, and cardholder name are captured directly. Testing revealed that even invalid card entries are accepted, confirming that data is harvested regardless of transaction success.
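The SMS-stage indicators described in this attack chain (challan-themed lure text, links to bare IP hosts, and the APK file names used by the dropper) can be turned into a simple triage heuristic for messages reported by users. This is an added example, not code from CERT-In or Cyble; the sample messages and non-IP hosts are constructed, and treating only *.gov.in hosts as official portals is an assumption.

```python
import re
from ipaddress import ip_address
from urllib.parse import unquote, urlparse

# Lure vocabulary and dropper file names as quoted in the advisory above.
LURE_RE = re.compile(r"\b(?:challan|rto|parivahan|fine|legal action)\b", re.IGNORECASE)
KNOWN_DROPPERS = {"rto challan.apk", "rto e challan.apk", "mparivahan.apk"}
URL_RE = re.compile(r"(?:https?|hxxps?)://[^\s\"'<>]+", re.IGNORECASE)


def refang(url: str) -> str:
    """Undo common defanging (hxxp, [.]) so a shared IoC can be parsed as a URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def is_official(host: str) -> bool:
    # Assumption for this example: only *.gov.in hosts count as official portals.
    return host == "gov.in" or host.endswith(".gov.in")


def assess_sms(text: str) -> dict:
    """Return a verdict and the SMS-stage indicators that triggered it."""
    themed = LURE_RE.search(text) is not None
    reasons = []
    for raw in URL_RE.findall(text):
        parsed = urlparse(refang(raw))
        host = (parsed.hostname or "").lower()
        filename = unquote(parsed.path).rsplit("/", 1)[-1].lower()
        try:
            ip_address(host)  # phishing page hosted directly on an IP, as in Stage 2
            reasons.append(f"link hosted on bare IP address {host}")
        except ValueError:
            if themed and not is_official(host):
                reasons.append(f"challan-themed message links to non-government host {host}")
        if filename in KNOWN_DROPPERS:
            reasons.append(f"link delivers known dropper file name '{filename}'")
        elif filename.endswith(".apk"):
            reasons.append(f"link delivers an APK file '{filename}'")
    verdict = "malicious" if reasons else "clean"
    return {"verdict": verdict, "themed": themed, "reasons": reasons}


# Constructed sample messages (not real traffic). The IP is the one cited in
# Stage 2 above; the other hosts are placeholders.
SAMPLE_SMS = [
    "Your vehicle challan has been generated. Download the receipt from the link below. "
    "hxxp://101[.]33[.]78[.]145/RTO%20Challan.apk",
    "Your vehicle challan has been generated. Pay at https://echallan.example.gov.in/",
    "Challan of INR 590 overdue. Avoid legal action: http://rto-challan-pay.example.com/pay",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        result = assess_sms(sms)
        print(result["verdict"], "|", "; ".join(result["reasons"]) or "no indicators")
```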
