A new variant of the fake NextGen mParivahan app has emerged, exploiting the trust users place in official government notifications to distribute malware.
This malicious software is distributed through seemingly legitimate traffic violation alerts via WhatsApp, luring victims into installing what they believe is the official app.
Infection Vector and Deceptive Tactics
The malware spreads under the guise of “NextGen mParivahan,” mimicking the legitimate app developed by India’s Ministry of Road Transport & Highways.
.png
)
Cybercriminals have rebranded this malware to coincide with the actual app’s rebranding, sending out fake traffic violation notifications containing vehicle registration details and ticket numbers to make their messages appear credible.
Once installed, this malicious app requests extensive permissions, camouflages its icon, and begins to exfiltrate sensitive data, including SMS messages, to a command-and-control (C2) server managed by the attackers.
Technical Analysis and Anti-Analysis Techniques
According to the Report, this variant employs several sophisticated techniques to evade detection:
- Malformed Multi-stage Dropper-Payload Architecture: The dropper application, named “e_challan_report,” is designed to bypass traditional analysis tools like Apktool, Jadx, Androguard, Bytecode Viewer, and even 7zip, by using an unsupported compression method in its APK structure. This strategy ensures that the malware can install successfully on Android 9 and above, where newer parsing methods overlook the manifest corruption errors seen in earlier Android versions.
- Stealthier C2 Extraction: A more advanced sample dynamically generates its C2 server URL at runtime, avoiding static storage which could be easily detected. This method involves loading a native library “libbunnycoban.so” to construct the C2 server address, showcasing the increasing sophistication in malware evasion techniques.
The malware not only steals SMS messages but also targets notifications from a range of apps including WhatsApp, social media, and e-commerce platforms.
This expansion in functionality signifies a significant leap in the threat level, compromising user privacy on multiple fronts.
Indicators of Compromise (IOCs)
Key IOCs for this malware include:
- URLs: Https[:]//cyberdefensetech[.]cc/
Users are advised to be vigilant about the apps they download, especially from sources outside the Google Play Store, and to grant permissions judiciously.
Employing trusted antivirus solutions like Quick Heal Mobile Security for Android can detect and mitigate such threats effectively.
Staying digitally safe in this era of stealthy Android malware requires diligence and a proactive approach to cybersecurity.
Always check for official updates from app developers directly through trusted channels, and be highly skeptical of notifications prompting app downloads from unsolicited messages.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
