A new Android malware campaign targeting Indian users has been reported by the Indian Computer Emergency Response Team, CERT-In. According to the agency, multiple reports indicate a coordinated effort by cybercriminals to steal sensitive financial and personal data through deceptive mobile applications and phishing techniques. 

The ongoing Android malware campaign revolves around fraudulent messages posing as official eChallan or RTO Challan alerts. Victims typically receive SMS notifications claiming that a traffic violation has been recorded against their vehicle. These messages often include alarming language such as legal threats or additional penalties, urging immediate action. 

Android Malware Campaign Exploits eChallan and RTO Challan Trust 

A common message reads: “Your vehicle challan has been generated. Download the receipt from the link below.” The link or attachment leads users to download malicious APK files named “RTO Challan.apk,” “RTO E Challan.apk,” or even “MParivahan.apk.” 

As highlighted by CERT-In, these files act as entry points for a multi-stage malware infection. Once installed, the application appears in the app drawer, giving the illusion of legitimacy. However, it is only a dropper component. The actual malicious payload is deployed when users tap on prompts like “Install Update.” 

Multi-Stage Malware and Device Compromise 

Once activated, the malware continues the eChallan theme but becomes invisible to the user by not appearing in the app list. At this stage, it aggressively requests sensitive permissions, including access to SMS messages, phone calls, and background activity. 

This level of access allows attackers to maintain persistence on the device without detection. In some cases, the malware also requests permission to establish a VPN connection, enabling threat actors to monitor and intercept internet traffic. 

The ultimate goal of this Android malware campaign is financial theft. Fake interfaces resembling legitimate RTO Challan or banking pages are displayed to trick users into entering sensitive information such as card details and login credentials. 

Parallel Rise of Browser-Based eChallan Phishing 

Last year, Cyble Research and Intelligence Labs (CRIL) reported a related surge in browser-based phishing attacks leveraging the eChallan ecosystem. Unlike APK-based threats, this variation does not require users to install any application, significantly lowering the barrier for compromise. 

These phishing campaigns begin similarly, with SMS messages targeting Indian vehicle owners. The messages contain deceptive URLs that mimic official eChallan portals. Once clicked, users are redirected to cloned websites that closely replicate government platforms, complete with official insignia and branding. 

At the time of investigation, many of these phishing domains remained active, indicating an ongoing and well-maintained operation rather than isolated incidents. 

Anatomy of the Phishing Attack 

The browser-based eChallan fraud follows a structured attack chain: 

• Stage 1: SMS Delivery: Victims receive messages claiming overdue fines, often with threatening language about legal action. The sender appears as a regular mobile number, increasing credibility. 
• Stage 2: Fake Portal Redirection: Clicking the link redirects users to phishing domains hosted on IP addresses such as 101[.]33[.]78[.]145. Interestingly, some pages are originally written in Spanish and translated into English, suggesting reuse of global phishing templates. 
• Stage 3: Fabricated Challan Generation: Users are asked to input details like vehicle number, challan number, or driving license number. Regardless of the input, the system generates a realistic-looking challan, often with a fine amount such as INR 590 and a near-term deadline. This psychological tactic reinforces trust. 
• Stage 4: Financial Data Harvesting: When users proceed to payment, they are directed to a fake payment page that only accepts credit or debit cards. No legitimate payment gateway is used. Instead, sensitive details like CVV, expiry date, and cardholder name are captured directly. Testing revealed that even invalid card entries are accepted, confirming that data is harvested regardless of transaction success. 

Shared Infrastructure and Expanding Threat Landscape 

Investigations revealed that this Android malware campaign and related phishing operations are supported by a shared backend infrastructure. Multiple domains impersonating eChallan, logistics services like DTDC and Delhivery, and financial institutions were hosted on the same IP addresses. 

Over 36 phishing domains linked to RTO Challan scams were identified on a single server. Another IP, 43[.]130[.]12[.]41, hosted additional domains mimicking Parivahan services using deceptive naming patterns such as “parizvaihen[.]icu.”