
CERT-In Warns of Sophisticated Android Malware Targeting Indian Users via Fake eChallan Alerts


India’s cybersecurity agency, CERT-In, has issued an alert about a new Android malware campaign specifically targeting users across the country. The agency has received multiple reports pointing to a coordinated operation by cybercriminals aimed at stealing sensitive financial and personal information through misleading mobile apps and phishing tactics.

The attack primarily uses fraudulent messages disguised as official eChallan or RTO challan notifications. Victims receive SMS alerts claiming a traffic violation linked to their vehicle, often accompanied by urgent or threatening language about penalties or legal consequences to prompt immediate action.

One commonly reported message states: "Your vehicle challan has been generated. Download the receipt from the link below." These messages include links or attachments that prompt users to download malicious APK files such as “RTO Challan.apk,” “RTO E Challan.apk,” or “MParivahan.apk.”

CERT-In explains that these apps initiate a multi-stage malware infection. After installation, the app appears legitimate by showing up in the app drawer. However, it functions only as a dropper, with the actual malicious payload activated when users click prompts like “Install Update.”

Multi-Stage Malware and Device Compromise

Once triggered, the malware continues to mimic the eChallan theme but becomes hidden from the user by disappearing from the app list. It then aggressively seeks permissions to access SMS, calls, and background processes.

With such extensive access, attackers can maintain long-term control over the device without detection. In certain cases, the malware also requests VPN permissions, allowing cybercriminals to monitor and intercept internet activity. The end objective is financial fraud, achieved through fake interfaces that resemble official RTO or banking pages, tricking users into sharing card details and login credentials.
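The permission profile described above (SMS and call access, a dropper that installs a second payload, a VPN service) is something an analyst can check for statically before an APK is ever run. The following Python script is an added example for this post, not code from CERT-In or the blog: it parses an Android manifest and scores the combination of permissions and services it declares. Both manifests, the package names and the weights are constructed assumptions; the permission and action names are standard Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Constructed manifest (not extracted from any real sample). It mirrors the
# capability profile the advisory describes: SMS and call-log access, the
# ability to install further packages (the dropper stage), boot persistence
# and a VPN service. The package name is a placeholder.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rtochallan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="RTO Challan">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <service android:name=".TunnelService"
                 android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed control: a plain network-only app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="News"/>
</manifest>"""

# Weights are an assumption for this example; tune them against your own telemetry.
PERMISSION_WEIGHTS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.SEND_SMS": 2,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
}
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def profile_manifest(xml_text: str) -> dict:
    """Parse a manifest and score the permission/service combination it declares."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}
    score = sum(PERMISSION_WEIGHTS.get(p, 0) for p in perms)
    findings = [f"requests {p}" for p in sorted(perms) if p in PERMISSION_WEIGHTS]
    # A service guarded by BIND_VPN_SERVICE is what lets an app route and
    # inspect the device's traffic once the user approves the VPN prompt.
    vpn = any(el.get(PERMISSION) == "android.permission.BIND_VPN_SERVICE"
              for el in root.iter("service"))
    if vpn:
        score += 3
        findings.append("declares a VPN service (can route and inspect device traffic)")
    if perms & SMS_PERMS and "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        findings.append("SMS access combined with package installation: dropper plus interception profile")
    verdict = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"package": root.get("package"), "score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for manifest in (DROPPER_MANIFEST, BENIGN_MANIFEST):
        result = profile_manifest(manifest)
        print(result["package"], result["verdict"], result["score"])
        for finding in result["findings"]:
            print("  -", finding)
```

In practice the manifest comes from the decoded APK (the binary `AndroidManifest.xml` must first be converted to text with a decoding tool); the scoring logic stays the same. Hiding from the app list is done at runtime and is not visible in the manifest, so this check complements, rather than replaces, dynamic analysis.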

In addition to malicious apps, researchers from Cyble Research and Intelligence Labs (CRIL) previously identified a rise in browser-based phishing attacks leveraging the eChallan system. These attacks do not require any app installation, making them easier to execute.

Similar to the APK-based approach, victims receive SMS messages with deceptive links. Clicking these links redirects users to cloned websites designed to closely imitate official government portals, complete with logos and branding elements.

At the time of investigation, many of these phishing websites were still active, indicating a sustained and organized campaign rather than isolated attempts.

Anatomy of the Phishing Attack

The browser-based fraud typically follows a structured sequence:
  • Stage 1: SMS Delivery: Users receive messages about unpaid fines, often including threats of legal action. The sender usually appears as a regular mobile number, adding credibility.
  • Stage 2: Fake Portal Redirection: Links lead to phishing sites hosted on suspicious IP addresses like 101[.]33[.]78[.]145. Some pages are originally in Spanish and translated into English, suggesting reuse of global phishing kits.
  • Stage 3: Fabricated Challan Generation: Users are asked to enter details such as vehicle number or license information. Regardless of the input, a realistic challan is generated, often showing a fine (e.g., INR 590) and a near deadline to create urgency.
  • Stage 4: Financial Data Harvesting: Users attempting to pay are redirected to fake payment pages that collect card details such as CVV, expiry date, and cardholder name. Even invalid card data is accepted, confirming that the goal is data theft rather than payment processing.
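The four stages above each leave a tell in the very first SMS: a challan notice from a plain mobile number, pressure language, a link whose host is a raw IP address, or a link that hands out an APK instead of a receipt. The following Python script is an added example, not code from CERT-In, Cyble or the blog: it scores messages against those indicators. The sample messages, sender numbers and hostnames are constructed; the only value taken from the post is the IP 101.33.78.145, and the thresholds are an assumption.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample messages (not real captured traffic). The first two follow
# the lure pattern the post describes; the last two are controls. Sender numbers
# and hostnames are placeholders; 101.33.78.145 is the IP quoted in the post.
SAMPLE_SMS = [
    {"sender": "+919876543210",
     "text": "Your vehicle challan has been generated. Download the receipt "
             "from the link below. http://101.33.78.145/challan/pay"},
    {"sender": "+919812345678",
     "text": "RTO E Challan pending, pay within 24 hours or face legal action "
             "http://update-portal.example/RTO%20Challan.apk"},
    {"sender": "VM-BANKXX",
     "text": "Your OTP for login is 482913. Do not share it with anyone."},
    {"sender": "VD-PRVHAN",
     "text": "Your e-challan is available on the official portal: "
             "https://portal.example.gov.in/echallan"},
]

URL_RE = re.compile(r"https?://\S+", re.I)
THEME_RE = re.compile(
    r"\b(e-?challan|challan|rto|parivahan|traffic (?:violation|fine))\b", re.I)
URGENCY_RE = re.compile(
    r"\b(legal action|penalty|within 24 hours|immediately|court)\b", re.I)
# A bare 10-13 digit sender (rather than an alphanumeric header) is the
# Stage 1 tell the post points out.
MOBILE_SENDER_RE = re.compile(r"^\+?\d{10,13}$")


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_sms(sender: str, text: str) -> dict:
    """Score one message against the Stage 1-4 indicators; returns reasons, score and verdict."""
    reasons = []
    themed = THEME_RE.search(text) is not None
    if themed:
        reasons.append("eChallan/RTO theme")
        if MOBILE_SENDER_RE.match(sender):
            reasons.append("challan notice sent from a plain mobile number")
    if URGENCY_RE.search(text):
        reasons.append("urgency or legal threat")
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if _is_ip_literal(host):
            reasons.append(f"link points at a raw IP host ({host})")
        if parsed.path.lower().endswith(".apk"):
            reasons.append("link delivers an APK instead of a receipt")
    score = len(reasons)
    # Assumed thresholds: one themed indicator alone is only worth a second look.
    verdict = "likely phishing" if score >= 3 else "suspicious" if score >= 1 else "benign"
    return {"sender": sender, "score": score, "verdict": verdict, "reasons": reasons}


def triage_all(messages=SAMPLE_SMS) -> list:
    return [triage_sms(m["sender"], m["text"]) for m in messages]


if __name__ == "__main__":
    for result in triage_all():
        print(f'{result["verdict"]:16} {result["sender"]:14} {result["reasons"]}')
```

The fourth sample shows why the theme alone is not a verdict: a genuine challan notice also mentions a challan, so it lands at "suspicious" rather than "benign", and the remaining signals (sender type, host, file type) are what separate it from the lures.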

Further investigation revealed that both the malware and phishing campaigns rely on shared backend infrastructure. Multiple fraudulent domains impersonating eChallan services, logistics companies like DTDC and Delhivery, and financial institutions were hosted on the same servers.

More than 36 phishing domains linked to RTO challan scams were discovered on a single server. Another IP address, 43[.]130[.]12[.]41, hosted additional domains mimicking Parivahan services using deceptive naming patterns such as “parizvaihen[.]icu.”
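Two defensive steps follow from the infrastructure findings above: turning the defanged indicators in a report back into usable blocklist values, and catching "parizvaihen"-style lookalikes of the real portal name by edit distance instead of exact match. The following Python script is an added example, not code from Cyble or the blog. The indicators are the ones quoted in the post; the brand list, the distance threshold and the hosting records (other than parizvaihen.icu on 43.130.12.41) are constructed assumptions.

```python
import ipaddress

# Indicators quoted (defanged) in the post above.
REPORTED_IOCS = ["101[.]33[.]78[.]145", "43[.]130[.]12[.]41", "parizvaihen[.]icu"]

# Brand labels the campaign impersonates, per the post. Assumption: in
# practice this list lives in configuration alongside the real portal names.
BRAND_LABELS = ("parivahan", "echallan")

# Constructed hosting records (hostname -> IP). parizvaihen.icu on
# 43.130.12.41 follows the post; the other pairings are illustrative only.
CONSTRUCTED_HOSTING = {
    "parizvaihen.icu": "43.130.12.41",
    "rto-challan-pay.example": "101.33.78.145",
    "dtdc-parcel-fee.example": "101.33.78.145",
    "news.example.org": "203.0.113.7",
}


def refang(indicator: str) -> str:
    """Turn a report-style defanged indicator back into a machine-usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_ipv4(value: str) -> bool:
    try:
        return ipaddress.ip_address(value).version == 4
    except ValueError:
        return False


def closest_brand(hostname: str):
    """Compare the label a victim reads as the site name against the known brands."""
    labels = hostname.lower().split(".")
    # Second-level label; a real deployment should use the Public Suffix List
    # so that names under suffixes like gov.in are handled correctly.
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return min((levenshtein(label, brand), brand) for brand in BRAND_LABELS)


def classify(indicator: str) -> dict:
    value = refang(indicator)
    if is_ipv4(value):
        return {"indicator": value, "type": "ipv4", "lookalike_of": None, "distance": None}
    distance, brand = closest_brand(value)
    # Assumed threshold: up to one edit per three brand characters, excluding exact matches.
    lookalike = brand if 0 < distance <= len(brand) // 3 else None
    return {"indicator": value, "type": "domain", "lookalike_of": lookalike, "distance": distance}


def classify_all(indicators=REPORTED_IOCS) -> list:
    return [classify(i) for i in indicators]


def shared_infrastructure(hosting: dict) -> dict:
    """Group hostnames by IP to surface servers hosting more than one lure."""
    by_ip = {}
    for host, ip in hosting.items():
        by_ip.setdefault(ip, []).append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


if __name__ == "__main__":
    for entry in classify_all():
        print(entry)
    print(shared_infrastructure(CONSTRUCTED_HOSTING))
```

The grouping step is the pivot the post describes in reverse: once one lure domain resolves to a server, every other name on that server becomes a candidate for blocking and for checking against your own DNS and proxy logs.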