
Android Malware Campaign Targets Indian Users via Fake eChallan Alerts
Why It Matters
The operation exploits trusted government services to steal personal and financial data, exposing millions of Indian mobile users to fraud and undermining confidence in digital public services.
Key Takeaways
- Fake eChallan SMS prompts malicious APK download
- Malware drops hidden payload, requests SMS and VPN permissions
- Phishing sites clone government portals, harvest card data
- Shared IP infrastructure hosts dozens of scam domains
- Targeted at Indian vehicle owners, financial theft motive
Pulse Analysis
The eChallan‑based scam illustrates how threat actors weaponize everyday civic communications to bypass user skepticism. By masquerading as official traffic‑violation notices, the SMS campaign achieves high click‑through rates, prompting victims to install seemingly innocuous APKs. Once installed, the dropper silently escalates privileges, gaining access to SMS and call logs and even establishing a VPN tunnel to intercept traffic. This level of device control enables persistent credential harvesting and real‑time monitoring of user activity, turning a simple notification into a full‑blown financial intrusion.
Beyond mobile malware, the same social‑engineering playbook extends to browser‑based phishing. Attackers host cloned eChallan portals on shared IP addresses, often reusing global phishing templates translated into English. The fraudulent sites solicit vehicle and personal details before presenting a fabricated payment page that captures card numbers, CVVs, and expiration dates regardless of transaction success. Because no legitimate payment gateway is involved, the harvested data flows directly to criminal back‑ends, fueling card‑not‑present fraud and money‑laundering operations.
The convergence of APK droppers and phishing sites on common infrastructure signals a coordinated threat ecosystem. Shared servers host over three dozen domains impersonating RTO, logistics firms, and even Parivahan services, simplifying command‑and‑control and data exfiltration. For enterprises and consumers alike, the campaign underscores the urgency of robust mobile security hygiene, strict app source verification, and heightened awareness of unsolicited government‑related messages. Organizations should also monitor network traffic for anomalous VPN tunnels and enforce multi‑factor authentication to mitigate the fallout from credential theft.
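As an added defensive example (not code from the original report), the lure-triage logic below scores SMS text for the indicators described above: a challan/RTO/Parivahan theme combined with a link to a non-government host or a direct APK download. The sample messages are constructed, and the allowlist of official hosts is an assumption to be verified against authoritative sources before deployment.

```python
import re
from urllib.parse import urlparse

# Constructed sample SMS lines, not real messages from the campaign.
SAMPLE_SMS = [
    "Your vehicle MH12XX1234 has a pending eChallan of Rs 500. Pay now: http://echallan-parivahan.example/app.apk",
    "Traffic challan notice: download the Vahan app to view http://rto-pay.example/vahan.apk",
    "Your eChallan payment has been received. Ref 12345.",
    "Reminder: view your challan at https://echallan.parivahan.gov.in/",
]

# Assumed allowlist of legitimate government hosts; confirm against official sources.
OFFICIAL_HOSTS = {"echallan.parivahan.gov.in", "parivahan.gov.in", "vahan.parivahan.gov.in"}

# Lure vocabulary matching the campaign's themes (eChallan, RTO, Parivahan).
LURE_KEYWORDS = ("echallan", "challan", "rto", "parivahan", "vahan", "traffic violation")
URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)


def analyse_sms(text: str) -> dict:
    """Return the lure indicators found in one SMS and an overall verdict."""
    lowered = text.lower()
    indicators = []
    if any(keyword in lowered for keyword in LURE_KEYWORDS):
        indicators.append("challan_theme")
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # Any link to a host outside the .gov.in namespace is treated as impersonation risk.
        if host and host not in OFFICIAL_HOSTS and not host.endswith(".gov.in"):
            indicators.append(f"non_government_host:{host}")
        # A direct APK link matches the dropper delivery described in the report.
        if parsed.path.lower().endswith(".apk"):
            indicators.append("apk_download")
    # A government theme alone is normal; combined with a delivery indicator it is a lure.
    suspicious = "challan_theme" in indicators and len(indicators) > 1
    return {"suspicious": suspicious, "indicators": indicators}


def flag_lures(messages: list) -> list:
    """Return only the messages that score as eChallan lures."""
    return [m for m in messages if analyse_sms(m)["suspicious"]]


if __name__ == "__main__":
    for msg in SAMPLE_SMS:
        print(analyse_sms(msg)["suspicious"], msg[:60])
```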