Impersonation at Scale: Android Malware Masquerading as Government Services

Threat Details

This threat involves a set of malicious Android applications that disguise themselves as official government service apps. These apps claim to provide access to public services such as agricultural subsidies, vehicle registration details, traffic challans, electricity benefits, or other welfare-related schemes.

The malware is distributed outside the Google Play Store and relies on convincing users to install it manually. Once installed, it abuses Android permissions to gain access to SMS messages, contacts, notifications, and device information. The stolen data is then sent to attacker-controlled servers and is often used for financial fraud, account takeovers, and spreading the malware further.

This threat does not rely on software vulnerabilities. It works because users trust the branding and follow the instructions provided by the fake portals.


Overview and Summary

In simple terms, this malware pretends to be a government helper app but functions as a silent surveillance and fraud tool.

After installation, the app runs in the background, often hiding its icon so the user forgets about it. It continuously watches incoming messages, especially OTPs and banking alerts, and sends that information to the attacker. The infected phone is also used as a distribution channel by sending phishing messages to contacts directly from the victim’s number.

Multiple security vendors have observed the same techniques repeated across different campaigns, showing that this is a well-established attack model rather than an isolated incident.


How the Infection Happens (Detailed Flow)

1. Initial Lure

The attack starts with a message or post that looks official and urgent. Common delivery channels include:

  • WhatsApp messages
  • SMS
  • Social media posts
  • YouTube video descriptions or comments

The message typically promises a benefit or warns of a penalty, encouraging quick action.

Links are usually passed through URL shorteners to hide their real destination.


2. Fake Government Website or Landing Page

The link leads to a website that closely resembles a real government portal. These pages often use:

  • Official-looking logos
  • Government-style language
  • Fake testimonials or notices

The page instructs the user to download an app to continue.


3. Sideloaded APK Installation

Instead of redirecting to the Play Store, the site provides a direct APK download. The user is guided step by step to enable “Install unknown apps” in Android settings.

This is a critical moment where Android warns the user, but the instructions on the page make it appear safe and necessary.


4. Dropper Technique (Two-Stage Installation)

The first APK installed is not the main malware. It acts as a dropper.

Inside this APK is another APK, typically located in the assets folder (for example, assets/app.apk). Once launched, the first app installs the second one automatically.

This approach helps the malware:

  • Avoid simple detection
  • Hide its real functionality
  • Delay malicious behavior until installation is complete
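A static check for this dropper layout, added here as an example rather than tooling from the original post: it builds a constructed two-stage APK in memory (a zip inside a zip, mimicking the assets/app.apk pattern described above) and then scans the outer archive's assets/ entries for anything that is itself an APK, whatever its file extension. The entry names, the res/raw/ path and the sample contents are assumptions.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"

def build_sample_dropper() -> bytes:
    """Constructed two-stage sample: an outer 'dropper' APK whose assets/
    folder carries a second, complete APK. Both are minimal zips, not real
    builds; entry names are assumptions for this example."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:              # the hidden payload
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:              # the dropper
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("assets/app.apk", inner.getvalue())  # embedded second stage
        z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")  # benign asset
    return outer.getvalue()

def find_embedded_apks(apk_bytes: bytes) -> list:
    """Return names of assets/ or res/raw/ entries that are themselves APKs:
    zip magic at offset 0 and an AndroidManifest.xml inside. The file
    extension is deliberately ignored, since a payload renamed to .bin or
    .dat would otherwise slip past a filename-only check."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or not info.filename.startswith(("assets/", "res/raw/")):
                continue
            data = outer.read(info)
            if not data.startswith(ZIP_MAGIC):
                continue                                  # not a zip, skip
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if "AndroidManifest.xml" in inner.namelist():
                        hits.append(info.filename)
            except zipfile.BadZipFile:
                pass                                      # zip magic but corrupt
    return hits

if __name__ == "__main__":
    print(find_embedded_apks(build_sample_dropper()))    # ['assets/app.apk']
```

Run the same function over a real sample by passing the APK's bytes; a non-empty result is the dropper indicator listed under Application-Level IOCs below.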

5. Permission Abuse

After installation, the malware requests permissions that give it extensive control:

  • Read SMS
  • Send SMS
  • Read contacts
  • Notification access
  • Sometimes overlay permissions or VPN access

These permissions allow the malware to intercept sensitive information and act without the user’s knowledge.


6. Stealth Operation

Once permissions are granted:

  • The app may remove its icon from the launcher
  • It runs continuously in the background
  • The user may believe the app is inactive or uninstalled

Despite this, the malware remains fully functional.


Malicious Activity on an Infected Device

After setup, the malware performs the following actions:

  • Monitors all incoming SMS messages in real time
  • Reads existing SMS messages stored on the device
  • Extracts OTPs, UPI verification codes, and banking alerts
  • Collects contact lists and basic device information
  • Sends collected data to remote servers using HTTP or HTTPS POST requests
  • Uses the infected device to send phishing messages to contacts
  • Displays fake payment or verification screens to collect credentials
  • Communicates with attackers using Firebase Cloud Messaging for remote control

Indicators of Compromise (IOCs)

Application-Level IOCs

  • App installed from outside the Google Play Store
  • App claims to represent a government service but lacks verified publisher details
  • Requests the following permissions together:
    • READ_SMS
    • SEND_SMS
    • READ_CONTACTS
    • Notification access
  • App icon disappears shortly after installation
  • Presence of a second APK embedded inside the first APK (dropper behavior)
  • App requests permission to disable battery optimization or run in background indefinitely

Network-Level IOCs

  • Outbound HTTP or HTTPS POST requests containing SMS-related fields such as:
    • Message
    • senderNum
    • phone
    • deviceId
    • smsdata
  • Communication with dynamically hosted domains or developer platforms
  • Use of URL shorteners during the infection chain
  • Repeated small data uploads at regular intervals
  • Firebase Cloud Messaging traffic originating from unknown or untrusted apps
  • Requests to paths commonly seen in campaigns, such as:
    • /addsm.php
    • /addup.php
    • /gate.html
    • /upload.php

Device and User Behavior IOCs

  • Sudden increase in SMS messages sent from the device
  • Contacts reporting suspicious or unexpected messages
  • Unexplained mobile data usage
  • Increased battery drain without visible foreground apps
  • Delays or failures in receiving legitimate OTP messages
  • Banking alerts indicating login attempts or transactions the user did not initiate

How This Threat Can Be Detected

Device / EDR / MDM Detection

  • Alert on any app installed via sideloading
  • Flag apps requesting SMS and contact permissions shortly after installation
  • Monitor notification access grants
  • Detect apps that hide or remove their launcher icon
  • Identify apps that install additional APKs at runtime
  • Monitor background services that persist after user interaction ends

Network / SIEM Detection

  • Detect outbound POST requests with SMS or contact-related parameters
  • Monitor connections to short-lived or free hosting services
  • Correlate suspicious network activity with recent app installations
  • Flag devices that combine Firebase messaging traffic with suspicious permissions
  • Detect abnormal SMS sending patterns at the network or carrier level

Detection Logic

A device should be investigated when:

  • An app is installed outside the Play Store
  • The app immediately requests SMS, contact, and notification permissions
  • The device starts sending SMS messages without user interaction
  • The device uploads data to unknown servers shortly after installation

When these behaviors appear together, the likelihood of malware is high.
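The following is an added example (not part of the original post) that turns this detection logic and the Network-Level IOCs above into a correlation rule run over constructed MDM/EDR-style telemetry: each sideloaded install is checked, within a time window, for the risky permission set, unattended SMS sending, and POSTs to non-allowlisted hosts whose path or form fields match the SMS-exfiltration patterns. The package names, hosts, the allowlist, the event schema and the 600-second window are assumptions.

```python
from urllib.parse import urlparse
SMS_FIELDS = {"message", "sendernum", "phone", "deviceid", "smsdata"}
CAMPAIGN_PATHS = {"/addsm.php", "/addup.php", "/gate.html", "/upload.php"}
RISKY_PERMS = {"READ_SMS", "SEND_SMS", "READ_CONTACTS", "NOTIFICATION_ACCESS"}
TRUSTED_HOSTS = {"api.example.com"}  # assumed allowlist of known-good backends
WINDOW = 600                          # seconds after install; assumed tuning value

# Constructed telemetry rows (ts, device, package, event, detail); "post" detail is (url, fields).
EVENTS = [
    (0,  "A", "gov.helper.fake", "install", "sideload"),
    (20, "A", "gov.helper.fake", "perm",    "READ_SMS"),
    (21, "A", "gov.helper.fake", "perm",    "SEND_SMS"),
    (22, "A", "gov.helper.fake", "perm",    "READ_CONTACTS"),
    (25, "A", "gov.helper.fake", "perm",    "NOTIFICATION_ACCESS"),
    (90, "A", "gov.helper.fake", "sms_out", "background"),
    (95, "A", "gov.helper.fake", "post",    ("http://198.51.100.7/addsm.php", ["senderNum", "Message"])),
    (0,  "B", "com.example.news", "install", "play"),
]

def suspicious_post(url: str, fields: list) -> bool:
    """Network IOC: POST to a non-allowlisted host with a campaign path or SMS-style fields."""
    u = urlparse(url)
    if u.hostname in TRUSTED_HOSTS:
        return False
    return u.path in CAMPAIGN_PATHS or bool({f.lower() for f in fields} & SMS_FIELDS)

def evaluate(events: list) -> dict:
    """Per sideloaded install, collect the detection-logic signals seen within WINDOW seconds."""
    report = {}
    for ts0, dev, pkg, kind, detail in events:
        if kind != "install" or detail == "play":
            continue
        signals, perms = {"sideload"}, set()
        for ts, d, p, k, det in events:
            if (d, p) != (dev, pkg) or not ts0 <= ts <= ts0 + WINDOW:
                continue
            if k == "perm":
                perms.add(det)
            elif k == "sms_out" and det == "background":
                signals.add("unattended_sms")    # SMS sent with no user interaction
            elif k == "post" and suspicious_post(*det):
                signals.add("exfil_post")        # upload to an unknown server
        if RISKY_PERMS <= perms:
            signals.add("risky_perms")           # SMS + contacts + notification access
        report[(dev, pkg)] = signals
    return report

def should_investigate(signals: set) -> bool:
    return {"sideload", "risky_perms", "unattended_sms", "exfil_post"} <= signals  # all four together
```

Partial matches stay visible in the returned signal sets, so an analyst can lower the threshold (for example, sideload plus any two other signals) if the full combination proves too strict for their fleet.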


Incident Response

If a device is suspected to be infected:

  1. Isolate the device from mobile data and Wi-Fi
  2. Identify and uninstall the suspicious application
  3. Revoke SMS, contact, and notification permissions
  4. Review SMS logs and transaction alerts
  5. Advise the user to reset banking, UPI, and account credentials
  6. Notify contacts who may have received phishing messages
  7. Block related indicators across security tools
  8. Report the incident to the appropriate national CERT or authority

Final Takeaway

This malware succeeds because it targets trust and urgency, not technical weaknesses. It exploits familiar government branding and relies on users following instructions without questioning them.

The most reliable defense is a combination of:

  • Restricting sideloaded apps
  • Monitoring permission abuse
  • Detecting abnormal behavior instead of relying only on known domains
  • Educating users about fake government applications

With proper controls and awareness, this type of threat can be detected early and contained before serious damage occurs.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.