Cybercriminals are running another sophisticated malware campaign that impersonates India’s official “NextGen mParivahan” app, and it combines several of the latest deception and data-theft tactics in a single package.

The threat is a multi-stage attack in which the criminals abuse trust gained through deception to take control of devices and covertly collect private information.

We will walk through the operational steps of this threat and explain why it ranks among the more dangerous mobile threats seen recently.

Stage 1: The Lure—A phishing WhatsApp message

The attack begins with an official-looking traffic violation notice delivered over WhatsApp. These messages are unnervingly persuasive: ticket numbers, vehicle registration details and formal language give the fraudulent message the appearance of legitimacy. The typical recipient reads it as a routine government communication.

The link in the message does not lead to the Google Play Store. It downloads a fraudulent mParivahan APK hosted outside the Play Store that meticulously replicates the official app from India’s Ministry of Road Transport & Highways.

Stage 2: A convincing copy with a dangerous hidden agenda

Once installed, the malicious “NextGen mParivahan” app starts requesting extensive permissions: permission to send SMS messages, access to notifications, permission to install packages, and more.

The malware justifies these requests by pretending to need them for genuine transport services, then uses them for surveillance. Once the permissions are granted, the app hides its launcher icon, a classic bait-and-switch.

It then runs silently in the background, capturing incoming SMS messages and notifications from apps such as WhatsApp and Telegram and harvesting device-level information. It acts as a digital vacuum cleaner, continuously collecting streams of personal data.
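The permission set described above is the quickest triage signal an analyst has. The script below is an added example, not code from the campaign or from any research team: it reads a decoded, text-form AndroidManifest.xml (the kind apktool emits) and flags the combination the write-up describes, namely SMS permissions, a NotificationListenerService binding and REQUEST_INSTALL_PACKAGES. The two manifests at the bottom are constructed for the demonstration, and the package names, class names, descriptions and verdict thresholds are this example’s own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # ElementTree form of android:* attributes

# Capabilities the write-up reports the fake app requesting. The descriptions and the
# verdict rule are this example's own assumptions, not anything taken from the sample.
RISKY_PERMS = {
    "android.permission.SEND_SMS": "send SMS from the victim's number",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS, including bank OTPs",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES": "prompt the user to sideload a second-stage APK",
}
SMS_PERMS = {p for p in RISKY_PERMS if p.endswith("_SMS")}
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def triage_manifest(xml_text):
    """Return (findings, verdict) for a decoded text AndroidManifest.xml (e.g. apktool output)."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    for p in sorted(perms & set(RISKY_PERMS)):
        findings.append(f"{p}: {RISKY_PERMS[p]}")
    # A notification listener is a <service> that only the system may bind, guarded by this permission.
    listener = False
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == LISTENER_PERM:
            listener = True
            findings.append(f"{svc.get(ANDROID + 'name')}: NotificationListenerService, sees every app's notifications")
    sms = bool(perms & SMS_PERMS)
    dropper = "android.permission.REQUEST_INSTALL_PACKAGES" in perms
    if sms and listener and dropper:
        verdict = "SMS/notification stealer with dropper capability"
    elif sms and listener:
        verdict = "SMS/notification stealer"
    elif findings:
        verdict = "review manually"
    else:
        verdict = "no risky capabilities declared"
    return findings, verdict


# Constructed manifests for the demonstration; package and class names are made up.
FAKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.mparivahan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="NextGen mParivahan">
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Benign"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("fake", FAKE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        findings, verdict = triage_manifest(manifest)
        print(f"[{label}] {verdict}")
        for line in findings:
            print("   -", line)
```

The listener check matters more than the SMS permissions on current Android, because a notification listener receives the text of every app’s notifications, including OTPs that apps deliver outside SMS, and its permission is not a runtime permission but a special-access toggle the user is talked into enabling.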

Stage 3: A Trojan horse within another Trojan horse

The technical sophistication of the campaign becomes fully apparent at this stage. The fake app is not an isolated malicious program but a multifunctional dropper: once it has obtained the initial permissions from the victim, it installs further malicious software.

A fake “app update” notification prompts the user to allow installation of apps from unknown sources. That step sideloads the true malicious payload: an APK that performs the primary data-theft functions.

This payload is not a typical malware sample. It is deliberately malformed and uses a compression-method value that standard analysis tools cannot process: Apktool, Jadx, Androguard and the 7-Zip decompressor all fail to open the file.

Why? The APK’s ZIP headers declare an invalid compression-method value (0x1998). Analysis tools reject the file, yet Android 9 and newer install and run the package anyway. On older devices running Android 8.1 the payload simply crashes, while newer phones, which make up the bulk of the user base, remain fully exposed.
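The practical question for an analyst is how to get such a file open at all. The following is an added example, not the campaign’s code or any vendor’s tooling: a minimal ZIP central-directory walker that reports the compression-method field of every entry, and a repair routine that identifies the real codec by trial decoding against the stored size and CRC-32, then writes the correct method back into both the local file header and the central directory. The sample “APK” is constructed in memory from two deflated entries and stamped with 0x1998 to mimic the trick; it is not the real payload, and the exact way the real sample abuses the headers (for instance whether the two header copies disagree) is not something this example claims to reproduce.

```python
import io
import struct
import zipfile
import zlib

EOCD_SIG, CD_SIG = b"PK\x05\x06", b"PK\x01\x02"
ZIP_STORED, ZIP_DEFLATED = 0, 8
BOGUS_METHOD = 0x1998  # the invalid compression-method value reported in the campaign


def _central_entries(data):
    """Walk the central directory: yield (cd_pos, lfh_pos, name, method, crc, csize, usize)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, = struct.unpack_from("<H", data, eocd + 10)
    pos, = struct.unpack_from("<I", data, eocd + 16)
    for _ in range(count):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError(f"bad central-directory signature at offset {pos}")
        method, = struct.unpack_from("<H", data, pos + 10)
        crc, csize, usize = struct.unpack_from("<III", data, pos + 16)
        nlen, xlen, clen = struct.unpack_from("<HHH", data, pos + 28)
        lfh, = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        yield pos, lfh, name, method, crc, csize, usize
        pos += 46 + nlen + xlen + clen


def _entry_bytes(data, lfh, csize):
    """Raw (still compressed) bytes of the entry whose local file header starts at lfh."""
    nlen, xlen = struct.unpack_from("<HH", data, lfh + 26)
    start = lfh + 30 + nlen + xlen
    return data[start:start + csize]


def scan_methods(data):
    """{name: (central-directory method, local-header method)}; anything but 0 or 8 is suspect."""
    out = {}
    for _, lfh, name, method, *_ in _central_entries(data):
        local_method, = struct.unpack_from("<H", data, lfh + 8)
        out[name] = (method, local_method)
    return out


def set_method(data, name, method):
    """Return a copy with the method field of `name` rewritten in both headers (offsets unchanged)."""
    buf = bytearray(data)
    for cd, lfh, n, *_ in _central_entries(data):
        if n == name:
            struct.pack_into("<H", buf, cd + 10, method)
            struct.pack_into("<H", buf, lfh + 8, method)
    return bytes(buf)


def guess_method(raw, crc, usize):
    """Identify the real codec by trial decoding and checking size and CRC-32 from the headers."""
    for method, decode in ((ZIP_STORED, lambda b: b), (ZIP_DEFLATED, lambda b: zlib.decompress(b, -15))):
        try:
            plain = decode(raw)
        except zlib.error:
            continue
        if len(plain) == usize and zlib.crc32(plain) == crc:
            return method
    return None


def repair(data):
    """Rewrite every unrecognised method field to the value that actually decodes the entry."""
    fixed = data
    for _, lfh, name, method, crc, csize, usize in _central_entries(data):
        if method in (ZIP_STORED, ZIP_DEFLATED):
            continue
        real = guess_method(_entry_bytes(data, lfh, csize), crc, usize)
        if real is None:
            raise ValueError(f"{name}: method 0x{method:04x} and the data match no known codec")
        fixed = set_method(fixed, name, real)
    return fixed


def stdlib_can_read(data):
    """True if Python's zipfile extracts every entry; False when it rejects the bogus method."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                zf.read(name)
        return True
    except NotImplementedError:
        return False


def build_sample_apk():
    """Constructed stand-in for an APK with two deflated entries; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example'/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 256)
    return buf.getvalue()


def build_malformed_apk():
    """Reproduce the trick: leave the deflated data alone, stamp 0x1998 into every method field."""
    apk = build_sample_apk()
    for name in scan_methods(apk):
        apk = set_method(apk, name, BOGUS_METHOD)
    return apk


if __name__ == "__main__":
    bad = build_malformed_apk()
    print("before:", scan_methods(bad), "stdlib can read:", stdlib_can_read(bad))
    good = repair(bad)
    print("after: ", scan_methods(good), "stdlib can read:", stdlib_can_read(good))
```

Two caveats worth keeping in mind. The repair only succeeds because the CRC-32 and sizes in the headers are honest; a sample that also lies about those would need the candidate output inspected by hand. And checking both header copies is deliberate: parsers differ in which copy they trust, which is exactly the kind of discrepancy that lets a file run on one Android version and fail on another.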

Stage 4: The app disappears, but the data keeps flowing

Once the dropper has deployed the payload, the app becomes completely invisible. No icon. No launch screen. The phone now hosts an invisible parasite operating silently in the background.

Running covertly on the device, it captures SMS messages and notifications from social-media and e-commerce apps and transmits them to command-and-control servers.

These variants conceal their backend by placing the connection logic in compiled native libraries (.so files). Rather than storing the command-and-control address as a string that static analysis would find, the malware assembles it at runtime through function calls.

This isn’t just clever coding. It is a deliberate design that puts obstacles in the way of digital forensic investigation.

Stage 5: The Takeover—Complete access, no detection

The attacker now has unrestricted access to every aspect of the victim’s digital life. Bank OTPs, private message notifications, purchase updates and login alerts give them everything needed for account hijacking and financial fraud.

The victim remains largely oblivious: no suspicious pop-ups, no battery drain, no app icon to hint at malicious activity. Even a user who goes looking for the app will not find it.

Why this attack is so dangerous

The threat presented by the fake mParivahan app stems from its ability to integrate several tactics into one seamless operation:

  • The social engineering replicates official government communications with unusual precision.
  • The malware uses technical stealth to defeat standard detection and analysis tools.
  • The command-and-control address is generated at runtime, so static analysis never sees it.
  • The threat steals multiple types of data, targeting both SMS messages and notifications from apps such as Google Pay.
  • It relies on Android version-specific behaviour: the malformed payload runs on newer OS versions, which is where most active devices are.

This isn’t just a scam. It reflects contemporary mobile espionage techniques that exploit systemic weaknesses in how people judge trustworthiness and the authenticity of mobile apps.

The crooks aren’t just cloning apps. They’re cloning confidence—and using it against us.