{"id":127133,"date":"2021-09-03T11:33:11","date_gmt":"2021-09-03T18:33:11","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=127133"},"modified":"2025-06-03T21:34:55","modified_gmt":"2025-06-04T04:34:55","slug":"phishing-android-malware-targets-taxpayers-in-india","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/phishing-android-malware-targets-taxpayers-in-india\/","title":{"rendered":"Phishing\u00a0Android\u00a0Malware\u00a0Targets Taxpayers in\u00a0India"},"content":{"rendered":"

Authored b<\/span>y\u00a0ChanUng\u00a0Pak\u00a0<\/span>\u00a0<\/span><\/p>\n

McAfee\u2019s\u00a0Mobile\u00a0Research team\u00a0recently\u00a0found a new Android malware,\u00a0Elibomi,\u00a0targeting taxpayers in India. The malware\u00a0steals\u00a0sensitive financial and private information\u00a0via phishing by pretending to be\u00a0a tax-filing\u00a0application.\u00a0We have\u00a0identified two main campaigns\u00a0that used\u00a0different fake app themes\u00a0to lure in taxpayers.\u00a0The first campaign\u00a0from\u00a0November 2020\u00a0pretended to be a fake IT certificate application while\u00a0the second campaign,\u00a0first seen in\u00a0May 2021,\u00a0used the fake tax-filing\u00a0theme.\u00a0With this discovery, the McAfee Mobile Research team has been able to update\u00a0McAfee Mobile Security\u00a0so that it\u00a0detects\u00a0this threat\u00a0as Android\/Elibomi\u00a0and\u00a0alerts\u00a0mobile users if this malware is present in their devices.<\/span>\u00a0<\/span><\/p>\n

During our investigation, we found that in the latest campaign the malware is delivered using an SMS text phishing attack. The SMS message pretends to be from the Income Tax Department in India and uses the name of the targeted user to make the SMS phishing attack more credible and increase the chances of infecting the device. The fake app used in this campaign is designed to capture and steal the victim\u2019s sensitive personal and financial information by tricking the user into believing that it is a legitimate tax-filing app.\u00a0<\/span><\/p>\n

We\u00a0also found that\u00a0Elibomi\u00a0exposes\u00a0the\u00a0stolen\u00a0sensitive information to anyone on the Internet. The stolen data includes\u00a0e-mail\u00a0addresses, phone numbers,\u00a0SMS\/MMS messages\u00a0among other\u00a0financial and personal identifiable information.\u00a0McAfee has\u00a0reported the\u00a0servers exposing the data and at the time of\u00a0publication of this blog\u00a0the\u00a0exposed\u00a0information\u00a0is\u00a0no longer available.<\/span>\u00a0<\/span><\/p>\n

Pretending to be an app from the\u00a0Income Tax Department\u00a0in\u00a0India<\/span>\u00a0<\/span><\/h2>\n

The latest and most recent Elibomi campaign uses a fake tax-filing app theme and pretends to be from the Income Tax Department from the Indian government. They even use the original logo to trick the users into installing the app. The package names (unique app identifiers) of these fake apps consist of a random word + another random string + imobile (e.g. \u201cdirect.uujgiq.imobile\u201d and \u201colayan.aznohomqlq.imobile\u201d). As mentioned before this campaign has been active since at least May 2021.<\/span>\u00a0<\/span><\/p>\n

After\u00a0all the required permissions are\u00a0granted,\u00a0Elibomi\u00a0attempts to collect\u00a0personal\u00a0information like\u00a0e-mail\u00a0address,\u00a0phone number and SMS\/MMS messages\u00a0stored in the infected\u00a0device:<\/span>\u00a0<\/span><\/p>\n

Prevention and defense<\/span>\u00a0<\/span><\/h2>\n

Here are our recommendations to avoid being affected by this and other Android threats that use social engineering to convince users to install malware disguised as legitimate apps:<\/span>\u00a0<\/span><\/p>\n