{"id":220163,"date":"2025-08-18T18:39:23","date_gmt":"2025-08-19T01:39:23","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=220163"},"modified":"2025-08-19T08:02:57","modified_gmt":"2025-08-19T15:02:57","slug":"android-malware-promises-energy-subsidy-to-steal-financial-data","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-malware-promises-energy-subsidy-to-steal-financial-data\/","title":{"rendered":"Android Malware Promises Energy Subsidy to Steal Financial Data"},"content":{"rendered":"

Authored by ZePeng Chen<\/p>\n

Recently, we identified an active Android phishing campaign targeting Indian users. The attackers impersonate a government electricity subsidy service to lure victims into installing a malicious app. In addition to stealing financial information, the malicious app also steals text messages, uses the infected device to send smishing messages to user\u2019s contact list, can be remotely controlled using Firebase and phishing website and malware was hosted in GitHub. This attack chain leverages YouTube videos, a fake government-like website, and a GitHub-hosted APK file\u2014forming a well-orchestrated social engineering operation. The campaign involves fake subsidy promises, user data theft, and remote-control functionalities, posing a substantial threat to user privacy and financial security.<\/p>\n

McAfee, as part of the App Defense Alliance committed to protecting users and the app ecosystem, reported the identified malicious apps to Google. As a result, Google blocked the associated FCM account to prevent further abuse. McAfee also reported the GitHub-hosted repository to GitHub Developer Support Team, which took action and already removed it from GitHub. McAfee Mobile Security detects these malicious applications as a high-risk threat. For more information, and to get fully protected, visit McAfee Mobile Security.<\/p>\n

Background<\/h2>\n

The Government of India<\/a> has approved the PM Surya Ghar: Muft Bijli Yojana on 29th February, 2024 to increase the share of solar rooftop capacity and empower residential households to generate their own electricity. The scheme provides for a subsidy of 60% of the solar unit cost for systems up to 2kW capacity and 40 percent of additional system cost for systems between 2 to 3kW capacity. The subsidy has been capped at 3kW capacity. The interested consumer has to register on the National Portal. This has to be done by selecting the state and the electricity distribution company. Scammers use this subsidy activity to create phishing websites and fake applications, stealing the bank account information of users who want to apply for this subsidy.<\/p>\n

Technical Findings<\/h2>\n

Distribution Methods<\/h3>\n

This phishing operation unfolds in multiple stages:<\/p>\n

    \n
  1. YouTube Video Lure<\/strong>: The attackers upload promotional videos claiming users can receive \u201cgovernment electricity subsidies\u201d through a mobile app. A shortened URL is included in the video description to encourage users to click.<\/li>\n<\/ol>\n

    \"\"<\/p>\n

    Figure 1<\/strong>. YouTube video promoting the phishing URL<\/p>\n

     <\/p>\n

    \u00a0 \u00a0 \u00a02. Phishing Website Imitation: <\/strong>The shortened URL redirects to a phishing website hosted on GitHub. it designed to closely resemble an official Indian government portal<\/a>.<\/p>\n

     <\/p>\n

    \"\"<\/p>\n

    Figure 2.<\/strong> Phishing and official website<\/p>\n

    The phishing site has a fake registration process instruction, once the users believe this introduction, they will not have any doubts about the following processes. The phishing site also has a fake Google Play icon, making users believe it’s a Google Play app, but in reality, the icon points to an APK file on GitHub. When victims click the Google Play icon, it will download the APK from GitHub repository instead of accessing Google Play App Store.<\/p>\n

    \u00a0 \u00a0 3. GitHub-Hosted APK and Phishing page<\/strong><\/p>\n

    Both the phishing site source and the APK file are hosted on the same GitHub repository\u2014likely to bypass security detection and appear more legitimate. The repository activity shows that this malicious app has been continuously developed since October 2024, with frequent updates observed in recent weeks.<\/p>\n

     <\/p>\n

    \"\"<\/p>\n

    Figure 3.<\/strong> Malware repository in GitHub<\/p>\n

    Installation without network<\/h2>\n

    The downloaded APK is not the main malicious component. Instead, it contains an embedded APK file at assets\/app.apk, which is the actual malware. The initial APK serves only to install the embedded one. During installation, users are deceived into believing they are installing a \u201csecurity update\u201d and are prompted to disable mobile data or Wi-Fi, likely to reduce the effectiveness of malware detection solutions that use detection technologies in the cloud. But McAfee is still able to detect this threat in offline mode<\/p>\n

     <\/p>\n

    \"\"<\/p>\n

    Figure 4.<\/strong> Install a malicious APK without a network<\/p>\n

    According to the installation instructions, a malicious application will be installed. There are 2 applications that are installed on devices.<\/p>\n