Overview
Traboda CyberLabs has investigated an Android malware campaign that impersonates the PM-KISAN mobile app. The campaign is distributed via messaging apps and uses a convincing fake “Google Play update” flow to trick victims into enabling sideloading and installing a malicious APK. Rather than exploiting an OS vulnerability, the attackers rely on social engineering to gain installation and permission consent.
The threat uses a two-stage design: a lightweight dropper that obtains installation rights and then silently installs a second-stage payload that conducts persistent data collection and exfiltration.
Infection Chain
- Malicious APK delivered via messaging apps – appears as a government/update package.
- Fake update UI – prompts the user to allow installation of unknown apps.
- Two-stage install – dropper installs a secondary payload that uses the same icon/name to avoid detection.
- Permission abuse – the payload requests SMS and phone-state permissions plus background execution privileges.
- Data collection & exfiltration – harvested data (SMS, device & SIM metadata) is transmitted to attacker infrastructure through redundant channels.
- Persistence – the payload registers for manufacturer-specific auto-start and requests battery-optimization exemptions to remain active after reboots and under idle conditions.
Key Technical Findings
Native String Obfuscation & Runtime Decryption
Sensitive configuration strings (e.g., C2 endpoint URLs) are stored encrypted and only decrypted at runtime using a native library. We reverse-engineered the decryption routine offline to extract the full payload configuration.
Dual Exfiltration Channels
The malware uses multiple exfiltration channels so that blocking one does not prevent data leakage. In our controlled analysis we observed both direct HTTP exfiltration and a third-party messaging API used to relay stolen content.
SMS Interception & Forwarding
A broadcast receiver captures inbound SMS messages before the native messaging client can process them. Captured messages are included in exfiltration payloads and—depending on remote configuration—forwarded onward to attacker destinations. This capability directly compromises any authentication processes that rely on SMS-delivered OTPs.
Persistence & Evasion Techniques
The payload adapts to device vendor customizations to register auto-start entries and explicitly requests exemptions from battery management, reducing the likelihood of being killed by the OS. These techniques significantly increase the effort required for cleanup and automated detection.
Risk Assessment
| Factor | Rating | Notes |
|---|---|---|
| Impact on users | High | Direct financial + identity risk |
| Campaign resilience | High | Obfuscation + redundancy |
| Target profile | Broad | Exploits trust in govt branding |
Recommendations
For Individual Users
- Never install APKs received via messaging apps. Install apps only from official app stores.
- Disable the “install unknown apps” setting (or restrict it tightly) and avoid granting it casually.
- Prefer authenticator apps or hardware tokens over SMS-based OTPs wherever possible.
- If an app requests SMS or phone-state permissions unexpectedly, do not grant them – uninstall immediately and perform a device scan.
For IT/Infosec Teams & Enterprises
- Enforce Mobile Device Management (MDM) policies that block or alert on apps that request SMS/phone permissions.
- Detect sudden enrollment of apps requesting background-execution or auto-start privileges and quarantine such devices for inspection.
- Block or monitor known malicious app distribution channels internally (e.g., APK attachments or links shared through messaging apps, where policy allows).
- Educate employees about the risk of sideloading and how to identify fake update prompts.
- Gradually phase out SMS OTPs for sensitive services and adopt stronger MFA solutions.
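Added example (not part of Traboda's report or tooling): a small Python triage script that scans a decoded AndroidManifest.xml (e.g. apktool output) for the permission-and-receiver combination described above (SMS interception, phone-state access, battery-optimization exemption and boot auto-start) and returns a verdict an MDM or analysis pipeline can act on. The permission-to-behaviour mapping and the sample manifest are constructed for illustration and are not indicators from the campaign.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Permissions mapped to the behaviour each enables in the campaign above (assumed mapping).
INDICATORS = {
    "android.permission.RECEIVE_SMS": "sms_intercept",
    "android.permission.READ_SMS": "sms_intercept",
    "android.permission.READ_PHONE_STATE": "device_sim_metadata",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper_install",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "persistence",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence",
}

def triage_manifest(xml_text):
    """Map a decoded AndroidManifest.xml to the behaviours it implies."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    behaviours = {INDICATORS[p] for p in perms if p in INDICATORS}
    # A high-priority SMS_RECEIVED filter is the interception hook (runs before the SMS app).
    sms_priority = None
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            sms_priority = int(flt.get(ANDROID_NS + "priority") or 0)
    # Verdict: SMS hook combined with metadata theft or persistence matches the report.
    hooked = "sms_intercept" in behaviours and sms_priority is not None
    staged = bool({"device_sim_metadata", "persistence"} & behaviours)
    return {
        "behaviours": sorted(behaviours),
        "sms_receiver_priority": sms_priority,
        "verdict": "quarantine" if hooked and staged else "review",
    }

# Constructed sample manifest shaped like the second-stage payload (not a real IOC).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on the constructed manifest and it returns the "quarantine" verdict; a manifest requesting only INTERNET falls through to "review".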
Why this Matters
This campaign is a clear example of threat actors weaponizing user trust in official branding. By impersonating a government program and using a familiar update UX, the attackers successfully bypass technical protection barriers through social engineering. The use of native runtime decryption and redundant exfiltration channels shows operational sophistication and intent to maintain long-term access.
Full Technical Report & Disclosure
This public summary intentionally excludes forensic artefacts and IOCs. The full technical report contains comprehensive analysis and indicators intended for security teams, CERTs, and incident responders. Organizations and researchers who need the IOCs and forensic details can contact our team for secure access and coordination.