A fraudulent version of the government transport app ‘NextGen mParivahan,’ designed to steal sensitive user data, is now circulating widely through WhatsApp, cybersecurity experts warn.
The malicious application masquerades as the Ministry of Road Transport & Highways’ official app but operates as a high-tech Android malware, leveraging deceptive techniques to harvest SMS data, monitor notifications, and steal financial credentials.
The app is largely spread via fake traffic violation notifications, luring users into unknowingly installing the malware.
This development follows previous iterations of malware disguised as government apps, but the current variant introduces advanced obfuscation techniques, multi-stage payload mechanisms, and dynamic command-and-control (C2) servers, complicating detection and analysis while posing a significant threat to Android users.

Advanced Tactics and Capabilities of the Malware
Branded as “NextGen mParivahan,” the malware campaign employs sophisticated methods to evade security systems.
Attackers send victims fake traffic violation messages containing vehicle registration details and ticket numbers to establish credibility.
Unsuspecting users clicking the provided links are redirected to download the malicious app, which falsely claims to offer services like tracking fines and digital access to registration certificates and licenses.
According to the report, upon installation the malware requests SMS and notification-access permissions and hides its icon to avoid detection.
Once permissions are granted, it begins exfiltrating sensitive information, including messages, payment-related SMS, and device details.
A key feature of this variant is its ability to harvest notifications from popular apps such as WhatsApp, Telegram, Facebook, and Google Pay, increasing its data-theft potential.
The latest variant employs two distinct methods for C2 communication:
- Malformed Dropper-Payload Architecture: The app uses a uniquely compressed APK file that bypasses standard Android analysis tools by corrupting core XML files.
- Stealthy Native C2 Extraction: The malware dynamically generates its C2 server information at runtime using custom native libraries (.so files), effectively concealing its operational backend from static analysis tools.

Additionally, stolen data is routed through Firebase databases or attacker-controlled C2 servers, making it accessible to threat actors in real time.
Indicators of Compromise (IOCs)
Malicious URLs:
https[:]//cyberdefensetech[.]cc/
APK Details:
- First Variant (Dropper-Payload):
  - Dropper APK Name: e_challan_report
  - Payload APK Name: parivahan
  - MD5 Checksum: ad4626eff5238ce7c996852659c527bc
- Second Variant (Stealthy Notification Stealer):
  - APK Name: NextGen mParivahan.apk
  - MD5 Checksum: 8bf7ea1c35697967a33c0876df5f30b9
  - Targeted Applications: WhatsApp, Amazon, Facebook, Gmail, Zomato, Google Messages, Telegram
Anti-Analysis Features
The malware deploys several tactics to hamper cybersecurity efforts, including:
- Corrupting APK files to make them incompatible with popular analysis tools like Apktool, Jadx, and 7Zip.
- Using dynamic payload execution to operate seamlessly on Android 9+ devices while failing on earlier versions (e.g., Android 8.1).
- Requesting sensitive permissions like RECEIVE_SMS, READ_SMS, QUERY_ALL_PACKAGES, and REQUEST_INSTALL_PACKAGES to enable advanced data exfiltration.
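As an added defender-side example (not code from the report or from the app itself), a Python triage helper that applies the indicators above to an APK: it checks the file's MD5 against the two published hashes, treats a manifest that standard ZIP tooling cannot read as the anti-analysis signal described here, lists bundled native .so libraries, and flags the SMS permission set when it is combined with notification, install or package-query permissions. BIND_NOTIFICATION_LISTENER_SERVICE is an assumption not named in the report, and build_sample_apk constructs a stand-in APK for offline testing.

```python
import hashlib
import io
import zipfile

# Permission names quoted in the report. BIND_NOTIFICATION_LISTENER_SERVICE is an
# assumption: it is what a notification-harvesting service must declare.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
ESCALATION_PERMS = {"android.permission.QUERY_ALL_PACKAGES",
                    "android.permission.REQUEST_INSTALL_PACKAGES",
                    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}
KNOWN_BAD_MD5 = {"ad4626eff5238ce7c996852659c527bc",  # MD5s from the IOC section
                 "8bf7ea1c35697967a33c0876df5f30b9"}

def triage_apk(apk_bytes: bytes) -> dict:
    """Return a record whose 'verdict' is 'malicious', 'suspicious' or 'clean'."""
    rec = {"verdict": "clean", "reason": "", "permissions": set(), "native_libs": []}
    if hashlib.md5(apk_bytes).hexdigest() in KNOWN_BAD_MD5:
        return dict(rec, verdict="malicious", reason="MD5 matches published IOC")
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
            rec["native_libs"] = [n for n in z.namelist()
                                  if n.startswith("lib/") and n.endswith(".so")]
            manifest = z.read("AndroidManifest.xml")  # raises on CRC mismatch
    except (zipfile.BadZipFile, KeyError) as exc:
        # A manifest that standard tooling cannot read is itself a signal here.
        return dict(rec, verdict="suspicious", reason=f"manifest unreadable: {exc}")
    # AXML keeps strings in a UTF-8 or UTF-16LE pool, so a byte search finds permission names.
    for perm in SMS_PERMS | ESCALATION_PERMS:
        if perm.encode() in manifest or perm.encode("utf-16-le") in manifest:
            rec["permissions"].add(perm)
    if rec["permissions"] & SMS_PERMS and rec["permissions"] & ESCALATION_PERMS:
        rec.update(verdict="suspicious", reason="SMS access combined with "
                   "notification/install/package-query permissions")
    return rec

def build_sample_apk(permissions, corrupt_manifest=False) -> bytes:
    """Constructed APK stand-in: text manifest (real APKs use binary AXML), optionally CRC-damaged."""
    name = "AndroidManifest.xml"
    xml = "<manifest>" + "".join(f'<uses-permission android:name="{p}"/>'
                                 for p in sorted(permissions)) + "</manifest>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr(name, xml)
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF placeholder")
    data = bytearray(buf.getvalue())
    if corrupt_manifest:  # first local header is 30 bytes, then the name, then data
        data[30 + len(name)] ^= 0xFF
    return bytes(data)
```

On a real sample, pass the APK's bytes to triage_apk; the manifest byte search is a heuristic and a full AXML decoder should confirm any hit.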
To protect against this emerging threat, users should adhere to strict cybersecurity practices:
- Only download applications from official and trusted sources like the Google Play Store.
- Avoid clicking on links received via SMS or social media, even if they appear legitimate.
- Carefully review permission requests before granting access, especially for SMS and notifications.
- Use robust mobile antivirus software (e.g., Quick Heal Mobile Security) to detect and block malicious applications.
The rise of this malicious ‘mParivahan’ clone highlights the increasing sophistication of Android malware campaigns.
By exploiting official app rebranding and employing cutting-edge obfuscation techniques, cybercriminals continue to stay ahead of traditional security measures, posing severe privacy and financial risks to users.
Staying vigilant, practicing secure mobile habits, and utilizing modern cybersecurity tools remain crucial in mitigating such threats.