Fake eChallan Android Malware Targets Indian Users Through SMS Fraud and Credential Theft

By Ash K

Indian users are being targeted in a coordinated Android malware campaign that abuses the country’s eChallan ecosystem, using fear, urgency and official-looking transport notices to trick victims into infecting their own phones. The lures arrive as SMS messages or links claiming a pending traffic fine or RTO challan, often warning of penalties or legal action if the recipient fails to act quickly.

What makes the campaign especially effective is how closely it mirrors legitimate public-service workflows. The messages borrow the language of traffic enforcement, mimic familiar government services, and push users toward APK files with names such as RTO Challan.apk, RTO E Challan.apk, and MParivahan.apk. To a hurried user, the file names can appear routine. In reality, they are the first stage of a multi-step compromise.
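One way to turn the lure description above into a check is a small triage routine over message bodies: extract every link, flag direct APK downloads and non-government hosts, and look for the combination of challan wording and deadline or threat wording. This is example code added to this article, not from the reporting it summarises; the message bodies and hosts below are constructed samples, and the rule that a genuine challan notice should only link to .gov.in or .nic.in hosts is this example's own assumption.

```python
"""Heuristic triage of SMS lures of the kind described above.

Example code added to this article; it is not from the reporting it summarises.
The message bodies and hosts below are constructed samples, and the rule that a
genuine challan notice should only link to .gov.in / .nic.in hosts is this
example's own assumption.
"""
import re
from urllib.parse import urlparse, unquote

# Themes and pressure words the lures lean on: a pending fine, an official body, a deadline.
CHALLAN_WORDS = re.compile(
    r"\b(e-?challan|challan|rto|parivahan|traffic\s+(?:fine|violation|penalty))\b", re.I)
URGENCY_WORDS = re.compile(
    r"\b(immediately|within\s+\d+\s+hours?|today|legal\s+action|penalt(?:y|ies)|"
    r"suspend(?:ed)?|last\s+(?:date|warning))\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Assumption: official eChallan / transport notices only link to government domains.
OFFICIAL_SUFFIXES = (".gov.in", ".nic.in")


def classify_url(url):
    """Return (host, is_apk, is_official) for one link."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = unquote(parsed.path).lower()   # "RTO%20Challan.apk" -> "rto challan.apk"
    return host, path.endswith(".apk"), host.endswith(OFFICIAL_SUFFIXES)


def triage_sms(text):
    """Return (verdict, reasons) for one message body.

    verdict is "block" (direct APK download), "suspicious" (challan theme with a
    non-government link, or with threat wording and no official link) or "ok".
    """
    reasons = []
    apk_link = False
    official_link = False
    for url in URL_RE.findall(text):
        host, is_apk, is_official = classify_url(url)
        if is_apk:
            apk_link = True
            reasons.append(f"direct APK download: {url}")
        if is_official:
            official_link = True
        else:
            reasons.append(f"link host is not a government domain: {host}")

    themed = bool(CHALLAN_WORDS.search(text))
    urgent = bool(URGENCY_WORDS.search(text))
    if themed and urgent:
        reasons.append("challan theme combined with deadline/threat wording")

    if apk_link:
        verdict = "block"
    elif themed and (any(r.startswith("link host") for r in reasons)
                     or (urgent and not official_link)):
        verdict = "suspicious"
    else:
        verdict = "ok"
    return verdict, reasons


# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    "RTO Alert: your vehicle has a pending e-challan. Pay within 24 hours to avoid "
    "legal action: http://rto-echallan-pay.example/RTO%20Challan.apk",
    "Traffic violation recorded against your vehicle. View and pay the penalty here: "
    "http://parivahan-echallan.example/pay",
    "Your challan details are available on the official portal: "
    "https://echallan.parivahan.gov.in/",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, reasons = triage_sms(msg)
        print(f"[{verdict}] {msg[:60]}...")
        for r in reasons:
            print("   -", r)
```

The first sample is blocked outright because the link ends in .apk; the second is only suspicious, since it carries the theme and a look-alike host but no file; the third is left alone because its only link is on a government domain. Keyword lists like these are cheap to evade, so the host and APK checks do most of the work.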

How the fake eChallan malware works

The malicious apps do not always carry out the full attack immediately. Instead, researchers describe them as droppers, lightweight first-stage applications designed to appear legitimate while quietly preparing the real payload. Once installed, the app may show a familiar icon or basic interface to avoid suspicion, then prompt the user to install an “update” or grant a series of permissions.

That second step is where the real damage begins. The hidden payload can be installed outside the user’s view and may not appear in the app drawer at all, typically because it declares no launcher activity or disables its icon after the first run. By separating the infection into stages, the attackers make the scam more believable and reduce the chance that victims will recognise the app as malicious before the compromise is complete.

This layered approach also gives the operators flexibility. The same initial lure can be reused with different backend payloads, phishing kits, or infrastructure depending on the target, the device, or the bank and payment services they want to impersonate.

Why the permission requests are so dangerous

Once active, the malware aggressively seeks access to sensitive device functions: SMS permissions, call-related access, background execution rights and, in some cases, the ability to act as the device’s VPN through Android’s VpnService. Individually, some of these requests may not look unusual to non-technical users. Together, they give the attacker an unusually broad view of both the phone and the victim’s online activity.

VPN access is particularly concerning. Once the user accepts the VPN connection prompt, every packet the device sends passes through the app, which can log it, redirect it or drop it. Traffic protected by TLS stays encrypted unless the victim is also tricked into installing an attacker-controlled certificate, but DNS lookups, destination hostnames and any unencrypted app traffic are exposed, and connections to banking or challan sites can be silently redirected to look-alike pages that manipulate what the victim sees. Combined with SMS access, the attackers can capture one-time passwords and other authentication messages in real time.

The result is not just a phishing page or a one-off credential theft attempt. It is a path toward persistent visibility into the user’s communications, transactions and mobile session flow, which can sharply increase the chances of successful financial fraud.
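The permission profile described in this section is visible statically once the APK is unpacked, and so is the "hidden from the app drawer" trick from the dropper section. The routine below scores a decoded AndroidManifest.xml on exactly those markers: the SMS, call, install and persistence permissions, a VpnService or accessibility service declaration, an SMS_RECEIVED receiver, and the absence of any MAIN/LAUNCHER activity. This is example code added to this article, not from the reporting it summarises; it assumes the APK was decoded with `apktool d suspect.apk` (which writes a plain-text manifest), the two manifests and the package names in them are constructed samples, and the risk weights and thresholds are this example's own rough judgement rather than a published scheme.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission profile
described above.

Example code added to this article; it is not from the reporting it summarises.
Assumes `apktool d suspect.apk` has produced a plain-text AndroidManifest.xml.
The manifests below are constructed samples (package names included) and the
risk weights are this example's own judgement, not a published scoring scheme.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """ElementTree attribute key for an android:attr attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)


# What each permission buys an attacker in a challan-themed banking fraud.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": ("intercept incoming SMS, including OTPs", 3),
    "android.permission.READ_SMS": ("read stored SMS", 3),
    "android.permission.SEND_SMS": ("send SMS (propagation, premium-rate fraud)", 2),
    "android.permission.READ_CALL_LOG": ("read call history", 2),
    "android.permission.CALL_PHONE": ("place or redirect calls", 2),
    "android.permission.READ_PHONE_STATE": ("device identity and call state", 1),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("install a second-stage APK (dropper)", 3),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("restart after reboot (persistence)", 1),
    "android.permission.FOREGROUND_SERVICE": ("keep running in the background", 1),
}


def has_launcher_activity(root):
    """True if some activity (or activity-alias) carries a MAIN/LAUNCHER intent filter."""
    for tag in ("activity", "activity-alias"):
        for act in root.iter(tag):
            for flt in act.iter("intent-filter"):
                actions = {x.get(a("name")) for x in flt.iter("action")}
                cats = {x.get(a("name")) for x in flt.iter("category")}
                if ("android.intent.action.MAIN" in actions
                        and "android.intent.category.LAUNCHER" in cats):
                    return True
    return False


def triage_manifest(xml_text):
    """Return {"package", "score", "findings"} for one decoded manifest."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0

    declared = {el.get(a("name")) for el in root.iter("uses-permission")}
    for perm, (why, weight) in RISKY_PERMISSIONS.items():
        if perm in declared:
            findings.append("%s: %s" % (perm, why))
            score += weight

    # A VpnService is bound by the OS via BIND_VPN_SERVICE and the
    # android.net.VpnService action; either marker means the app can route all traffic.
    for svc in root.iter("service"):
        name, perm = svc.get(a("name")), svc.get(a("permission"))
        actions = {x.get(a("name")) for x in svc.iter("action")}
        if perm == "android.permission.BIND_VPN_SERVICE" or "android.net.VpnService" in actions:
            findings.append("service %s: VpnService, can see or redirect all device traffic" % name)
            score += 3
        if perm == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append("service %s: accessibility service, can read and drive other apps" % name)
            score += 3

    # A receiver for SMS_RECEIVED is the usual OTP-theft hook.
    for rcv in root.iter("receiver"):
        actions = {x.get(a("name")) for x in rcv.iter("action")}
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            findings.append("receiver %s: listens for incoming SMS" % rcv.get(a("name")))
            score += 2

    if not has_launcher_activity(root):
        findings.append("no MAIN/LAUNCHER activity: app will not show in the app drawer")
        score += 2

    return {"package": root.get("package"), "score": score, "findings": findings}


def verdict(score):
    """Coarse bucket for a score; thresholds are this example's own choice."""
    if score >= 10:
        return "likely malicious"
    if score >= 4:
        return "review"
    return "low risk"


# Constructed sample: a "challan" app with the profile the article describes.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.rto.challan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="RTO E Challan">
    <activity android:name=".MainActivity"/>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: what a single-purpose fine viewer should look like.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fineviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Fine Viewer">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["score"], verdict(r["score"]))
        for f in r["findings"]:
            print("   -", f)
```

Run it on the manifest apktool writes for a suspect APK. The constructed "challan" sample scores on every marker the article lists, while the single-purpose viewer scores zero; a real dropper may look benign at this stage because the dangerous declarations live in the second-stage APK it installs, so the routine should be run on that payload too.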

From fake challan notice to financial theft

The campaign does not end with malware delivery. Investigators say victims are frequently pushed toward fake RTO or banking payment pages that imitate legitimate portals but do not use trusted payment gateways. These pages are designed to harvest debit card details, login credentials and other data directly from the victim.

That matters because the scam blends technical compromise with classic social engineering. The phone is infected, but the victim is still nudged into typing in the information that enables fraud. In some cases, the attackers can combine stolen credentials with intercepted OTPs and session data, giving them multiple routes to monetise the intrusion.

Indian police reporting in recent months shows how expensive these scams can become. Victims in separate fake challan cases have lost amounts ranging from several lakhs to more than ₹10 lakh, underlining that this is no longer a niche nuisance campaign but a serious financial crime problem.

Image caption: Parivahan branding often impersonated in fake challan and transport scams. Attackers lean on familiar transport-service branding to make fraudulent notices look credible.

A wider infrastructure built for impersonation

The malware campaign appears to sit inside a broader fraud ecosystem rather than operating as a single isolated scam. Investigations have identified shared backend infrastructure hosting numerous phishing domains that impersonate eChallan services, Parivahan-related workflows, and even logistics brands such as DTDC and Delhivery.

That overlap is important. It suggests the operators are not merely targeting vehicle owners at random, but are reusing templates, domains, payment flows and hosting environments across multiple trust-based scams. One day the lure may be a traffic penalty. The next, it may be a courier notification or a transport-services alert.

This kind of modular fraud infrastructure allows threat actors to scale quickly, rotate brands, and adapt their message to what people are most likely to believe. It also makes disruption harder, because taking down one domain or one APK does not necessarily dismantle the whole operation.

Why Indian Android users are being singled out

India presents a highly attractive environment for this kind of attack. Android dominates the smartphone market, APK sideloading remains common enough to be exploitable, and people are increasingly used to receiving official-looking digital notices about payments, deliveries, identity checks and traffic enforcement. Attackers are taking advantage of that familiarity.

The fake eChallan lure works because it creates immediate pressure. Many users may worry that failing to respond could affect their vehicle records, trigger fines, or cause legal trouble. That emotional pressure reduces the chance they will slow down, verify the source, or question why an official service is asking them to install an APK from a link.

It is a reminder that mobile attacks do not always need sophisticated zero-days to succeed. In many cases, believable branding, a well-timed message and a malicious file are enough.

What users and organisations should do now

The most important defence is also the simplest: do not install APK files sent through SMS, WhatsApp, Telegram or unknown links, especially if they claim to be related to traffic challans, transport penalties or urgent payment notices. Legitimate government services do not require users to sideload apps from random links in messages.

Users should verify any challan only through official government portals (the eChallan portal at echallan.parivahan.gov.in) or the official mParivahan app from the Google Play Store, and keep Android’s “Install unknown apps” setting disabled for messaging apps and browsers. If an app that claims only to show a fine or take a payment asks for SMS access, background activity rights, accessibility permissions or a VPN connection, that should be treated as a major red flag, as should a payment page that asks for card details directly rather than handing off to a recognised payment gateway.

For defenders, the campaign is another sign that mobile phishing in India is becoming more coordinated, more modular and more financially motivated. The lures may look local and familiar, but the underlying tradecraft is increasingly mature, blending malware delivery, phishing infrastructure and payment fraud into one seamless trap.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.