A sophisticated new cybercrime operation is exploiting the trust of millions of Indian citizens by weaponizing the country’s burgeoning digital public infrastructure. A new report from CYFIRMA reveals that a campaign dubbed “NexusRoute” is systematically impersonating Indian Government Ministry services—specifically the mParivahan and e-Challan platforms—to deploy a potent mix of financial fraud and surveillance malware.
The campaign stands out for its high level of coordination and its abuse of legitimate developer platforms. “The NexusRoute threat campaign represents a highly coordinated and financially motivated Android malware and phishing operation that actively impersonates the Indian Government Ministry and the official mParivahan and e-Challan ecosystem”.
Unlike typical scams that rely solely on fleeting domains, NexusRoute has anchored its infrastructure in the trusted ecosystem of GitHub. Threat actors have flooded the platform with repositories hosting malicious APKs and phishing pages that mimic official “NexGen mParivahan” download portals.
“The campaign distributes malicious APKs through GitHub repositories and GitHub Pages, while simultaneously deploying large clusters of phishing domains,” the report notes. By using mass-registered domains like rtochallan[digits].store, the attackers create a redundant network designed to survive takedowns.
Victims are lured into these traps under the guise of verifying vehicle ownership or paying traffic challans. The phishing portals engineered by the group are designed to steal “mobile numbers, vehicle data, UPI PINs, OTPs, and card details” through fake payment verification flows that demand a token ₹1 payment.
Once a victim is tricked into installing the malicious application, the true danger begins. NexusRoute deploys a highly advanced Android Remote Access Trojan (RAT) that uses native code to hide its tracks.
“Technical analysis reveals a multi-stage, native-backed malware framework featuring dynamic code loading, full obfuscation, BroadcastReceiver-based persistence, SMS hijacking, device fingerprinting, and covert data exfiltration”.
The malware goes to great lengths to remain undetected and persistent on infected devices:
- Deep Persistence: It abuses OEM-specific features and system alerts to maintain long-term access, effectively preventing easy termination.
- Surveillance Suite: The RAT is capable of “SMS interception, SIM profiling, contact theft, call-log harvesting, file access, screenshot capture, microphone activation, and GPS tracking”.
- Anti-Analysis: By using JNI-based native payloads, the core logic is hidden from standard Java analysis tools, significantly complicating reverse engineering efforts.
Perhaps the most intriguing finding is the potential origin of the toolchain. CYFIRMA researchers discovered hardcoded artifacts linking the malware to a commercial Android obfuscation ecosystem known as “Gymkhana Studio.”
An embedded email address, gymkhana.studio@gmail.com, was found within the malware’s crash-reporting routine. OSINT analysis connects this identity to a broader marketplace of “Android obfuscation, APK protection, and spyware tooling,” suggesting the operation is supported by a professionally maintained infrastructure rather than being a low-skill scam.
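The indicators quoted above (an SMS-receiving BroadcastReceiver, JNI native libraries, and the hardcoded crash-reporting address) can be turned into a simple triage check. The following is an added example, not code from CYFIRMA or the report; it assumes the APK has already been unpacked (for instance with apktool) so that the manifest is plain XML, and the manifest, file list and strings below are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicator sets derived from the report: SMS hijacking hooks, native
# (JNI) payloads, and the crash-reporting email reported as an artifact.
SMS_ACTIONS = {"android.provider.Telephony.SMS_RECEIVED"}
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
ARTIFACT_STRINGS = ["gymkhana.studio@gmail.com"]


def triage(manifest_xml: str, file_list: list[str], strings: list[str]) -> dict:
    """Return the indicator categories that fired plus a simple count score."""
    root = ET.fromstring(manifest_xml)
    hits: dict = {}
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    if perms & SMS_PERMISSIONS:
        hits["sms_permissions"] = sorted(perms & SMS_PERMISSIONS)
    # A receiver filtering on SMS_RECEIVED is the hook used for SMS interception.
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if actions & SMS_ACTIONS:
            hits.setdefault("sms_receivers", []).append(rcv.get(ANDROID_NS + "name"))
    # Shared objects under lib/<abi>/ mean part of the logic lives in native code.
    natives = [f for f in file_list if re.match(r"lib/[^/]+/.+\.so$", f)]
    if natives:
        hits["native_libs"] = natives
    # Hardcoded toolchain artifact found anywhere in the extracted strings.
    found = [s for s in ARTIFACT_STRINGS if any(s in blob for blob in strings)]
    if found:
        hits["toolchain_artifacts"] = found
    return {"indicators": hits, "score": len(hits)}


# Constructed sample input (hypothetical package name, not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeparivahan">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".SmsHook" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_FILES = ["classes.dex", "lib/arm64-v8a/libcore.so", "res/layout/main.xml"]
SAMPLE_STRINGS = ["send crash report to gymkhana.studio@gmail.com", "hello"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_FILES, SAMPLE_STRINGS))
```

A score of 4 on the sample means every indicator category fired; in practice the check is a prioritisation aid for analysts, not a verdict on its own.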
The dual threat of financial theft and intrusive surveillance makes NexusRoute a critical risk to national security and public trust. The malware’s ability to automate UPI fraud and capture screen content gives attackers unprecedented control over victim devices.
“OSINT correlation further links the malware toolchain to a broader commercial Android obfuscation and surveillance tooling ecosystem, confirming this as a professionally maintained, large-scale fraud and surveillance infrastructure rather than a low-skill scam operation”.
Security teams and telecom providers are urged to take immediate action to disrupt the C2 infrastructure and take down the hosting repositories.