McAfee Labs has uncovered an active Android phishing campaign targeting users in India, where attackers impersonate a government electricity subsidy program to lure victims into downloading a malicious application. The operation leverages social engineering, fake government websites, and GitHub-hosted malware to steal sensitive financial and personal information.
The campaign exploits the genuine PM Surya Ghar: Muft Bijli Yojana, a solar subsidy scheme launched by the Government of India in February 2024, which offers households significant financial benefits for adopting rooftop solar. Scammers mimic this initiative with fake portals and malicious apps.
According to the report, “Scammers use this subsidy activity to create phishing websites and fake applications, stealing the bank account information of users who want to apply for this subsidy.”
The attack unfolds in multiple stages:
- YouTube Video Lure – Promotional videos promise electricity subsidies and include shortened URLs.
- Phishing Website – The link redirects to a fake government-like portal hosted on GitHub.
- Malicious APK – Users are tricked into downloading an APK from GitHub instead of the Google Play Store, under the guise of an official app.
McAfee researchers found that the downloaded APK itself is only an installer, embedding a second malicious APK that deploys once the first app is launched. Victims are deceived into believing they are installing a “secure update.”
The malicious application, identified as PMMBY, requests excessive permissions, including access to contacts, SMS, call management, and notifications. This enables the malware to not only steal personal data but also spread itself by sending phishing SMS messages from the victim’s contact list.
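The two traits described above, an installer that carries a second APK and a payload declaring contacts, SMS, call and notification permissions, can be checked in a static triage pass. The helper below is an added example for this article, not McAfee's tooling; the permission threshold set, the UTF-16LE string-pool heuristic in place of a full binary-XML parser, and the in-memory sample archives are all constructed assumptions.

```python
import io
import zipfile

# Triage threshold (an assumption, not McAfee's logic): contacts, SMS, calls, notifications.
RISKY_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE", "android.permission.ANSWER_PHONE_CALLS",
    "android.permission.POST_NOTIFICATIONS",
}

def permissions_in_manifest(manifest: bytes) -> set:
    """Heuristic: binary AndroidManifest.xml keeps its string pool in UTF-16LE or UTF-8."""
    return {p for p in RISKY_PERMISSIONS
            if p.encode("utf-16-le") in manifest or p.encode() in manifest}

def is_apk(data: bytes) -> bool:
    """An APK is a zip archive with AndroidManifest.xml at its root."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "AndroidManifest.xml" in z.namelist()
    except zipfile.BadZipFile:
        return False

def triage_apk(data: bytes) -> dict:
    """List APKs nested inside this one and risky permissions from every manifest found."""
    result = {"embedded_apks": [], "risky_permissions": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            member = z.read(name)
            if name == "AndroidManifest.xml":
                result["risky_permissions"] |= permissions_in_manifest(member)
            elif is_apk(member):  # a second APK shipped as an asset: the installer pattern
                result["embedded_apks"].append(name)
                result["risky_permissions"] |= triage_apk(member)["risky_permissions"]
    return result

def make_apk(perms, assets=None) -> bytes:
    """Constructed sample APK: a fake UTF-16LE manifest plus optional asset files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "\0".join(perms).encode("utf-16-le"))
        for path, blob in (assets or {}).items():
            z.writestr(path, blob)
    return buf.getvalue()

def sample_dropper() -> bytes:
    """Constructed dropper: a benign-looking installer carrying the real payload as an asset."""
    payload = make_apk(["android.permission.READ_CONTACTS",
                        "android.permission.SEND_SMS", "android.permission.READ_SMS"])
    return make_apk(["android.permission.INTERNET"], {"assets/update.apk": payload})
```

On a real sample the outer manifest often looks harmless, so the permissions that matter are the ones surfaced from the embedded APK.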
One of the campaign’s most dangerous aspects is its attempt to steal financial credentials through India’s Unified Payments Interface (UPI) system.
The app presents victims with a fake registration requiring a ₹1 payment to generate a subsidy “token.” The report explains: “In the stage of ‘MAKE PAYMENT of ₹ 1,’ victims are asked to use ‘UPI-Lite’ app to complete the payment. In the ‘UPI-Lite’ activity, victims enter the bank UPI PIN code.”
This UPI credential theft is executed through a fraudulent HTML form, and once entered, the phone number, banking details, and UPI PIN are uploaded to the attacker’s server.
Beyond financial theft, the malware also gives attackers persistent remote access. As McAfee highlights, “The malicious app can be remotely controlled using Firebase… and uses the infected device to send smishing messages to the user’s contact list.”
This enables attackers to issue commands, exfiltrate SMS data (including OTPs and 2FA codes), and propagate further infections across India through SMS phishing campaigns.
McAfee, working with the App Defense Alliance, reported the malicious apps to Google, resulting in the associated Firebase Cloud Messaging (FCM) account being blocked. The GitHub repository hosting the APK and phishing pages was also taken down following McAfee’s report.