McAfee Labs has uncovered an active Android phishing campaign targeting users in India, where attackers impersonate a government electricity subsidy program to lure victims into downloading a malicious application. The operation leverages social engineering, fake government websites, and GitHub-hosted malware to steal sensitive financial and personal information.
The campaign exploits the genuine PM Surya Ghar: Muft Bijli Yojana, a solar subsidy scheme launched by the Government of India in February 2024, which offers households significant financial benefits for adopting rooftop solar. Scammers mimic this initiative with fake portals and malicious apps.
According to the report, "Scammers use this subsidy activity to create phishing websites and fake applications, stealing the bank account information of users who want to apply for this subsidy."
The attack unfolds in multiple stages:
- YouTube video lure: Promotional videos promise electricity subsidies and include shortened URLs.
- Phishing website: The link redirects to a fake government-like portal hosted on GitHub.
- Malicious APK: Users are tricked into downloading an APK from GitHub instead of the Google Play Store, under the guise of an official app.
McAfee researchers found that the downloaded APK is only an installer (a dropper): it embeds a second malicious APK that is installed once the first app is launched, and victims are told they are installing a "secure update."
The malicious application, identified as PMMBY, requests excessive permissions, including access to contacts, SMS, call management, and notifications. This lets the malware not only steal personal data but also spread itself by sending phishing SMS messages to the victim's contact list.
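A static triage check for the two traits described above (an installer APK that carries a second APK inside it, and a permission set suited to SMS interception and self-propagation), added here as an illustration and not code from McAfee's report: it opens the APK as a zip archive, flags any entry that is itself an APK (a manifest plus .dex code), and scores the requested permissions against a hand-picked list. The sample APKs and the permission list are constructed inside the script, and the risk list and the "three or more" threshold are my own assumptions; on a real sample you would pass the file bytes and the permission strings printed by `aapt dump permissions` or extracted with androguard.

```python
import io
import zipfile

# Permission strings as they appear in an Android manifest. The risk labels and
# the choice of which permissions count as risky are this example's assumption,
# chosen to match the traits reported for the PMMBY app (SMS, contacts, calls,
# notifications); they are not a McAfee detection rule.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored SMS (OTP/2FA theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (smishing propagation)",
    "android.permission.READ_CONTACTS": "harvest contact list",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.READ_PHONE_STATE": "read phone number / device IDs",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "read all notifications",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs (dropper)",
}

ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens every zip/APK


def find_embedded_apks(apk_bytes: bytes) -> list[str]:
    """Return the names of zip entries inside an APK that are themselves APKs.

    An APK is a zip, so a dropper's payload usually sits in assets/ or res/raw/
    under an innocuous name. We do not trust the extension: an entry counts as
    an APK only if it parses as a zip containing AndroidManifest.xml and a .dex.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or info.file_size < len(ZIP_MAGIC):
                continue
            data = outer.read(info.filename)
            if not data.startswith(ZIP_MAGIC):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    names = inner.namelist()
            except zipfile.BadZipFile:
                continue
            if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
                found.append(info.filename)
    return found


def flag_permissions(permissions: list[str]) -> dict[str, str]:
    """Map each requested permission that is on the risky list to its reason."""
    return {p: RISKY_PERMISSIONS[p] for p in permissions if p in RISKY_PERMISSIONS}


def triage(apk_bytes: bytes, permissions: list[str]) -> dict:
    """Combine both checks. Threshold of three risky permissions is an assumption."""
    embedded = find_embedded_apks(apk_bytes)
    risky = flag_permissions(permissions)
    suspicious = bool(embedded) or len(risky) >= 3
    return {
        "embedded_apks": embedded,
        "risky_permissions": risky,
        "verdict": "suspicious" if suspicious else "no dropper/spyware traits found",
    }


def _build_apk(entries: dict[str, bytes]) -> bytes:
    """Build a minimal zip that stands in for an APK (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples: placeholder manifest and DEX header, not real app code.
_FAKE_DEX = b"dex\n035\x00" + b"\x00" * 16
PAYLOAD_APK = _build_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": _FAKE_DEX})
DROPPER_APK = _build_apk({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": _FAKE_DEX,
    "assets/update.bin": PAYLOAD_APK,  # second APK disguised as a "secure update"
    "res/raw/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
})
CLEAN_APK = _build_apk({"AndroidManifest.xml": b"<manifest/>", "classes.dex": _FAKE_DEX})

# Constructed permission list modelled on the traits reported for PMMBY.
DROPPER_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
]

if __name__ == "__main__":
    print(triage(DROPPER_APK, DROPPER_PERMISSIONS))
    print(triage(CLEAN_APK, ["android.permission.INTERNET"]))
```

The nested-zip check is deliberately content-based rather than extension-based because droppers rename their payload; the permission check is only a heuristic and should be read alongside what the app claims to do, since a legitimate SMS client would trip it too.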
One of the campaignβs most dangerous aspects is its attempt to steal financial credentials through Indiaβs Unified Payments Interface (UPI) system.
The app presents victims with a fake registration requiring a ₹1 payment to generate a subsidy "token." The report explains: "In the stage of 'MAKE PAYMENT of ₹ 1,' victims are asked to use 'UPI-Lite' app to complete the payment. In the 'UPI-Lite' activity, victims enter the bank UPI PIN code."

The "UPI-Lite" screen is not a genuine payment interface but a fraudulent HTML form; once it is submitted, the phone number, banking details, and UPI PIN are uploaded to the attacker's server. A real UPI payment never collects the PIN in a web form, which is the tell-tale sign users and analysts should look for.
Beyond financial theft, the malware also gives attackers persistent remote access. As McAfee highlights, "The malicious app can be remotely controlled using Firebase… and uses the infected device to send smishing messages to the user's contact list."
This enables attackers to issue commands, exfiltrate SMS data (including OTPs and 2FA codes), and propagate further infections across India through SMS phishing campaigns.
McAfee, working with the App Defense Alliance, reported the malicious apps to Google, resulting in the associated Firebase Cloud Messaging (FCM) account being blocked. The GitHub repository hosting the APK and phishing pages was also taken down following McAfee's report.