Hey everyone! 👋 So, I was researching the latest online scams and came across a really sneaky one. Cybersecurity experts at McAfee recently uncovered a sophisticated Android malware campaign specifically targeting people in India [1]. It’s a classic case of scammers using a current, relevant government program to trick people.
Let’s break down how this scam works, why it’s so effective, and most importantly, how you can avoid it.
What’s the Hook? A Free Energy Subsidy
The Indian government launched the PM Surya Ghar: Muft Bijli Yojana scheme to help families install solar panels. It’s a legit and awesome initiative. Scammers, however, saw it as a perfect opportunity.
They created fake promotional videos on YouTube claiming users could get a “government electricity subsidy” or even “300 free units every month” just by downloading a mobile app. The videos included a link, often shortened, to make it seem less suspicious [1].
The Trap: A Multi-Stage Con Operation
This isn’t just a simple fake app; it’s a well-planned, multi-step process designed to gain your trust.
- The Fake Government Portal: The YouTube link doesn’t go straight to an app. It goes to a professional-looking phishing website hosted on—wait for it—GitHub! The site is designed to look exactly like an official Indian government portal, complete with logos and instructions. This builds credibility [1].
- The Bait and Switch: On this fake site, there’s a button that looks exactly like the Google Play Store icon. You’d think it would take you to a safe app store, right? Nope. Clicking it downloads a malicious APK file directly from GitHub. By hosting everything on a trusted platform like GitHub, the scammers bypass initial security suspicions [1].
The Deceptive Installation: “Please Disable Your Internet”
This is where it gets really clever. The initially downloaded APK isn’t even the main malware. It’s a “dropper” app.
- When you open it, it asks you to install a “Security Update.”
- Crucially, it instructs you to turn off your mobile data or Wi-Fi to install it. Why? Because this prevents real-time, cloud-based antivirus scanners from detecting the malicious payload it’s about to install. A huge red flag! [1]
- Once installed, you’ll see two apps: one named “PMBY” (the installer) and the real malware named “PMMBY” disguised as a “Secure Update” [1].
What Does the Malware Do? A LOT of Damage.
Once you grant it aggressive permissions (which it asks for immediately), the malware gets to work [1]:
- Steals Your Bank Credentials (UPI PIN): It shows a fake registration form, asking for your phone number and a ₹1 payment to “generate a token.” It then loads a fake UPI payment page to steal your bank details and, most critically, your UPI PIN. With this, attackers can directly drain your account [1].
- Reads Your SMS Messages: This is how they bypass two-factor authentication (2FA). They can read the OTP codes your bank sends you [1].
- Spams Your Contacts: The malware accesses your contact list and sends the same phishing SMS to everyone you know, helping the scam spread virally [1].
- Remote Controlled via Firebase: Attackers use Firebase Cloud Messaging (FCM)—a legitimate Google service for sending app notifications—to send remote commands to the infected phone. This allows them to control the malware long after it’s installed without needing to update the app [1][3].
This Isn’t an Isolated Incident
My research shows this is part of a bigger trend. Other recent campaigns have mimicked popular Indian banking apps like SBI Card and Axis Bank to steal data and even secretly mine cryptocurrency on victims’ phones [2]. Another widespread scam uses fake messages from India Post about a waiting package to steal financial information [7]. It seems Indian mobile users are a prime target right now.
How to Protect Yourself: Digital Street Smarts
You don’t need to be a tech expert to stay safe. Just follow these rules:
- Never Download APKs from Unknown Websites. Only install apps from the official Google Play Store. It’s not perfect, but it’s your best defense.
- Be Extremely Wary of Apps Asking to Disable Internet. No legitimate security update will ever ask you to go offline to install.
- Scrutinize App Permissions. If a simple “subsidy” app asks for permission to read your SMS, contacts, or make calls, that’s a massive red flag. Just say no.
- Don’t Trust YouTube or Social Media Links Blindly. Scammers use these platforms heavily for distribution. Always verify information through official government or company websites.
- Use a Reputable Mobile Security App. Products like McAfee Mobile Security can detect these malicious apps even when they try to hide, providing a crucial safety net [1].
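If you like to check things yourself before installing, here’s a small Python triage script I put together (my own example, not code from McAfee’s write-up) that scores a decoded AndroidManifest.xml for exactly the combination described above: SMS/contacts/install permissions plus a Firebase Cloud Messaging receiver. It assumes you’ve already extracted the manifest as plain XML (e.g. with apktool); the sample manifest and its package name are constructed for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a "subsidy" app has no business requesting, mapped to the
# capability each one would give the malware on the victim's phone.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_SMS": "read bank OTP / 2FA codes",
    "android.permission.RECEIVE_SMS": "intercept incoming OTP SMS",
    "android.permission.SEND_SMS": "spam phishing SMS to the contact list",
    "android.permission.READ_CONTACTS": "harvest contacts for spreading",
    "android.permission.CALL_PHONE": "place calls without the user",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper: install a second APK",
}
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"  # intent action an FCM receiver service registers


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml against the behaviours described in the post."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    findings = {p: why for p, why in SUSPICIOUS_PERMISSIONS.items() if p in requested}
    # An FCM service is legitimate on its own; combined with SMS/contacts access
    # it matches the remote-control pattern (commands pushed via Firebase).
    uses_fcm = any(el.get(ANDROID_NS + "name") == FCM_ACTION for el in root.iter("action"))
    if len(findings) >= 2:
        verdict = "high"
    elif findings:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "findings": findings, "uses_fcm": uses_fcm, "verdict": verdict}


# Constructed sample manifest (not a real sample from the campaign); package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.subsidyapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".PushService" android:exported="false">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], "->", report["verdict"])
    for perm, why in report["findings"].items():
        print(f"  {perm}: {why}")
    if report["uses_fcm"]:
        print("  FCM receiver present: check what commands it handles")
```

A "high" verdict on a supposed subsidy app is the same signal the post describes in plain words: the app wants to read your OTPs and message your contacts, so don’t install it.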
The Bottom Line
This “energy subsidy” scam is a dangerous reminder of how cybercriminals exploit trust in government programs and reputable platforms like YouTube and GitHub. They use social engineering to trick you into letting them in.
Stay skeptical, double-check sources, and never rush into installing an app, especially when it promises money or deals that seem too good to be true (because they almost always are!).
Hope this was helpful! Stay safe out there.