When an Ahmedabad-based microbiologist received a WhatsApp message offering an easy way to pay a traffic challan via an app, she was initially deceived by its authenticity. The message included her vehicle number, which seemed legitimate. However, she couldn't install the 'Vahan Parivahan' app due to her phone’s security measures and later realized it was not government-authorized. Unfortunately, many victims aren’t as fortunate.
Cybersecurity experts warn that installing such rogue apps can have severe consequences. Once installed, these apps often require users to set them as their default messaging application. If the user refuses to grant access to their contacts, messages, and internet, the malware won’t function.
A recent report by Bengaluru-based CloudSEK revealed that a malicious app named Maorrisbot was installed on 4,451 devices. This app secretly forwards stolen contacts, SMS messages, and device information to a Telegram bot controlled by the attackers. The report indicated that transactions worth ₹16,31,000 have already been carried out using this app.
Once the device is compromised, attackers can intercept OTPs (One-Time Passwords) sent to the victim's phone. These OTPs allow them to access e-commerce and payment apps, check for saved credit or debit card details, and make unauthorized purchases, such as Apple gift cards, which are then converted to cash in the attackers’ accounts.
Delhi-based cybersecurity consultant Nand Kishore explained that these malware-ridden apps offer hackers a continuous connection to the victim’s phone, providing insights into their calls, purchases, and other online activities. This persistent access can also extend to Wi-Fi networks, potentially compromising other devices connected to the same network.
This type of scam is known as the “APK scam” and is a variant of smishing. Smishing, or SMS phishing, involves deceptive text messages designed to trick users into revealing personal information or installing malicious apps. Smishing attacks not only target financial information but also aim to collect large-scale data, which can be exploited by nation-state actors for various purposes.
