New Variant of ‘NextGen mParivahan’ Malware Escalates Android Privacy Risks


The NextGen mParivahan malware is an Android information stealer that has resurfaced with enhanced capabilities. It impersonates the legitimate government application NextGen mParivahan and relies on users' trust in official services to get itself installed. It targets Indian users with fake traffic violation notifications that appear to come from the Ministry of Road Transport & Highways and carry a link to the malicious app. Once installed, the malware obtains SMS, call log and notification access, hides its launcher icon so the user cannot easily find or remove it, and covertly exfiltrates SMS messages and the notification content of other apps.

Severity Level: High

Threat Details:

  • Distribution Mechanism: The malware continues to use fake traffic violation alerts that seem official, urging users to download a malicious app disguised as the official “NextGen mParivahan” app. The official app provides access to digital driving licenses, vehicle registration certificates, and other government services, which makes it a prime target for malicious actors.
  • Permissions and Behavior: After installation, the malware requests SMS and call log permissions and asks the user to grant it Notification Access (a special permission granted in Settings that lets an app read every notification posted on the device). It then hides its app icon, making it difficult for the user to notice the app, identify it as the cause of a problem, or uninstall it.
  • Data Theft: The malware primarily steals SMS messages and notification data from popular apps like WhatsApp, Facebook, Amazon, and Gmail. This could include sensitive user information, login credentials, and financial details.
  • Exfiltration: Captured data is sent to a Telegram bot or written to Firebase, from where the attackers retrieve it. Because both are legitimate, widely used services over HTTPS, the exfiltration traffic blends in with normal app traffic, which makes it hard to spot on the network and to attribute in real time.
  • Stealth Techniques: The malware uses malformed APK files and a multi-stage dropper-payload architecture to evade traditional detection tools and static analysis. The Command and Control (C2) server information is not present in the APK's Dalvik code; it is concealed in a compiled native library (.so file) that is produced dynamically at runtime, which further complicates analysis and signature-based detection.
  • Targeted Applications: The notification-stealing component covers messaging apps (WhatsApp, Telegram), email (Gmail), social media (Facebook) and e-commerce and food delivery apps (Amazon, Zomato). Notifications from these apps routinely contain message contents, one-time passcodes and order or payment details, so the privacy and account-takeover risk is significant.
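The permission and component combination described above is visible in a decoded AndroidManifest.xml before the app is ever run. The following static triage script is an added example written for this advisory, not code from the source article or from any real sample: it flags the indicators the advisory names (SMS permissions and an SMS broadcast receiver, a NotificationListenerService, and the REQUEST_INSTALL_PACKAGES permission a dropper stage needs to install its payload). The two manifests embedded below are constructed, and the package names in them are hypothetical.

```python
"""Static triage of a decoded AndroidManifest.xml (for example the output of
apktool) for the SMS + notification-listener + dropper combination this
advisory describes. Added example; package names below are hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CALL_LOG_PERMS = {"android.permission.READ_CALL_LOG"}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def _android_attr(elem, name):
    """Read an android:-namespaced attribute (android:name, android:permission)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return package name, indicator findings and a risk level (low/medium/high)."""
    root = ET.fromstring(xml_text)
    requested = {_android_attr(e, "name") for e in root.iter("uses-permission")}
    findings = []

    sms = sorted(requested & SMS_PERMS)
    if sms:
        findings.append("SMS access requested: " + ", ".join(sms))
    if requested & CALL_LOG_PERMS:
        findings.append("call log access requested")

    # A receiver registered for SMS_RECEIVED sees every incoming text (OTPs included).
    for receiver in root.iter("receiver"):
        actions = {_android_attr(a, "name") for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            findings.append("intercepts incoming SMS: %s" % _android_attr(receiver, "name"))

    # A NotificationListenerService must be declared with this permission, so the
    # manifest reveals the capability even though the user grants it later in Settings.
    listeners = [_android_attr(s, "name") for s in root.iter("service")
                 if _android_attr(s, "permission") == LISTENER_PERM]
    for name in listeners:
        findings.append("notification listener service: %s" % name)

    if INSTALL_PERM in requested:
        findings.append("can prompt installation of other APKs (dropper stage)")

    # Icon hiding is a runtime action (typically disabling the launcher activity via
    # PackageManager), so it is not visible in the manifest; check it on the device.
    if sms and listeners:
        level = "high"
    elif sms or listeners or INSTALL_PERM in requested:
        level = "medium"
    else:
        level = "low"
    return {"package": root.get("package"), "findings": findings, "level": level}


# Constructed sample manifests (hypothetical package names, not real IOCs).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.parivahan.fake">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="NextGen mParivahan">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <service android:name=".NotifyService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["level"])
        for finding in result["findings"]:
            print("  -", finding)
```

The script deliberately scores on the combination rather than on any single permission: a legitimate SMS backup app requests READ_SMS, and a wearable companion declares a notification listener, but an app claiming to show driving licences needs neither. Because the C2 address is in a native library produced at runtime, a manifest and Dalvik-only review will not recover it; this triage tells you whether the sample deserves dynamic analysis, not what it talks to.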

Recommendations:

  1. Install the NextGen mParivahan app, and any other government-related app, exclusively from official app stores such as the Google Play Store. An app delivered as a download link in an SMS bypasses the store entirely and has to be sideloaded; treat any such link as malicious.
  2. Be vigilant about the permissions requested by apps, especially those requesting sensitive data like SMS, Call Logs, Notification Access, and Location.
  3. Enable 2FA for important apps and services such as banking, social media, and email accounts. Prefer an authenticator app or hardware security key over SMS codes: this malware reads SMS messages and notifications, so an SMS one-time passcode arriving on an infected device is available to the attacker.
  4. Ensure that your Android device and all installed apps are regularly updated to the latest versions, as these updates often include security patches that protect against newly discovered vulnerabilities.
  5. Do not click on links received via SMS, emails, or social media, especially if they seem suspicious or claim to be from official sources like government services.
  6. Verify any traffic violation notices or government communications through the official Ministry of Road Transport & Highways channels or websites.
  7. Watch for unusual behavior on your Android device, such as the disappearance of app icons, unexplained battery drain, or unexpected pop-ups requesting permissions.
  8. Use security apps that allow you to monitor app activity, particularly those that track which apps access sensitive data like SMS or notifications.
  9. For organizations, deploy a Mobile Device Management (MDM) solution to enforce app installation policies, restrict permissions, and monitor device health and compliance with security standards.
  10. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/85c2d49814d8fa32f33a145866f39e3159ad204a6fd0f5ed37ec3c70b52c387f/iocs
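Recommendations 7 and 8 (watch for disappearing icons, monitor which apps hold SMS and notification access) can be checked from a workstation with adb rather than by eye. The script below is an added example written for this advisory, not code from the source or from any MDM product. It parses two outputs an analyst would collect from a device, `adb shell settings get secure enabled_notification_listeners` and `adb shell dumpsys package <pkg>`, and reports whether a package holds notification access, which SMS permissions are granted to it, and whether any of its components have been disabled (the usual mechanism behind a vanished launcher icon). The sample outputs are constructed and abbreviated, the `disabledComponents:` and `runtime permissions:` layout is assumed from current Android builds, and the package names are hypothetical.

```python
"""Device-side triage of one installed package from adb output.
Added example; the embedded adb outputs are constructed and abbreviated."""
import re

# Packages an organisation knows legitimately hold Notification Access
# (hypothetical allowlist; populate from your own fleet baseline).
TRUSTED_LISTENERS = {"com.example.wearcompanion"}
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def parse_listeners(settings_value):
    """Parse `settings get secure enabled_notification_listeners`: a colon-separated
    list of 'package/Class' component names. Returns the set of package names."""
    pkgs = set()
    for component in settings_value.strip().split(":"):
        if component:
            pkgs.add(component.split("/", 1)[0])
    return pkgs


def granted_permissions(dumpsys_text):
    """Collect runtime permissions listed as granted=true in `dumpsys package` output."""
    pattern = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=true", re.M)
    return {m.group(1) for m in pattern.finditer(dumpsys_text)}


def disabled_components(dumpsys_text):
    """Return component names under the indented 'disabledComponents:' block."""
    comps = set()
    lines = dumpsys_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() != "disabledComponents:":
            continue
        header_indent = len(line) - len(line.lstrip())
        for nxt in lines[i + 1:]:
            # The block ends at the first blank line or line indented no deeper than the header.
            if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= header_indent:
                break
            comps.add(nxt.strip())
    return comps


def assess_device(pkg, listener_setting, dumpsys_text, trusted=TRUSTED_LISTENERS):
    """Combine the three checks into one verdict for a package."""
    listener_enabled = pkg in parse_listeners(listener_setting)
    sms_granted = granted_permissions(dumpsys_text) & SMS_PERMS
    disabled = disabled_components(dumpsys_text)
    reasons = []
    if listener_enabled and pkg not in trusted:
        reasons.append("holds Notification Access and is not on the allowlist")
    if sms_granted:
        reasons.append("granted SMS permissions: " + ", ".join(sorted(sms_granted)))
    if disabled:
        reasons.append("has disabled components (possible hidden launcher icon)")
    return {
        "package": pkg,
        "listener_enabled": listener_enabled,
        "sms_granted": sms_granted,
        "disabled_components": disabled,
        "verdict": "suspicious" if len(reasons) >= 2 else "review" if reasons else "clean",
        "reasons": reasons,
    }


# Constructed sample outputs (hypothetical packages; format abbreviated).
LISTENER_SETTING = ("com.example.wearcompanion/com.example.wearcompanion.NotifyBridge:"
                    "com.example.parivahan.fake/com.example.parivahan.fake.NotifyService")

DUMPSYS_SAMPLE = """Packages:
  Package [com.example.parivahan.fake] (1a2b3c):
    userId=10342
    versionName=1.0
    disabledComponents:
      com.example.parivahan.fake.MainActivity
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_CALL_LOG: granted=false, flags=[ USER_SET]
"""

if __name__ == "__main__":
    result = assess_device("com.example.parivahan.fake", LISTENER_SETTING, DUMPSYS_SAMPLE)
    print(result["package"], result["verdict"])
    for reason in result["reasons"]:
        print("  -", reason)
```

On a real device, feed the functions the output of `adb shell settings get secure enabled_notification_listeners` and `adb shell dumpsys package <pkg>`; the allowlist turns the listener check from noise into a signal, since wearables and some accessibility tools legitimately hold Notification Access. Any package that holds Notification Access, has SMS permissions granted and has disabled its own launcher activity matches the behaviour this advisory describes and should be pulled for the static triage before it is removed.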

Source:

  • https://www.seqrite.com/blog/beware-fake-nextgen-mparivahan-malware-returns-with-enhanced-stealth-and-data-theft/


Ampcus Cyber