Android Malware Promises Energy Subsidy to Steal Financial Data

    Date: 08/19/2025

    Severity: Medium

    Summary

    A recent Android phishing campaign targeting Indian users disguises itself as a government electricity subsidy service. The attackers use social engineering tactics, including YouTube videos, fake government-like websites, and a GitHub-hosted malicious APK, to trick users into installing malware. Once installed, the app steals financial data, intercepts text messages, sends smishing messages to contacts, and allows remote control via Firebase. The malware and its hosting repositories have since been reported and taken down. This campaign poses a serious threat to user privacy and financial security.

    Indicators of Compromise (IOC) List

    URL/Domain

    https://www.youtube.com/watch?v=LhXyNV1-YEE

    https://rebrand.ly/PMMBY

    https://rebrand.ly/dclinkto2

    https://pmmbe.github.io/Dow/register.html

    https://github.com/Pmmbe/Dow

    https://sqcepo.replit.app

    Hash

    d19ad551d4737d201c327a1223d6829b07d7de8f14d96c96bc7232c9a13042fc
    
    305f909deddf11458b8c87971925dad9192ebe62c25307ce97b8ee307f4ada5d

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://rebrand.ly/PMMBY" or siteurl like "https://rebrand.ly/PMMBY" or url like "https://rebrand.ly/PMMBY" or domainname like "https://rebrand.ly/dclinkto2" or siteurl like "https://rebrand.ly/dclinkto2" or url like "https://rebrand.ly/dclinkto2" or domainname like "https://sqcepo.replit.app" or siteurl like "https://sqcepo.replit.app" or url like "https://sqcepo.replit.app" or domainname like "https://www.youtube.com/watch?v=LhXyNV1-YEE" or siteurl like "https://www.youtube.com/watch?v=LhXyNV1-YEE" or url like "https://www.youtube.com/watch?v=LhXyNV1-YEE" or domainname like "https://pmmbe.github.io/Dow/register.html" or siteurl like "https://pmmbe.github.io/Dow/register.html" or url like "https://pmmbe.github.io/Dow/register.html" or domainname like "https://github.com/Pmmbe/Dow" or siteurl like "https://github.com/Pmmbe/Dow" or url like "https://github.com/Pmmbe/Dow"

    Detection Query 2:

    sha256hash IN ("d19ad551d4737d201c327a1223d6829b07d7de8f14d96c96bc7232c9a13042fc","305f909deddf11458b8c87971925dad9192ebe62c25307ce97b8ee307f4ada5d")
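    The two TDIR queries above match the advisory's IOCs field by field (domainname, siteurl, url, sha256hash). The following is an added example, not Gurucul's or McAfee's code, showing the same matching logic as a stand-alone Python script that can be run over exported proxy and file-scan logs. It normalizes URLs before comparing, because a raw "like" on a full URL misses case differences and trailing slashes, and it treats only the campaign-dedicated hosts (sqcepo.replit.app and pmmbe.github.io) as host-level indicators, since rebrand.ly, github.com and youtube.com are shared services where only the exact URL is an IOC. The log lines are constructed for the example.

```python
"""Match proxy and file-hash logs against the IOCs from the advisory.

Added example (not part of the original advisory). IOC values are the
ones listed above; the sample log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# URL/domain IOCs copied from the advisory
IOC_URLS = {
    "https://www.youtube.com/watch?v=LhXyNV1-YEE",
    "https://rebrand.ly/PMMBY",
    "https://rebrand.ly/dclinkto2",
    "https://pmmbe.github.io/Dow/register.html",
    "https://github.com/Pmmbe/Dow",
    "https://sqcepo.replit.app",
}

# SHA-256 hashes copied from the advisory
IOC_SHA256 = {
    "d19ad551d4737d201c327a1223d6829b07d7de8f14d96c96bc7232c9a13042fc",
    "305f909deddf11458b8c87971925dad9192ebe62c25307ce97b8ee307f4ada5d",
}

# Assumption: these two hosts serve only this campaign, so any request to
# them is a hit. The other IOC hosts (rebrand.ly, github.com, youtube.com)
# are shared infrastructure and are only matched on the full URL.
DEDICATED_HOSTS = {"sqcepo.replit.app", "pmmbe.github.io"}

URL_RE = re.compile(r"https?://[^\s\"']+")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def normalize_url(url: str) -> str:
    """Lowercase scheme and host, drop fragment and trailing slash.

    The query string is kept because the YouTube IOC is identified by it.
    The path is left case-sensitive.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    path = parts.path.rstrip("/")
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{host}{path}{query}"


NORMALIZED_IOC_URLS = {normalize_url(u) for u in IOC_URLS}


def classify_url(url: str):
    """Return 'url' for an exact IOC match, 'host' for a dedicated-host match, else None."""
    norm = normalize_url(url)
    if norm in NORMALIZED_IOC_URLS:
        return "url"
    if (urlsplit(norm).hostname or "") in DEDICATED_HOSTS:
        return "host"
    return None


def scan_url_log(lines):
    """Equivalent of Detection Query 1 over free-form log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            kind = classify_url(url)
            if kind:
                hits.append({"line": n, "url": url, "match": kind})
    return hits


def scan_hash_log(lines):
    """Equivalent of Detection Query 2: any SHA-256 in the line that is an IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for digest in SHA256_RE.findall(line):
            if digest.lower() in IOC_SHA256:
                hits.append({"line": n, "sha256": digest.lower()})
    return hits


# Constructed sample logs (not from the advisory)
SAMPLE_PROXY_LOG = [
    "2025-08-19T10:15:02Z 10.0.0.12 GET https://rebrand.ly/PMMBY 302",
    "2025-08-19T10:15:03Z 10.0.0.12 GET https://pmmbe.github.io/Dow/register.html 200",
    "2025-08-19T10:15:09Z 10.0.0.12 GET https://rebrand.ly/some-other-link 302",  # shared shortener, not an IOC
    "2025-08-19T10:16:40Z 10.0.0.12 POST https://sqcepo.replit.app/api/upload 200",  # dedicated host, new path
    "2025-08-19T10:17:00Z 10.0.0.31 GET https://www.youtube.com/watch?v=AAAAAAAAAAA 200",
]

SAMPLE_FILE_LOG = [
    "sha256=D19AD551D4737D201C327A1223D6829B07D7DE8F14D96C96BC7232C9A13042FC path=/sdcard/Download/subsidy.apk",
    "sha256=" + "a" * 64 + " path=/sdcard/Download/benign.apk",
    "sha256=305f909deddf11458b8c87971925dad9192ebe62c25307ce97b8ee307f4ada5d path=/data/app/base.apk",
]

if __name__ == "__main__":
    for hit in scan_url_log(SAMPLE_PROXY_LOG):
        print("URL IOC hit:", hit)
    for hit in scan_hash_log(SAMPLE_FILE_LOG):
        print("hash IOC hit:", hit)
```

    Running the script against the constructed logs flags lines 1, 2 and 4 of the proxy log (the third is a different rebrand.ly link and the fifth a different video) and lines 1 and 3 of the file log; the uppercase digest on line 1 still matches because comparison is done in lowercase.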

    Reference:

    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-promises-energy-subsidy-to-steal-financial-data/

    Tags

    Malware, Android Malware, Phishing, Social Engineering, Energy, Government Services and Facilities

