Fraud Alert: From e-Challan, Gas Bill Updates to APK Traps — How Malware Scams Are Draining Bank Accounts
Your phone buzzes. A message arrives: "Your vehicle challan has been generated. Download the receipt from the link below." It looks official. It mentions your vehicle number. It carries the familiar language of a government communication. You tap the link, download the file, install it — and, in doing so, hand a cybercriminal the keys to your bank account.
 
This is not a hypothetical. The Indian Computer Emergency Response Team (CERT-In), the government's nodal cybersecurity agency, has issued an alert about a sophisticated and active malware campaign targeting Android users across India. The campaign impersonates the regional transport office (RTO) and government e-challan notifications to trick people into installing a malicious Android application — and it is working because it exploits a fundamental anxiety: the fear most vehicle owners feel when they think they have an unpaid traffic fine.
 
The Trap Is Cleverly Laid
The attack begins innocuously enough. A message arrives—via WhatsApp, SMS, or Telegram—warning you of a pending challan or bill. The message includes either an APK file directly or a link to download one. The file typically carries a reassuringly official-sounding name: ‘RTO Challan.apk’, ‘RTO E Challan.apk’, ‘MParivahan.apk’ or ‘Gas Bill Update.apk’.
 
When you install it, the app appears in your phone's app drawer looking exactly like a legitimate government application. Nothing seems wrong. Then it prompts you to tap 'Install Update' — and this is where the real trap springs shut.
 
That second installation is the actual malware. It follows the same e-challan or cooking gas provider’s theme to maintain appearances, but it does not appear in your phone's application list. It is invisible. And it has been designed to stay that way while quietly doing its work in the background.
 
What the Malware Does Once Inside
The malware requests a series of permissions that, individually, might seem reasonable for a government app — but together constitute a complete takeover of your device.
 
It asks for access to your SMS messages. It asks permission to monitor your phone calls. It requests the ability to run in the background at all times. And then it asks for something particularly alarming: permission to create a virtual private network (VPN) connection on your device.
 
That last permission is the masterstroke. Once granted, the attacker can monitor all internet traffic passing through your phone — every website you visit, every transaction you initiate, every credential you enter. Combined with access to your SMS messages, this means that when your bank sends you an OTP to authorise a transaction, the malware reads it instantly and forwards it to the attacker's server — before you have even finished typing your password.
 
The final piece of the deception is a fake screen overlaid on top of legitimate banking or payment apps. You think you are logging into your bank or UPI application. You are actually entering your credentials directly into a form controlled by the attacker. By the time the transaction appears on your bank statement, the money is gone.
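
For readers who triage suspicious APKs, the behaviours described above can be checked in an app's manifest. The following is an added example, not code from CERT-In or the original article: it scans a decoded AndroidManifest.xml (text form, for example as produced by apktool) for those behaviours. The mapping of behaviours to Android permission names, the function names and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping from the behaviours described above to standard Android
# permission names; the advisory text itself does not list them.
BEHAVIOURS = {
    "sms_access": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "call_monitoring": {P + "READ_PHONE_STATE", P + "READ_CALL_LOG"},
    "always_in_background": {P + "RECEIVE_BOOT_COMPLETED", P + "FOREGROUND_SERVICE",
                             P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "screen_overlay": {P + "SYSTEM_ALERT_WINDOW"},
    "installs_other_apks": {P + "REQUEST_INSTALL_PACKAGES"},
}

def triage_manifest(manifest_xml):
    """Return the sorted list of behaviours a decoded AndroidManifest.xml enables."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    found = {name for name, perms in BEHAVIOURS.items() if perms & requested}
    # A VPN or accessibility service is declared on the <service> element,
    # not requested through <uses-permission>.
    for svc in root.iter("service"):
        guard = svc.get(ANDROID + "permission")
        if guard == P + "BIND_VPN_SERVICE":
            found.add("vpn_service")
        elif guard == P + "BIND_ACCESSIBILITY_SERVICE":
            found.add("accessibility_service")
    # No LAUNCHER category anywhere means no icon in the app drawer.
    categories = {c.get(ANDROID + "name") for c in root.iter("category")}
    if "android.intent.category.LAUNCHER" not in categories:
        found.add("hidden_from_app_list")
    return sorted(found)

def matches_campaign_profile(found):
    """SMS access plus a VPN service is the OTP-interception pairing described above."""
    return {"sms_access", "vpn_service"} <= set(found)

# Constructed sample manifest (not taken from any real APK).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.constructed.payload">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".Tunnel" android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    hits = triage_manifest(SAMPLE)
    print(hits, "-> campaign profile:", matches_campaign_profile(hits))
```

Any single flag is common in legitimate apps; it is the combination, in an app that arrived outside the Play Store, that warrants treating the file as hostile.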
 
The Pretext Changes, The Method Does Not
E-challan impersonation is only one variant of a class of attacks that has been steadily escalating across India. Cybercriminals rotate their pretexts with disturbing sophistication, choosing whichever government service is most likely to provoke an anxious, unthinking response.
 
The ongoing LPG supply crisis has already become the latest such pretext. Fraudsters are sending fake SMS and WhatsApp messages claiming that your LPG booking requires urgent renewal or that your KYC must be updated immediately to continue receiving gas cylinders during the shortage. The links in these messages lead to fake booking portals or payment pages designed to harvest your bank details, UPI credentials and OTPs. 
 
Some messages include fake customer care numbers — call them and you will find a convincing impersonator ready to walk you through handing over your account details. Do not click any links or download any files, such as ‘Gas Bill Update.apk’, that arrive via SMS or WhatsApp for booking, KYC or bill payment updates. Use only the official apps and portals of your oil marketing company. Never share your OTP or bank details with anyone claiming to be from the gas company by phone or message.
 
Beyond LPG and piped natural gas (PNG), electricity bill disconnection notices have been used to trick people into calling fake customer care numbers and installing remote access tools. KYC expiry warnings impersonating banks and telecom operators have been used to harvest Aadhaar numbers, account details and OTPs. Courier delivery failure notifications have prompted victims to install tracking apps that turned out to be spyware. 
 
TRAI (Telecom Regulatory Authority of India) notices threatening to disconnect phone numbers have pressured people into sharing their mobile credentials. Fake income-tax refund alerts have lured victims onto phishing websites where they entered their net banking passwords. Even job offer messages and parcel customs duty notifications from fake courier companies have been used to push malicious APKs onto unsuspecting phones.
 
The common thread running through all of them is urgency and authority. The message always implies that something bad will happen to you—your challan will escalate, your power will be cut, your SIM will be blocked, your gas booking will lapse, your refund will expire—unless you act immediately. That sense of urgency is engineered to override your caution. And it works, repeatedly, on educated and digitally literate people, not just those unfamiliar with technology.
 
Why Android Users Are Particularly Vulnerable
Unlike Apple's iOS, whose policies make it a restricted environment (depending on the region), Android allows all users to install applications from outside the official Google Play Store — a feature known as sideloading. This is by design, offering flexibility, but it also creates the attack surface that these campaigns exploit. The malicious APKs in this campaign are never distributed through the Play Store; they arrive through messaging apps and links precisely because they would be blocked if submitted for official review.
 
Many Android users do not realise that the ‘Install from unknown sources’ setting, which must be enabled to install an APK from outside the Play Store, is a significant security risk. Cybercriminals rely on users either having this setting already enabled or being willing to enable it when prompted by what appears to be an official government notification.
 
What You Must Do Right Now
If you have not yet encountered one of these messages, you almost certainly will. Here is what you must do.
 
Never install an APK file received via WhatsApp, SMS, Telegram, or any link sent to you unsolicited. Government applications are available only on the official Google Play Store or the Apple App Store. The real MParivahan app, the real Parivahan Sewa app, and all legitimate state traffic police applications are available there. No government department will ever send you an APK file through a messaging service.
 
Verify any challan notice independently by visiting the official portal at echallan.parivahan.gov.in directly — type it into your browser manually rather than clicking any link. If a challan exists, it will appear there. If it does not, the message was a fraud.
 
For LPG-related messages, use only the official apps and portals of Indian Oil, Bharat Petroleum and Hindustan Petroleum to book cylinders or update KYC. For any queries or issues such as billing from Mahanagar Gas or Indraprastha Gas, use their official app. The official toll-free numbers are publicly listed on these companies' websites. If a message asks you to click a link, call a number not listed on the official website, or share an OTP to complete a booking or KYC update, it is a scam. Disconnect immediately.
 
Keep ‘Install from unknown sources’ disabled on your Android device at all times. There is rarely a legitimate reason for an ordinary user to enable this setting. On Android devices, you can also enable the Google Play Protect setting (open the Google Play app, touch your name or photo in the top right corner, go to ‘Play Protect’, tap the settings icon in the top right-hand corner and enable ‘scan apps with Play Protect’). For Samsung devices, you can go to Settings and enable ‘Auto Blocker’ under security and privacy.
 
Be deeply suspicious of any app that requests access to your SMS messages, phone calls, contacts, microphone, or the ability to create a VPN connection, unless you understand precisely why it needs these permissions and have verified the app is legitimate.
 
Never enable Accessibility Services for any app you have not thoroughly verified. This permission allows an app to observe and interact with everything on your screen — it is among the most dangerous permissions an Android app can request.
 
If you receive a suspicious message, delete it immediately, block the sender, and do not forward it to family or friends, even as a warning. Forwarding the message spreads the APK file or the malicious link further.
 
If You Have Already Installed the Malware
If you have already installed a suspicious APK, act immediately. Disconnect your phone from mobile data and Wi-Fi to cut off the malware's communication with the attacker's server. Go to Settings, then Applications, and uninstall the e-challan app and any other application you do not recognise. Run a scan with a trusted mobile antivirus application. 
 
Most important: change your UPI PIN, your net banking password and any other financial credentials that may have been compromised. Check your bank and UPI statements carefully for any transactions you did not authorise. If you find any, report them to your bank immediately.
 
The Deeper Problem
CERT-In's advisory is a reminder that the sophistication of these attacks has outpaced public awareness of them. These campaigns are not the work of individual bad actors. They are organised operations with clearly defined technical workflows — a dropper stage to establish presence, a payload stage to deploy the actual malware, a permissions harvesting stage, a credential-stealing stage, and a monetisation stage. Each step is designed with care.
 
What makes the current moment particularly dangerous is that fraudsters are exploiting a real, widely discussed national crisis—the LPG supply shortage—to give their fake messages an air of plausibility. When people are already anxious about whether their next gas cylinder will arrive, a message warning them to urgently complete their LPG KYC does not seem implausible. That is precisely the calculation cybercriminals are making.
 
The government's official channels—CERT-In, the National Cyber Crime Reporting Portal (cybercrime.gov.in), and the National Cyber Crime Helpline (1930)—exist precisely to receive reports of such incidents and build a clearer picture of how these campaigns operate. If you receive a suspicious message of this kind, report it. It takes two minutes and may protect someone else from losing their savings.
 
The e-challan you never committed is bait. The LPG KYC or bill update you urgently need is bait. The app or link that arrives with it is a trap. And the only safe response is to close the message and go directly to the official portal yourself.
 
Stay Alert, Stay Safe!
 
How To Report Cyber Fraud?
Do report cyber crimes to the NCCRP http://cybercrime.gov.in or call the toll-free National Helpline number, 1930. To follow on social media: Twitter (@Cyberdost), Facebook (CyberDostI4C), Instagram (cyberdostl4C), Telegram (cyberdosti4c). 
 
 
If the fraud involves your bank account, you need to immediately email the official email address of your branch (available on the bank's website or in your passbook), with a copy to the bank's customer care. Even if you have called the official customer care number, you must still send an email describing your conversation with the bank executive, including the time, date and duration of the call. This will be helpful if you face a liability issue with the bank.
 
Report Suspects
You can quickly report attempts made to commit cybercrime using suspicious website URLs, WhatsApp numbers, Telegram handles, phone numbers, email IDs, SMS headers or mobile numbers and social media URLs to NCCRP. This information is used to build up a repository for the analysis and monitoring of cybercrime.