
Security researchers at K7 Computing have uncovered a malicious Android campaign that leverages the name of a popular Indian government scheme, “PM KISAN YOJNA,” to infect victims with stealer malware. Disguised as an official app, the malware employs a multi-stage dropper technique, advanced evasion tactics, and a sophisticated social engineering ploy to harvest personal and financial information from unsuspecting users.
The malware masquerades as a legitimate application linked to the “PM-Kisan Samman Nidhi” scheme but is in fact a dropper that installs a second-stage payload called decrypted_app.apk. Once installed, this secondary app “collects personal information like Name, Mobile Number, Aadhaar Card, PAN Card, and Date of Birth,” as detailed in the K7 report.
This isn’t your typical Android malware. K7’s analysts noted that “the malware author intentionally crafted these dropper payloads to bypass static analysis,” making tools like Apktool and Jadx ineffective for decompilation. To further frustrate researchers, the app performs:
- Emulator checks
- Frida detection
- Root access detection
These measures are specifically designed to avoid analysis in sandbox environments.
Once the app is launched, users are prompted to “install an update”—a move that grants the malicious app VPN permissions. According to the report, this allows the malware to “take control of network traffic on the device for data exfiltration/malicious purpose.” The app also requests permission to install applications from unknown sources, enabling the silent installation of its stealer payload.
After the fake update, the malicious app creates a duplicate of the official PM-Kisan app but hides its icon from the app drawer. As the report states: “Checking Settings > Apps will reveal that two applications having the same name are now present on the device.”
The final payload requests highly sensitive permissions, including VIEW_SMS and SEND_SMS, and transmits stolen messages to a command-and-control (C2) server. Fortunately, “during this analysis, the C2 server was down,” according to the researchers.
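As an added defender-side example (not code from the K7 report), the following Python triage pass runs over `aapt dump badging` output for the installed packages and flags the indicators the article describes: two packages sharing one label, a package with no launchable activity (icon hidden from the drawer), SMS permissions, and the ability to sideload a second stage. The package names and badging text are constructed samples, and the permission names used are the standard Android ones (READ_SMS/SEND_SMS/RECEIVE_SMS) rather than the report's VIEW_SMS.

```python
import re
from collections import Counter

# Constructed `aapt dump badging` excerpts for three installed packages
# (not artifacts from the report): the genuine app, a look-alike dropper,
# and the hidden second-stage stealer it installs.
SAMPLE_BADGING = {
    "com.example.pmkisan": """package: name='com.example.pmkisan'
application-label:'PM Kisan'
launchable-activity: name='com.example.pmkisan.Main'
uses-permission: name='android.permission.INTERNET'""",
    "com.example.dropper": """package: name='com.example.dropper'
application-label:'PM Kisan'
launchable-activity: name='com.example.dropper.Main'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'""",
    "com.example.stage2": """package: name='com.example.stage2'
application-label:'PM Kisan'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'""",
}

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
             "android.permission.RECEIVE_SMS"}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

def parse_badging(text):
    """Extract label, launcher-activity presence and permissions from badging text."""
    label = re.search(r"application-label:'([^']*)'", text)
    return {"label": label.group(1) if label else "",
            "launchable": "launchable-activity:" in text,
            "perms": set(re.findall(r"uses-permission: name='([^']+)'", text))}

def triage(badging_by_pkg):
    """Map package -> indicators matching the dropper/stealer behaviours described."""
    parsed = {pkg: parse_badging(txt) for pkg, txt in badging_by_pkg.items()}
    label_counts = Counter(p["label"] for p in parsed.values())
    findings = {}
    for pkg, info in parsed.items():
        checks = [
            ("duplicate-label", label_counts[info["label"]] > 1),   # two apps, one name
            ("no-launcher-icon", not info["launchable"]),            # hidden from drawer
            ("sms-access", bool(info["perms"] & SMS_PERMS)),         # SMS theft capability
            ("can-sideload", INSTALL_PERM in info["perms"]),         # silent payload install
        ]
        hits = [tag for tag, hit in checks if hit]
        if hits:
            findings[pkg] = hits
    return findings
```

Many legitimate packages have no launchable activity, so the icon indicator only means something in combination with a duplicated label or SMS access.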
A new variant of the malware dubbed “Salvador” is also on the rise. This suggests an ongoing campaign, where threat actors are “consistently refining their methods to appear legitimate, evade detection, and maximize data theft.”