- Taxpayers in India are getting SMS that supposedly come from the Income Tax Department urging them to download a tax-filing app.
- The app is basically malware serving phishing forms that aim to grab a set of sensitive details from the victim.
- By accessing the device’s SMS, the actors can steal 2FA codes and use them to compromise the user’s banking account.
As the tax season in India is underway, taxpayers are increasingly targeted by scammers and phishing actors who are looking to exploit the period to steal their sensitive information. In this effort, they have created a new Android malware named ‘Elibomi,’ which serves the victim a fake tax-filing application and then siphons all entered data to the actor-controlled server.
According to McAfee’s Mobile Research team, which first discovered the campaign, the trouble starts with the arrival of an SMS that pretends to be from the Income Tax Department in India, urging the recipient to download the malware. Upon installation, the app asks for permission to access and use SMS, supposedly needed to verify the mobile number with the tax agency’s systems. In reality, Elibomi simply steals all SMS messages stored on the infected device, along with emails, phone numbers, and any other personal information it can grab.
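A tax-filing app has no legitimate reason to read incoming SMS, so the permission request described above is itself a detectable signal. The following Python script is an added example, not code from McAfee, Cyble, or the Elibomi sample: it parses an Android manifest and flags SMS-related permissions together with any broadcast receiver that listens for incoming messages, which is the combination that lets an app forward one-time codes. The manifest is constructed for the example, and the package name is a placeholder.

```python
"""Flag Android apps whose manifest requests SMS access.

Added example for this article; not the researchers' or the malware's code.
The sample manifests below are constructed, with placeholder package names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that let an app read or intercept SMS, and hence 2FA codes.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.RECEIVE_WAP_PUSH",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest resembling a "tax-filing" app that wants SMS access.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.taxfiling">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="e-Filing">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of an app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Benign"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every permission name declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return sorted(
        el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)
    )


def sms_receivers(manifest_xml):
    """Return receiver class names whose intent filter listens for incoming SMS."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME_ATTR) for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            found.append(receiver.get(NAME_ATTR))
    return found


def assess(manifest_xml):
    """Summarise SMS capabilities and give a verdict.

    Any SMS permission, or any receiver for SMS_RECEIVED, is enough to flag
    an app that presents itself as a tax-filing client.
    """
    sms_perms = [p for p in requested_permissions(manifest_xml) if p in SMS_PERMISSIONS]
    receivers = sms_receivers(manifest_xml)
    return {
        "sms_permissions": sms_perms,
        "sms_receivers": receivers,
        "suspicious": bool(sms_perms or receivers),
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, assess(manifest))
```

On a real APK the manifest is stored in binary XML; decode it first (for example with `aapt dump xmltree` or `apktool`) and feed the resulting text to `assess`. A high-priority `SMS_RECEIVED` receiver alongside `READ_SMS` is worth treating as hostile in any app that was installed from an SMS link rather than from the Play Store.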
Cyble researchers have dug deeper into the source code of the malicious app and warn that the app could be updated at any time to use a different theme. Currently, it asks for the user’s net banking credentials, banking details, PAN and mobile number, address, name, date of birth, debit card number, expiry date, and even the CVV.
By having access to the device’s SMS, the crooks may grab 2FA codes relevant to the net banking account, so they can break through MFA protections. This is another example of why SMS isn’t the best two-factor authentication option.
Giving away all of the above information hands the crooks many ways to exploit you, so if you are worried that you may have been tricked, you have limited time to correct the mistake. Call your card issuer and ask them to block the card as compromised, and then reset every password you exposed by entering your internet banking credentials into the app.
To uproot Elibomi from your mobile phone, run a trustworthy mobile security tool and perform a full scan on the device’s storage. In the future, avoid tapping URLs that have arrived via SMS, and never trust any app that has been sourced outside the Google Play Store.