{
	"id": "b1384b5d-4a0a-4d10-85ed-1c7e3bc182ce",
	"created_at": "2026-04-06T01:30:23.593506Z",
	"updated_at": "2026-04-10T03:21:43.305453Z",
	"deleted_at": null,
	"sha1_hash": "13ef0348f1fadb61423680ac6afb5c32dff015ee",
	"title": "Cyble - Fake Income Tax Application Targets Indian Taxpayers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1243058,
	"plain_text": "Cyble - Fake Income Tax Application Targets Indian Taxpayers\r\nBy cybleinc\r\nPublished: 2021-09-07 · Archived: 2026-04-06 00:33:36 UTC\r\nCyble's research on a fake app masquerading as an official Income Tax department app and targeting Indian\r\ntaxpayers.\r\nIndian taxpayers are being targeted explicitly via mobile applications, phishing emails, and smishing,\r\nespecially during the pandemic. A variant of a mobile app that impersonates India’s Income Tax Department\r\n(IT) was first identified by the McAfee Threat Intelligence team in September 2021. These apps\r\nconduct phishing activities and collect sensitive information from their victims. The attacker could later sell this\r\ninformation on cybercrime forums. \r\nDuring our routine threat hunting exercise, Cyble Research Labs came across a Twitter post covering the application\r\nthat masquerades as an official Income Tax department app. The app has a similar icon to that of the IT Department\r\nof India and is named iMobile. \r\nCyble Research Labs downloaded the malware samples and performed a detailed analysis. We determined that the\r\nmalware performs phishing activities to steal Personally Identifiable Information (PII) such as date of birth, PAN\r\nnumber, Aadhaar number, bank account details, and debit card details, including expiry date, CVV number, and PIN. \r\nTechnical Analysis \r\nAPK Metadata Information \r\nApp Name: iMobile \r\nhttps://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/\r\nPage 1 of 11\n\nPackage Name: direct.uujgiq.imobile \r\nSHA256 Hash: 1e8fba3c530c3cd7d72e208e25fbf704ad7699c0a6728ab1b290c645995ddd56 \r\nFigure 1 shows the metadata information of the application. \r\nFigure 1: Metadata Information \r\nFigure 2: Application Start Flow \r\nWe have outlined the flow of the application and the various activities it conducts in Figure 2. 
\r\nThe application has a similar icon as the IT department of India’s official logo. \r\nThe application asks the users to allow it as the default SMS app. Once it becomes the default app, it can handle\r\nSMS data. \r\nThe application asks users to input credentials like PAN number and registered mobile number. \r\nThe application asks users to input bank account details including debit card information. \r\nThe application also asks for Internet Banking credentials. \r\nUpon simulating the application, it requests that users make it their default SMS app, and then the application\r\nproceeds with its malicious activity. Refer to Figure 3. \r\nFigure 3: Asks for Default SMS App Permission \r\nFigure 4 shows the malware pretending to be the official Income Tax app from India’s Income Tax department. We\r\ncan also see that the app is asking for credentials such as PAN number and mobile number. \r\nFigure 4: Asks for IT Credentials \r\nThe next page of the application directs users to a portal where they are prompted to enter their bank account and\r\ndebit card details. Refer to Figure 5. \r\nFigure 5: Asks for User’s Banking Details \r\nThe application also uses a fake internet banking login page and requests users to enter their credentials, as\r\nshown in Figure 6. \r\nFigure 6: Asks for Netbanking Credentials \r\nManifest Description \r\niMobile requests twenty-six different permissions, of which the attackers could abuse seven. In this\r\ncase, the malware can: \r\nCollect SMS data. 
\r\nRead device information such as usage history and statistics. \r\nReceive and send SMSs. \r\nWe have listed the dangerous permissions below. \r\nPermissions  Description \r\nREAD_SMS  Access phone’s messages. \r\nBROADCAST_STICKY  Allow the application to communicate with other apps. These\r\nbroadcasts happen without the user’s knowledge. \r\nDISABLE_KEYGUARD  Allows applications to disable the keyguard. \r\nPACKAGE_USAGE_STATS  Provides access to device usage history and statistics. \r\nREAD_PHONE_STATE  Allows access to phone state, including the current cellular\r\nnetwork information, the phone number and the serial number of\r\nthis phone, the status of any ongoing calls, and a list of any\r\nPhone Accounts registered on the device. \r\nRECEIVE_SMS  Allows an application to receive SMS messages. \r\nSEND_SMS  Allows an application to send SMS messages. \r\nTable 1: Permissions’ Description \r\nUpon reviewing the code of the application, the launcher activity of the malicious app was identified, as shown\r\nin Figure 7. \r\nFigure 7: Launching Activity \r\nThe permissions and services defined in the manifest file give the app the ability to replace the default\r\nMessages app. This app will then be able to handle sending and receiving SMSs and MMSs. Refer to Figure 8. \r\nFigure 8: Handles SMS and MMS \r\nFigure 9 shows that the malware has defined customized services that\r\nuse the BROADCAST_WAP_PUSH permission. Through this permission, an application can broadcast a notification that\r\na WAP Push message has been received. \r\nFigure 9: Using Broadcast WAP Push Permission \r\nThreat Actors (TAs) may abuse this to create false MMS message receipts or replace the original\r\ncontent with malicious content. 
Google has instructed that it is not for use by third-party applications. \r\nFigure 10 shows that the malware has defined customized services\r\nthat leverage the permission SEND_RESPOND_VIA_MESSAGE. This permits the application to send a request\r\nto other messaging apps to handle the respond-via-message action during incoming calls. \r\nFigure 10: Using Send Respond VIA Message \r\nSource Code Description \r\nThe application uses the permission that is defined in Figure 8 to send SMSs. Upon allowing the application to\r\nreplace the default messaging app, it can also read incoming messages. Refer to Figure 11. \r\nFigure 11: Sending SMS \r\nThe below code shows one of the multiple deobfuscation methods used by the malware, which leverages a simple\r\nsubstitution cipher. All strings are decoded using distinct classes, with each class having a unique table value. Refer\r\nto Figure 12. \r\nFigure 12: Deobfuscation Method \r\nDuring our traffic analysis, we observed that the malware is uploading the banking details, including account\r\nnumbers and debit card details such as card number, expiry date, CVV, and PIN to the Command and Control\r\n(C2) server hxxp://jsig.quicksytes[.]com/MC/NN180521/mc.php. Refer to Figure 13. \r\nFigure 13: Banking Details Being Uploaded to the Server \r\nFigure 14 demonstrates that the malware is uploading internet banking credentials to the server. \r\nFigure 14: Internet Banking Details Uploaded to the Server \r\nFigure 15 shows that the malware has hardcoded data, i.e., a mobile number originating from India. \r\nFigure 15: Hardcoded Data \r\nConclusion \r\nThe Threat Actors behind malicious applications constantly adapt and use various sophisticated techniques to avoid\r\ndetection and target users. 
Such malicious applications masquerade as legitimate applications to trick users\r\ninto installing them. \r\nUsers should only install applications from the official Google Play Store to secure themselves from attacks such\r\nas these. \r\nOur Recommendations \r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We\r\nrecommend that our readers follow the best practices given below: \r\nDownload and install software only from official app stores like Google Play Store. \r\nEnsure that Google Play Protect is enabled on Android devices. \r\nUsers should be careful of the permissions they are enabling. \r\nIf you find this malicious application on your device, uninstall or delete it immediately. \r\nUse the shared IOCs to monitor and block the malware infection. \r\nKeep your anti-virus software updated to detect and remove malicious software. \r\nKeep your Android device, OS, and applications updated to the latest versions. \r\nUse strong passwords and enable two-factor authentication. \r\nMITRE ATT\u0026CK® Techniques \r\nTactic  Technique ID  Technique Name \r\nExecution  T1204.002  User Execution: Malicious File \r\nDefense Evasion  T1418  Application Discovery \r\nCredential Access  T1412  Capture SMS Messages \r\nDiscovery  T1087  Account Discovery \r\nImpact  T1565  Manipulation \r\nIndicators of Compromise (IOCs) \r\nIndicator  Indicator type  Description \r\n1e8fba3c530c3cd7d72e208e25fbf704ad7699c0a6728ab1b290c645995ddd56  SHA256  Malicious APK \r\nhxxp://jsig.quicksytes[.]com/MC/NN180521/mc.php  URL  C2 \r\nAbout Us \r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and\r\nexposure in the Darkweb. 
Its prime focus is to provide organizations with real-time visibility into their digital risk\r\nfootprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as\r\none of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with\r\noffices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble,\r\nvisit https://cyble.com. \r\nSource: https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/"
	],
	"report_names": [
		"fake-income-tax-application-targets-indian-taxpayers"
	],
	"threat_actors": [],
	"ts_created_at": 1775439023,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13ef0348f1fadb61423680ac6afb5c32dff015ee.pdf",
		"text": "https://archive.orkl.eu/13ef0348f1fadb61423680ac6afb5c32dff015ee.txt",
		"img": "https://archive.orkl.eu/13ef0348f1fadb61423680ac6afb5c32dff015ee.jpg"
	}
}