Cyble - Fake Income Tax Application Targets Indian Taxpayers
By cybleinc
Published: 2021-09-07 · Archived: 2026-04-06 00:33:36 UTC
Cyble's research on a fake app masquerading as an official Income Tax department app and targeting Indian
taxpayers.
Indian taxpayers are being targeted explicitly via mobile applications, phishing emails, and smishing,
especially during the pandemic. A variant of a mobile app that impersonates India’s Income Tax Department
(IT) was first identified by the McAfee Threat Intelligence team in September 2021. These apps
conduct phishing activities and collect sensitive information from their victims. The attacker could later sell this
information on cybercrime forums. 
During our routine threat hunting exercise, Cyble Research Labs came across a Twitter post covering the application
that masquerades as an official Income Tax department app. The app has a similar icon to that of the IT Department
of India and is named iMobile. 
Cyble Research Labs downloaded the malware samples and performed a detailed analysis. We determined that the
malware performs phishing activities to steal Personally Identifiable Information (PII) such as date of birth, PAN
number, Aadhaar number, bank account details, and debit card details, including expiry date, CVV number, and PIN. 
See Cyble in Action
World's Best AI-Native Threat Intelligence
Technical Analysis 
APK Metadata Information 
App Name: iMobile 
https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/
Page 1 of 11

Package Name: direct.uujgiq.imobile 
SHA256 Hash: 1e8fba3c530c3cd7d72e208e25fbf704ad7699c0a6728ab1b290c645995ddd56 
Figure 1 shows the metadata information of the application. 
Figure 1: Metadata Information 
Figure 2: Application Start Flow 
We have outlined the flow of the application and the various activities it conducts in Figure 2. 
The application has a similar icon as the IT department of India’s official logo. 
The application asks the users to allow it as defaults SMS app. Once it becomes the default app, it can handle
SMS data. 
The application asks users to input credentials like PAN number and registered mobile number. 
The application asks users to input bank account details including debit card information. 
The application also asks for Internet Banking credentials. 
Upon simulating the application, it requests that users make it their default SMS app, and then the application
proceeds with its malicious activity. Refer to Figure 3. 
https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/
Page 2 of 11

Figure 3: Asks for Default SMS App Permission 
Figure 4 shows the malware pretending to be the official Income Tax app from India’s Income Tax department. We
can also see that the app is asking for credentials such as PAN number and mobile number. 
https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/
Page 3 of 11

Figure 4 Asks for IT Credentials 
The next page of the application directs users to a portal where they are prompted to enter their bank account and
debit card details. Refer to Figure 5. 
https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/
Page 4 of 11

Figure 5 Asks for User’s Banking Details 
The application also uses a fake internet banking login page and requests users to enter their credentials, as
shown below. 
https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/
Page 5 of 11

Figure 6 Asks for Netbanking Credentials 
Manifest Description 
iMobile requests twenty-six different permissions, of which the attackers could abuse seven. In this
case, the malware can: 
Collect SMS data. 
Read the information of device such as usage history and statistics. 
Receive and send SMSs.  
We have listed the dangerous permissions below. 
Permissions  Description 
READ_SMS  Access phone’s messages. 
BROADCAST_STICKY 
Allow the application to communicate with other apps. These
broadcasts happen without the user’s knowledge. 
DISABLE_KEYGUARD  Allows applications to disable the keyguard. 
PACKAGE_USAGE_STATS  Provides access to device usage history and statistics. 
READ_PHONE_STATE  Allows access to phone state, including the current cellular
network information, the phone number and the serial number of
https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/
Page 6 of 11

this phone, the status of any ongoing calls, and a list of any
Phone Accounts registered on the device. 
RECEIVE_SMS  Allows an application to receive SMS messages. 
SEND_SMS  Allows an application to send SMS messages. 
Table 1: Permissions’ Description 
Upon reviewing the code of the application, the launcher activity of the malicious app was identified, as shown
in Figure 7. 
Figure 7 Launching Activity 
The permissions and services defined in the manifest file that were identified have the ability to replace the default
Messages app. This app will then be able to handle sending and receiving SMSs and MMSs. Refer to Figure 8. 
Figure 8 Handles SMS and MMS 
Figure 9 represents that the malware has defined customized services that
use the BROADCAST_WAP_PUSH service. Through this service, an application can broadcast a notification that
a WAP Push message has been received.  
Figure 9 Using Broadcast WAP Push Permission 
https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/
Page 7 of 11

Threat Actors (TAs) may abuse this service to create could false MMS message receipts or replace the original
content with malicious content. Google has instructed that it is not for use by third-party applications. 
Figure 10 represents that the malware has defined customized services
that leverage the permission SEND_RESPOND_VIA_MESSAGE.  This permits the application to send a request
to other messaging apps to handle respond-via-message action during incoming calls.  
Figure 10 Using Send Respond VIA Message 
Source Code Description 
The application uses the permission that is defined in Figure 8 to send SMSs. Upon allowing the application to
replace the default messaging app, it can also read incoming messages. Refer to Figure 11.  
Figure 11 Sending SMS 
The below code shows one of the multiple deobfuscation method used by the malware, which leverages a simple
cipher substitution. All strings are decoded using distinct classes, with each class having a unique table value. Refer
to Figure 12. 
https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/
Page 8 of 11

Figure 12 Deobfuscation Method 
During our traffic analysis, we observed that the malware is uploading the banking details, including account
numbers and debit card details such as card number, expiry date, CVV, and PIN to the Command and Control
(C2) server hxxp://jsig.quicksytes[.]com/MC/NN180521/mc.php. Refer to Figure 13. 
Figure 13 Banking Details Being Uploaded to the Server 
Figure 14 demonstrates that the malware is uploading internet banking credentials to the server. 
Figure 14 Internet Banking Details Uploaded to the Server 
The below image shows that the malware has hardcoded data, i.e., a mobile number originating from India.  
https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/
Page 9 of 11

Figure 15 Hardcoded Data 
Conclusion 
The Threat Actors behind malicious applications constantly adapt and use various sophisticated techniques to avoid
detection and target users. Such malicious applications masquerade as legitimate applications to trick users
into installing them. 
Users should only install applications from the official Google Play Store to secure themselves from attacks such
as these. 
Our Recommendations 
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We
recommend that our readers follow the best practices given below:    
Download and install software only from official app stores like Google Play Store. 
Ensure that Google Play Protect is enabled on Android devices. 
Users should be careful of the permissions they are enabling. 
If you find this malicious application on your device, uninstall, or delete it immediately.  
Use the shared IOCs to monitor and block the malware infection.  
Keep your anti-virus software updated to detect and remove malicious software.  
Keep your Android device, OS, and applications updated to the latest versions.  
Use strong passwords and enable two-factor authentication.  
MITRE ATT&CK® Techniques 
Tactic  Technique ID  Technique Name 
Execution  T1204.002  User Execution: Malicious File 
Defense Evasion  T1418   Application Discovery 
Credential Access  T1412  Capture SMS Messages 
Discovery  T1087  Account Discovery 
Impact  T1565  Manipulation 
https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/
Page 10 of 11

Indicators of Compromise (IOCs)   
Indicators 
Indicator
type 
Description 
1e8fba3c530c3cd7d72e208e25fbf704ad7699c0a6728ab1b290c645995ddd56  SHA256 
Malicious
APK 
hxxp://jsig.quicksytes[.]com/MC/NN180521/mc.php  URL  C2 
About Us 
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and
exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk
footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as
one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with
offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble,
visit https://cyble.com. 
Source: https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/
https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/
Page 11 of 11