Beware Of Malware 'Android God Mode': Indian Cyber Crime Coordination Centre
These malicious apps impersonate banking, government, utility services to achieve near-total control over a device, enabling real-time theft of sensitive financial and personal information.


Published : March 31, 2026 at 5:21 PM IST
New Delhi: The Indian Cyber Crime Coordination Centre (I4C), under the Union Ministry of Home Affairs (MHA), has issued an advisory to citizens about a new Android malware, which misuses accessibility permissions to gain unauthorised control over devices.
“By coercing users into granting elevated Android permissions, these threats achieve near-total control over the device, enabling real-time theft of sensitive financial and personal information,” the advisory states.
The I4C issued the directive after the National Cybercrime Threat Analytics Unit (NCTAU) observed a sharp rise in highly sophisticated Android malware variants, now classified as the “Android God Mode” threat.
The NCTAU has found that these malicious apps impersonate banking, government and utility services like SBI YONO, Jeevan Pramaan Patra (Digital Life Certificate), RTO challans and other customer support applications, and trick users into installing them.
“These apps misuse accessibility permissions to gain near total control over a device without the user’s knowledge,” the I4C has highlighted.
At the core of this activity is the systematic abuse of Android’s accessibility services, which are being exploited at scale to compromise Android users, it said.
Modus Operandi
According to the I4C investigation, the malicious Android (.apk) file is initially delivered via phishing links or through WhatsApp, as a dropper application. The dropper app, which deceptively masquerades as Google Play Services, subsequently installs the actual malware on the device. It utilises advanced evasion tactics, including zero-length base APKs and split DEX files, to bypass standard security detections.
Upon installation, the application persistently prompts the user to enable accessibility services, often redirecting the user to the device’s accessibility settings, under the pretext of being required for the app’s “essential” functionality.
The application also manipulates user consent to set itself as the default launcher, thereby gaining further control over the device.
“These malwares feature anti-hibernation exemptions (no launcher icon) to remain hidden and resident. They are designed to attempt reinstallation from device backups if uninstallation is detected,” the I4C stated.
Permissions Abused
Once enabled, accessibility services give the malware full visibility and control over on-screen UI elements, allowing it to read text from other apps, observe what the user taps or types, and simulate user actions (clicks, scrolls, text entry).
“Once enabled, it can auto approve permission dialogs (activating READ_SMS, SEND_SMS, CALL_PHONE, SYSTEM_ALERT_WINDOW, CAMERA, READ_CONTACTS, etc), drive the UI of banking and social media apps to perform fraudulent actions, and block or bypass any attempt by the victim to revoke permissions or uninstall the app,” the advisory highlighted.
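A defender-side triage of the traits described above (sideloaded app, enabled accessibility service, auto-granted permissions, default-launcher takeover), as an added example that is not from the I4C advisory or the original article. It assumes input in the formats printed by `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -i` and `adb shell dumpsys package <pkg>`; the package names and sample data are constructed.

```python
import re

# Permissions the advisory says the malware auto-approves.
ADVISORY_PERMS = {"READ_SMS", "SEND_SMS", "CALL_PHONE", "SYSTEM_ALERT_WINDOW", "CAMERA", "READ_CONTACTS"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

def a11y_packages(setting):
    """Packages owning an enabled accessibility service (colon-separated 'pkg/service')."""
    return {c.split("/")[0] for c in setting.strip().split(":") if "/" in c}

def installers(pm_output):
    """Map package -> installer from 'pm list packages -i' lines."""
    return dict(re.findall(r"package:(\S+)\s+installer=(\S+)", pm_output))

def granted(dumpsys_excerpt):
    """Advisory-listed permissions marked granted=true in a dumpsys excerpt."""
    found = re.findall(r"android\.permission\.(\w+): granted=true", dumpsys_excerpt)
    return ADVISORY_PERMS & set(found)

def triage(setting, pm_output, dumpsys_by_pkg, home_pkg):
    """Return {package: [reasons]} for non-store apps holding accessibility access."""
    inst = installers(pm_output)
    report = {}
    for pkg in sorted(a11y_packages(setting)):
        source = inst.get(pkg, "null")
        if source in TRUSTED_INSTALLERS:
            continue  # store-installed accessibility tools are out of scope here
        reasons = [f"accessibility service enabled, installer={source}"]
        perms = granted(dumpsys_by_pkg.get(pkg, ""))
        if perms:
            reasons.append("granted: " + ", ".join(sorted(perms)))
        if pkg == home_pkg:  # home_pkg: package currently set as default launcher
            reasons.append("set as default launcher")
        report[pkg] = reasons
    return report

# Constructed sample inventory (package names are made up).
SETTING = "com.example.reader/com.example.reader.ReadAloud:com.example.gms.update/com.example.gms.update.Core"
PM = """package:com.example.reader  installer=com.android.vending
package:com.example.gms.update  installer=null
package:com.example.notes  installer=null"""
DUMPSYS = {"com.example.gms.update": """
      android.permission.READ_SMS: granted=true
      android.permission.SEND_SMS: granted=true
      android.permission.CAMERA: granted=false
      android.permission.READ_CONTACTS: granted=true"""}
if __name__ == "__main__":
    for pkg, why in triage(SETTING, PM, DUMPSYS, "com.example.gms.update").items():
        print(pkg, *why, sep="\n  - ")
```

Preinstalled system apps can also report no installer, so treat each hit as a candidate for manual review, not a verdict.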
Comprehensive Removal of Malware
The advisory recommended installing apps only from verified sources, preferably the Google Play Store or other official platforms. It said that the safe mode option disables third-party apps and their malicious overlays, making it the most effective way to bypass accessibility-based blocks.
The advisory also suggested reporting any fraudulent application or scam incident immediately on the toll-free number 1930 or at www.cybercrime.gov.in.
I4C acts as a nodal point for cyber fraud reporting, threat analytics and capacity building. To strengthen the fight against cyber fraud, it has adopted two initiatives, namely the Cyber Fraud Mitigation Centre (CFMC) and the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS).
Under CFMC, representatives of major banks, financial intermediaries, payment aggregators, telecom service providers, IT intermediaries and representatives of the law enforcement agencies of states and UTs, are working together for immediate action and seamless cooperation to tackle cybercrime.
The CFCFRMS, on the other hand, was launched for immediate reporting of financial frauds and to stop fraudsters from siphoning off funds.
Till January 31 this year, an amount of over Rs 8,690 crore has been saved in more than 24.65 lakh complaints, according to government data.

