NexusRoute
NexusRoute is a newly discovered Android remote access trojan (RAT) and malware campaign targeting Indian users. It is distributed through phishing portals and fake applications that impersonate Indian government services, particularly mParivahan and e-Challan, with malicious APKs hosted via GitHub, including hundreds of fake repositories. The malware is used for credential theft, UPI fraud, financial theft, and device surveillance.
High-confidence reported capabilities include theft of mobile numbers, vehicle data, login credentials, bank account details, card details, UPI PINs, and SMS one-time passwords. It also supports broader surveillance and remote access functions, including GPS tracking, microphone activation, and remote screen capture. The malware requests high-risk Android permissions such as SMS access, accessibility services, overlay permissions, and full file access.
Technically, the initial APK acts as a dropper. It loads a native library named "npdcc" via JNI and uses DexClassLoader to dynamically load additional malicious packages from external storage. For persistence and evasion, it abuses BroadcastReceiver, foreground services, and OEM-specific auto-start mechanisms. It also uses fake security notifications resembling Google Play updates to trick victims into granting permissions; once accessibility access is granted, it can auto-approve remaining permissions. A fake uninstall flow reportedly removes only the dropper while leaving the main payload active and hidden.
Exfiltrated data is sent to command-and-control infrastructure via Socket.IO. The campaign has been linked to a broader underground or commercial Android obfuscation and surveillance ecosystem, including reporting that associates it with the email gymkhana.studio@gmail[.]com and developer communities focused on Android obfuscation and app modification. Reporting describes the infrastructure as professionally maintained and indicative of a large-scale, organized fraud and surveillance operation. NexusRoute has been analyzed by CYFIRMA and referenced alongside other active Android malware families observed in the wild.
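The dropper traits described above (the high-risk permission set, an accessibility service, a bundled native library named "npdcc", and DexClassLoader-based runtime loading) can be checked statically during triage. The script below is an added example and is not tooling from CYFIRMA or Mallory; it scans an APK archive for those traits and flags the combination. The sample archives are constructed inline, the manifest is plain-text XML as you would have after decoding with apktool (real APKs store it as binary XML), and the `classes.dex` payload is a placeholder byte string rather than a real DEX file; the class-name scan is an assumption that approximates how a real DEX references `dalvik.system.DexClassLoader`.

```python
"""Static triage of an Android package for the NexusRoute dropper profile.
Added example, not the reporting vendors' code. Assumes a decoded (text)
AndroidManifest.xml; the sample APKs below are constructed in memory."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission combination called out in the report (all real Android permissions).
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# System.loadLibrary("npdcc") resolves to lib/<abi>/libnpdcc.so inside the APK.
NATIVE_LIB_RE = re.compile(r"^lib/[^/]+/libnpdcc\.so$")
# Assumption: a DEX that uses DexClassLoader contains this class descriptor string.
DEX_LOADER_MARKER = b"dalvik/system/DexClassLoader"


def triage_apk(apk_bytes):
    """Return the findings for one APK and whether they match the dropper profile."""
    findings = {"permissions": set(), "accessibility_service": False,
                "native_lib_npdcc": False, "dex_class_loader": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        findings["native_lib_npdcc"] = any(NATIVE_LIB_RE.match(n) for n in names)
        if "AndroidManifest.xml" in names:
            root = ET.fromstring(zf.read("AndroidManifest.xml"))
            for el in root.iter("uses-permission"):
                name = el.get(f"{{{ANDROID_NS}}}name", "")
                if name in HIGH_RISK_PERMISSIONS:
                    findings["permissions"].add(name)
            for svc in root.iter("service"):
                if svc.get(f"{{{ANDROID_NS}}}permission") == ACCESSIBILITY_PERMISSION:
                    findings["accessibility_service"] = True
        for n in names:
            if n.startswith("classes") and n.endswith(".dex"):
                if DEX_LOADER_MARKER in zf.read(n):
                    findings["dex_class_loader"] = True
    # Weighted score: accessibility abuse and the named native library weigh most.
    findings["score"] = (len(findings["permissions"])
                         + 2 * findings["accessibility_service"]
                         + 2 * findings["native_lib_npdcc"]
                         + findings["dex_class_loader"])
    # Profile: SMS access + accessibility service + dynamic loading or the npdcc lib.
    findings["suspicious"] = bool(SMS_PERMISSIONS & findings["permissions"]) \
        and findings["accessibility_service"] \
        and (findings["native_lib_npdcc"] or findings["dex_class_loader"])
    return findings


def build_sample_apk(malicious=True):
    """Constructed test archive: a dropper-like package or a benign one."""
    perms = ["android.permission.INTERNET"]
    service = ""
    if malicious:
        perms += sorted(HIGH_RISK_PERMISSIONS)
        service = ('<service android:name=".A11y" '
                   f'android:permission="{ACCESSIBILITY_PERMISSION}"/>')
    uses = "\n".join(f'  <uses-permission android:name="{p}"/>' for p in perms)
    manifest = (f'<?xml version="1.0" encoding="utf-8"?>\n'
                f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed">\n'
                f'{uses}\n  <application>{service}</application>\n</manifest>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        dex = b"dex\n035\x00" + (DEX_LOADER_MARKER if malicious else b"Lcom/example/Main;")
        zf.writestr("classes.dex", dex)
        if malicious:
            zf.writestr("lib/arm64-v8a/libnpdcc.so", b"\x7fELF placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("dropper-like", True), ("benign", False)):
        print(label, triage_apk(build_sample_apk(sample)))
```

To use it on a real sample, decode the package first (for example with apktool) so that `AndroidManifest.xml` is text, then pass the re-zipped bytes to `triage_apk`; on a raw APK the manifest parse will fail while the native-library and DEX checks still run.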
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named as one of 17 Android malware families detected in the wild over four months.
Fully obfuscated Android RAT distributed via phishing portals impersonating government services. Steals mobile numbers, UPI PINs, OTPs, card details, and harvests data via accessibility abuse. Part of a large-scale fraud and surveillance infrastructure.
Tags: Android, Frogblight, malware, NexusRoute, Wonderland
Android remote access trojan (RAT) that impersonates Indian E-Challan services, distributed via GitHub, used for UPI fraud and surveillance.