Scammers are reportedly sending fake eChallan messages over WhatsApp impersonating the Parivahan Sewa or Karnataka Police.
WhatsApp fake e-Challan scams have reportedly led to fraudulent transactions exceeding Rs. 16 lakh
Photo Credit: Reuters
WhatsApp e-Challan scams are targeting users India using Maorrisbot, a new form of technical malware, according to a cybersecurity firm. This is a relatively new type of scam that is reportedly backed by a large, organised effort. So far, the malware is said to be affecting only Android devices, and no impact has been seen on iOS or other Apple devices. The scam begins like a typical phishing scam, but once the malware is deployed on the victim's device, it acts as a trojan.
A new CloudSEK report details how the new malware dubbed Maorrisbot is used by hackers based in Vietnam. The firm states that a highly technical Android malware campaign is currently being uses to target users in India through fake traffic e-Challan messages disseminated via WhatsApp.
At the onset, the scammers impersonate the Parivahan Sewa or Karnataka Police and send messages to people asking them to pay their challan (traffic violation fine). These messages contain details of a fake e-Challan notice and a URL or an attached APK file.
The scammers trick the victim into clicking the link to pay the fine, and once that is done, the Maorrisbot is gets downloaded on the device. However, the report states that it is disguised as a legitimate application, which could mislead unwary users.
The fraudulent message sent to victims by the hackers
Photo Credit: CloudSEK
After being installed, the malware begins requesting multiple permissions such as access to contacts, phone calls, SMS, and even to become the default messaging app. If the user allows these permissions, the malware begins intercepting OTPs and other sensitive messages. It can also use the data to log in to the victim's e-commerce accounts, purchase gift cards, and redeem them without leaving a trace.
The cybersecurity firm also found that the scammers use proxy IP and maintain a low transaction profile to avoid detection. The researchers believe the attackers are Vietnamese based on conversations and IP location — the purported hacker's IP address was traced to Bắc Giang Province in Vietnam.
CloudSEK claims that 4,451 devices are known to be compromised after installing the malware. The hackers have reportedly used 271 unique gift cards to steal more than Rs. 16 lakh from victims. Gujarat and Karnataka have been identified as the most affected region.
The security firm recommends Android users use well-known antivirus and anti-malware software, limit app permissions and regularly review them, and install apps only from trusted sources. Further, the firm also highlights monitoring suspicious SMS activity, regularly updating the device, and enabling alerts for banking and sensitive services.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.