India’s cybercrime monitoring agencies have issued a detailed advisory warning of a sharp rise in sophisticated Android malware variants capable of gaining near-total control over infected devices. The threat, described as “Android God Mode,” reflects an evolution in mobile-based cyberattacks, combining social engineering with deep exploitation of system-level permissions.
According to the advisory issued by the National Cybercrime Threat Analytics Unit (NCTAU), these malicious applications are designed to impersonate widely trusted services, including banking platforms such as SBI YONO, government-linked utilities like digital life certificate services, and applications related to traffic enforcement or customer support.
By leveraging this familiarity, attackers are able to persuade users to install seemingly legitimate applications, setting the stage for deeper compromise.
How the Malware Gains Control
At the core of the threat lies the systematic abuse of Android’s Accessibility Services, a feature originally intended to assist users with disabilities. Once enabled, this permission allows the application to observe on-screen activity, read text inputs, and simulate user interactions.
The advisory outlines a multi-stage attack process. Malicious software is often delivered via phishing links or messaging platforms such as WhatsApp in the form of a dropper application. Disguised as Google Play Services, the dropper installs the actual malware while employing techniques like split DEX files and zero-length base APKs to evade detection.
After installation, the application persistently prompts users to grant accessibility access under the pretext of enabling “essential” features. In some cases, it manipulates settings to become the default device launcher, allowing it to maintain control over the interface and user interactions.
The malware is also designed for persistence, remaining hidden without a visible launcher icon and attempting reinstallation through device backups if removed.
A Full-Spectrum Breach of Device Security
Once active, the malware exploits a wide range of permissions to orchestrate a comprehensive breach of the device. Accessibility Services provide the foundation for control, enabling the malware to read messages, track keystrokes, and execute actions across applications without user awareness.
Additional permissions amplify the threat. Access to SMS functions allows interception of one-time passwords, facilitating unauthorized financial transactions and account takeovers. Call permissions can be used to initiate call forwarding linked to fraud schemes, while overlay permissions enable the malware to obscure legitimate interface elements, rendering security prompts ineffective.
The advisory also notes the exfiltration of contact lists for further phishing campaigns and unauthorized access to the device camera, extending the breach from financial data to personal privacy.
Taken together, these capabilities allow attackers to operate invisibly within the device, effectively replicating and overriding user behavior in real time.
Detection, Removal, and Public Response
Authorities have outlined a series of steps aimed at mitigating the threat and removing infections. Booting the device into Safe Mode is identified as a critical first step, as it disables third-party applications and their overlays, allowing users to uninstall malicious software more effectively.
Additional measures include changing the default launcher to a system application, reviewing device administrator and accessibility permissions, and disabling unauthorized services. Users are also advised to cancel any suspicious call forwarding settings using USSD codes and to verify that no malicious applications reappear after removal.
In cases where the malware persists, a factory data reset may be required to fully restore device integrity. The advisory emphasizes installing applications only from verified sources such as official app stores and encourages users to report incidents through national cybercrime helplines and portals.
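A defender's triage of the checks just described, as an added example that is not part of the advisory: it flags third-party apps holding an accessibility service, a third-party package set as the default launcher, and installed third-party apps with no launcher icon. The inputs are constructed samples shaped like the output of the adb commands named in the comments (the package name com.example.fakeupdate is invented), so it runs offline against those strings rather than against a device.

```python
"""Offline triage of the indicators the advisory lists.
Sample inputs below are constructed to look like adb output; they are
not captured from a real device."""
from typing import Dict, List, Set

# adb shell settings get secure enabled_accessibility_services
# (colon-separated pkg/service entries, or "null" when none are enabled)
ACCESSIBILITY = ("com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
                 ":com.example.fakeupdate/.CoreService")
# adb shell cmd package resolve-activity --brief -a android.intent.action.MAIN \
#     -c android.intent.category.HOME   (last line is the resolved component)
HOME_RESOLUTION = """priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=true
com.example.fakeupdate/.HomeActivity"""
# adb shell pm list packages -3   (third-party packages only)
THIRD_PARTY = """package:com.example.fakeupdate
package:com.example.notes"""
# adb shell cmd package query-activities --brief -a android.intent.action.MAIN \
#     -c android.intent.category.LAUNCHER   (every activity that shows an icon)
LAUNCHER_ACTIVITIES = """com.example.notes/.MainActivity
com.android.settings/.Settings"""

def parse_packages(pm_output: str) -> Set[str]:
    """'package:com.foo' lines -> {'com.foo'}"""
    return {l.split(":", 1)[1].strip()
            for l in pm_output.splitlines() if l.startswith("package:")}

def parse_components(output: str) -> Set[str]:
    """Keep 'pkg/.Activity' lines; drop the priority/match header lines."""
    return {l.strip() for l in output.splitlines() if "/" in l and "=" not in l}

def triage(accessibility: str, home: str, third_party: str,
           launcher_acts: str) -> Dict[str, List[str]]:
    tp = parse_packages(third_party)
    findings: Dict[str, List[str]] = {"accessibility": [], "launcher": [], "no_icon": []}
    # 1. Accessibility services granted to a non-system package
    if accessibility.strip() not in ("", "null"):
        for comp in accessibility.split(":"):
            pkg = comp.split("/")[0]
            if pkg in tp:
                findings["accessibility"].append(pkg)
    # 2. Default HOME activity resolved to a third-party package
    for comp in parse_components(home):
        if comp.split("/")[0] in tp:
            findings["launcher"].append(comp.split("/")[0])
    # 3. Third-party packages that expose no launcher icon (hidden apps)
    with_icon = {c.split("/")[0] for c in parse_components(launcher_acts)}
    findings["no_icon"] = sorted(tp - with_icon)
    return findings

if __name__ == "__main__":
    for k, v in triage(ACCESSIBILITY, HOME_RESOLUTION, THIRD_PARTY, LAUNCHER_ACTIVITIES).items():
        print(f"{k}: {v or 'none'}")
```

The third check produces false positives by design: keyboards, plugins and background services legitimately ship without an icon, so each hit is a package to review, not proof of infection.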
The warning reflects growing concern among cybersecurity authorities about the scale and sophistication of mobile-based threats, particularly those that exploit trusted interfaces and system-level permissions to bypass traditional safeguards.