A new Android malware campaign, dubbed GhostBat RAT, is sweeping across India, disguised as legitimate Regional Transport Office (RTO) apps such as mParivahan. The malware steals financial data, mines cryptocurrency, and exfiltrates SMS messages, and it registers each infected device with the operators through a Telegram bot.
Infection and Stealth Mechanisms
The attackers use social engineering tactics via WhatsApp, SMS, and compromised websites to deliver malicious APK files. These files, often hosted on GitHub and accessed through shortened URLs, install a counterfeit version of the mParivahan app embedded with malware. Over 40 unique malware samples tied to this campaign have been found since September 2025.
What makes this campaign unique is its use of a Telegram bot, GhostBatRat_bot, to manage and register compromised devices. To avoid detection and ensure longevity, the malware uses multi-stage dropper techniques and numerous evasion tactics:
- It manipulates ZIP headers to break APK decompilation.
- It implements anti-emulation checks to terminate execution in virtual environments.
- It heavily obfuscates strings using numerical encoding.
- It decrypts and executes its payload from native code in .so libraries, resolving the API calls it needs at runtime so that the imports and strings are not visible to static analysis of the DEX code.
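The ZIP-header trick in the list above works because many decompilers trust the local file header of each entry while the Android package installer trusts the central directory. A quick triage step is to compare the two. The following Python is an added example, not code from the original article and not derived from the GhostBat RAT samples: it walks every central-directory entry of an APK, parses the matching local file header by hand, and reports mismatches. The article does not say which fields the campaign alters, so the constructed "tampered" sample (a bogus compression method and a different filename in the local header only) is an assumption chosen to show the kind of inconsistency the check catches.

```python
import io
import struct
import zipfile

LOCAL_HDR_SIG = 0x04034B50
# Local file header: sig, version, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen
LOCAL_HDR_FMT = "<IHHHHHIIIHH"
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR_FMT)  # 30 bytes


def local_header_fields(data, offset):
    """Parse the local file header at `offset`; return None if the signature is wrong."""
    sig, _ver, flags, method, _mt, _md, crc, csize, usize, nlen, _xlen = struct.unpack_from(
        LOCAL_HDR_FMT, data, offset
    )
    if sig != LOCAL_HDR_SIG:
        return None
    name = bytes(data[offset + LOCAL_HDR_LEN : offset + LOCAL_HDR_LEN + nlen])
    return {"flags": flags, "method": method, "crc": crc, "csize": csize, "usize": usize, "name": name}


def find_apk_anomalies(apk_bytes):
    """Compare each central-directory entry against its local file header.

    Returns a list of human-readable anomaly strings; an empty list means the
    two views of the archive agree (which is what a normally built APK gives).
    """
    anomalies = []
    seen = set()
    # zipfile only reads the end-of-central-directory record and the central
    # directory here; it never touches the local headers, which we parse ourselves.
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    for info in zf.infolist():
        if info.filename in seen:
            anomalies.append(f"{info.filename}: duplicate entry in central directory")
        seen.add(info.filename)
        if info.compress_type not in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
            anomalies.append(f"{info.filename}: unusual compression method {info.compress_type} in central directory")
        lh = local_header_fields(apk_bytes, info.header_offset)
        if lh is None:
            anomalies.append(f"{info.filename}: local header at offset {info.header_offset} has a bad signature")
            continue
        if lh["name"] != info.filename.encode("utf-8"):
            anomalies.append(f"{info.filename}: local header name {lh['name']!r} differs from central directory")
        if lh["method"] != info.compress_type:
            anomalies.append(
                f"{info.filename}: compression method {lh['method']} in local header vs {info.compress_type} in central directory"
            )
        # With general-purpose flag bit 3 set, sizes and CRC live in a trailing data
        # descriptor rather than in the local header, so only compare when it is clear.
        if not (lh["flags"] & 0x8):
            if lh["csize"] != info.compress_size or lh["usize"] != info.file_size:
                anomalies.append(f"{info.filename}: sizes in local header differ from central directory")
            if lh["crc"] != info.CRC:
                anomalies.append(f"{info.filename}: CRC in local header differs from central directory")
    return anomalies


def build_constructed_sample():
    """Build a tiny APK-like ZIP in memory and a copy with a corrupted local header.

    Constructed input for demonstration only; the corruption applied (method 99 and a
    renamed entry in the local header of classes.dex) is an assumption, not a
    description of what the real samples do.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    clean = buf.getvalue()

    tampered = bytearray(clean)
    off = zipfile.ZipFile(io.BytesIO(clean)).getinfo("classes.dex").header_offset
    struct.pack_into("<H", tampered, off + 8, 99)  # compression method field of the local header
    tampered[off + LOCAL_HDR_LEN : off + LOCAL_HDR_LEN + len("classes.dex")] = b"classes.xxx"
    return clean, bytes(tampered)


if __name__ == "__main__":
    clean, tampered = build_constructed_sample()
    print("clean:", find_apk_anomalies(clean))
    print("tampered:", "\n  ".join(find_apk_anomalies(tampered)))
```

Run it on a real APK with `find_apk_anomalies(open(path, "rb").read())`. Any non-empty result on an app that installs fine is a strong hint that the archive was post-processed to confuse tools rather than produced by a normal build, and is worth a closer look before trusting decompiler output.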
Stealing Credentials and Banking Data
Once installed, the fake RTO app requests extensive permissions, in particular SMS access. It then starts a phishing flow that mimics a UPI payment request, tricking the user into entering their UPI PIN on a fake interface; the PIN is sent to the attacker's server.
In parallel, the app monitors incoming SMS content for banking-related keywords. Matching messages, including incoming OTPs, are harvested and forwarded to the attacker's command-and-control (C2) server. This gives the attackers both the banking credentials and the one-time codes needed to complete fraudulent transactions.
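An app that harvests SMS this way leaves a recognisable footprint in its manifest: SMS permissions paired with network access, and a broadcast receiver registered for incoming SMS, often with a high priority so it sees messages first. The following Python is an added example, not the article's code and not taken from the GhostBat RAT samples: it scans a decoded AndroidManifest.xml (as produced by apktool or aapt, assumed already extracted) for that combination. The manifest text is constructed here for illustration; the package and class names in it are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"


def android_attr(name):
    """Clark-notation attribute name for the android: namespace."""
    return f"{{{ANDROID_NS}}}{name}"


def triage_manifest(manifest_xml):
    """Return a list of findings describing SMS-interception indicators in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []

    perms = {el.get(android_attr("name")) for el in root.iter("uses-permission")}
    sms_perms = perms & SMS_PERMISSIONS
    if sms_perms and "android.permission.INTERNET" in perms:
        findings.append(
            f"SMS permissions {sorted(sms_perms)} combined with INTERNET: possible SMS exfiltration"
        )

    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {act.get(android_attr("name")) for act in flt.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                priority = flt.get(android_attr("priority"), "0")
                findings.append(
                    f"receiver {receiver.get(android_attr('name'))} listens for SMS_RECEIVED (priority {priority})"
                )
    return findings


# Constructed manifest for demonstration; package and class names are placeholders.
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.rtoapp">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="RTO Services">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for line in triage_manifest(CONSTRUCTED_MANIFEST):
        print(line)
```

Neither indicator is proof on its own: legitimate SMS apps hold these permissions and register this receiver. The combination in an app claiming to be a government transport service, requested alongside a UPI-style payment screen, is what should raise the flag.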