[Image: Phishing activity implemented by the malware to steal the UPI PIN. Credit: CRIL]
A new report from Cyble Research and Intelligence Labs (CRIL) has uncovered a sophisticated Android malware campaign targeting Indian users by impersonating official Regional Transport Office (RTO) applications. The malware, dubbed GhostBat RAT, combines phishing pages, Telegram-bot command and control, and a cryptocurrency-mining module, with the theft of victims’ financial data as its primary goal.
According to the report, the malware spreads through WhatsApp messages and SMS containing shortened URLs that lead to GitHub-hosted APKs or compromised websites. Once installed, it tricks users into granting permissions through fake update prompts and phishing pages designed to mimic legitimate government apps like mParivahan.
CRIL explained that:
“The malware spreads mainly through WhatsApp messages and SMS containing shortened URLs that appear as the RTO app, mParivahan, which redirect to GitHub-hosted APKs, and via compromised websites.”
The campaign’s infection vectors highlight the increasing trend of socially engineered mobile attacks blending social messaging channels with hosted payloads.
Researchers identified over 40 distinct Android malware samples between September 2025 and the present. Each employs multi-stage droppers, ZIP header manipulation, and heavy string obfuscation to evade detection.
“The campaign was observed using native libraries (.so) to dynamically resolve API calls and deploy payloads, including banking credential stealers and cryptocurrency miners.”
Once executed, the malware checks that it is not running in an emulator, then decrypts its next-stage payloads, using XOR and AES across several stages. The final stage installs a malicious version of the mParivahan app that requests SMS permissions and launches phishing pages to collect victims’ mobile numbers, vehicle details, and UPI credentials.
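The ZIP-header trick mentioned above works because an APK is a ZIP archive that carries two copies of each entry's metadata, the local file header in front of the data and the central directory record at the end, and different parsers trust different copies. The following is an added Python example, not code from CRIL's report or from the malware: it builds a small constructed APK-like archive in memory, deliberately corrupts one local header's compression-method field the way an evasive packer might, and walks both copies of the metadata to report the mismatch. The archive contents and the `tamper_local_method` helper are illustrative assumptions, not artefacts of GhostBat RAT.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
KNOWN_METHODS = {0, 8}  # stored and deflate are the only methods Android accepts


def parse_eocd(data):
    """Return (entry_count, cd_size, cd_offset) from the end-of-central-directory record."""
    idx = data.rfind(EOCD_SIG)
    if idx < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, cd_size, cd_offset, _ = struct.unpack("<HHHHIIH", data[idx + 4:idx + 22])
    return total, cd_size, cd_offset


def parse_central_directory(data):
    """Walk the central directory and return one dict per entry."""
    total, _, pos = parse_eocd(data)
    entries = []
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        fields = struct.unpack("<HHHHHHIIIHHHHHII", data[pos + 4:pos + 46])
        (_, _, flags, method, _, _, crc, csize, usize,
         nlen, elen, clen, _, _, _, local_off) = fields
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append(dict(name=name, flags=flags, method=method, crc=crc,
                            csize=csize, usize=usize, local_off=local_off))
        pos += 46 + nlen + elen + clen
    return entries


def check_apk_headers(data):
    """Compare every central directory record with the local header it points at."""
    findings = []
    seen = set()
    for e in parse_central_directory(data):
        if e["name"] in seen:
            findings.append(f"{e['name']}: duplicate entry name in central directory")
        seen.add(e["name"])
        off = e["local_off"]
        if data[off:off + 4] != LOCAL_SIG:
            findings.append(f"{e['name']}: central directory offset does not point at a local header")
            continue
        _, lflags, lmethod, _, _, lcrc, lcsize, lusize, nlen, _ = struct.unpack(
            "<HHHHHIIIHH", data[off + 4:off + 30])
        lname = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        if lname != e["name"]:
            findings.append(f"{e['name']}: local header names the entry {lname!r}")
        if lmethod != e["method"]:
            findings.append(f"{e['name']}: compression method {lmethod} in local header "
                            f"vs {e['method']} in central directory")
        if lmethod not in KNOWN_METHODS or e["method"] not in KNOWN_METHODS:
            findings.append(f"{e['name']}: compression method not in {sorted(KNOWN_METHODS)}")
        # Flag bit 3 means CRC/sizes live in a trailing data descriptor, so zeros here are legal.
        if not (lflags & 0x8) and (lcrc, lcsize, lusize) != (e["crc"], e["csize"], e["usize"]):
            findings.append(f"{e['name']}: CRC or size fields differ between local header "
                            f"and central directory")
    return findings


def build_sample_apk():
    """Constructed stand-in for an APK: a ZIP with the members a real package would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 16)  # a real one is binary XML
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + bytes(64))
    return buf.getvalue()


def tamper_local_method(data, name, bogus_method):
    """Overwrite one local header's compression-method field, leaving the central directory intact.
    Central-directory-driven unpackers (Python's zipfile, the Android installer) still extract the
    entry; scanners that stream local headers see an unsupported method and stop."""
    out = bytearray(data)
    for e in parse_central_directory(data):
        if e["name"] == name:
            off = e["local_off"] + 8  # signature(4) + version needed(2) + flags(2)
            out[off:off + 2] = struct.pack("<H", bogus_method)
            return bytes(out)
    raise KeyError(name)


if __name__ == "__main__":
    clean = build_sample_apk()
    evasive = tamper_local_method(clean, "classes.dex", 99)
    print("clean:", check_apk_headers(clean) or "no findings")
    print("tampered:", check_apk_headers(evasive))
    with zipfile.ZipFile(io.BytesIO(evasive)) as zf:  # still readable: zipfile trusts the central directory
        print("zipfile still extracts classes.dex:", len(zf.read("classes.dex")), "bytes")
```

Running the script shows the point of the trick: `zipfile` extracts the tampered `classes.dex` without complaint because it only consults the central directory, while the checker reports the inconsistent method field. A triage pipeline that unpacks APKs should run a comparison like this before handing members to a decompiler, and treat any disagreement between the two header copies as a reason to look closer.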
One of the most notable aspects of the campaign is its integration with Telegram. CRIL observed that every infected device is automatically registered with a Telegram bot named GhostBatRat_bot, enabling the attackers to monitor victims in real time.
This bot connection suggests a command-and-control (C2) infrastructure hosted directly on a mainstream messaging platform’s bot API, a tactic increasingly favored by Android threat actors for resilience and anonymity: the traffic goes to a legitimate, high-reputation domain over HTTPS, and the operators need no server of their own.
After installation, the fake RTO app displays a phishing page asking users to pay ₹1 to verify vehicle ownership. If the victim clicks “Pay now,” the malware presents a counterfeit UPI payment interface, followed by a fake PIN entry page.
“This phishing flow tricks the victim into submitting their PIN, which the malware forwards to a Firebase endpoint,” CRIL explained.
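The Telegram-bot C2 and the Firebase drop point described above both ride on legitimate, widely used cloud services, so blocking the domains outright is rarely an option; what is distinctive is the shape of the URL. Below is an added Python example, not part of CRIL's report, that scans constructed proxy-log lines (fabricated here for illustration; the bot ID, token and Firebase project name are placeholders, not indicators from the campaign) for Telegram Bot API calls and Firebase Realtime Database writes, and groups the results by bot ID so an analyst can see how many devices report to the same bot.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for illustration only: "<timestamp> <client-ip> <method> <url> <status> <bytes>".
# The bot ID, token and Firebase project name are placeholders, not indicators from the campaign.
SAMPLE_LOG = """\
2025-10-12T09:14:03Z 10.0.12.34 POST https://api.telegram.org/bot7123456789:AAHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/sendMessage 200 512
2025-10-12T09:14:05Z 10.0.12.34 POST https://api.telegram.org/bot7123456789:AAHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/sendDocument 200 20481
2025-10-12T09:14:09Z 10.0.12.34 PUT https://example-project-default-rtdb.firebaseio.com/victims/9198xxxx/pin.json 200 88
2025-10-12T09:15:00Z 10.0.12.51 GET https://api.telegram.org/bot7123456789:AAHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/getUpdates 200 2
2025-10-12T09:16:10Z 10.0.12.77 GET https://www.google.com/ 200 1209
2025-10-12T09:16:12Z 10.0.12.77 GET https://web.telegram.org/k/ 200 5400
"""

# Bot API URLs embed the bot token as "<numeric bot id>:<secret>". Ordinary Telegram use
# (web or desktop client) never touches this path, so a hit is a bot, not a person.
TG_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,45})/(?P<method>[A-Za-z]+)")
# Realtime Database REST writes go to <project>.firebaseio.com/<path>.json
FIREBASE_RE = re.compile(
    r"https?://(?P<project>[a-z0-9-]+)\.firebaseio\.com/(?P<path>[^\s?]*\.json)")


def parse_line(line):
    """Split one constructed log line into its fields; None for anything that does not fit."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, method, url, status, size = parts
    return {"ts": ts, "src": src, "method": method, "url": url, "status": int(status), "size": int(size)}


def scan_proxy_log(text):
    """Return ({bot_id: details}, [firebase writes]) for Bot API calls and Firebase writes in the log."""
    bots = defaultdict(lambda: {"sources": set(), "methods": [], "secret": None})
    firebase_writes = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = TG_BOT_RE.search(rec["url"])
        if m:
            b = bots[m["bot_id"]]
            b["sources"].add(rec["src"])      # each source is one device talking to this bot
            b["methods"].append(m["method"])  # sendMessage/sendDocument = exfil, getUpdates = tasking
            b["secret"] = m["secret"]
            continue
        m = FIREBASE_RE.search(rec["url"])
        if m and rec["method"] in ("PUT", "POST", "PATCH"):  # writes only; reads are common in benign apps
            firebase_writes.append({"src": rec["src"], "project": m["project"],
                                    "path": m["path"], "size": rec["size"]})
    return dict(bots), firebase_writes


def redact(secret):
    """Keep enough of the token to correlate across reports without reproducing a usable credential."""
    return secret[:4] + "..." + secret[-2:]


def summarize(bots, firebase_writes):
    """Render one review-worthy alert line per bot and per Firebase write."""
    alerts = []
    for bot_id, b in sorted(bots.items()):
        alerts.append(
            f"telegram bot {bot_id} (token {redact(b['secret'])}) contacted by {len(b['sources'])} device(s): "
            f"{', '.join(sorted(b['sources']))}; methods {', '.join(sorted(set(b['methods'])))}")
    for w in firebase_writes:
        alerts.append(f"firebase write from {w['src']} to project {w['project']} "
                      f"path /{w['path']} ({w['size']} bytes)")
    return alerts


if __name__ == "__main__":
    for line in summarize(*scan_proxy_log(SAMPLE_LOG)):
        print(line)
```

Two design points matter in practice. Key on the numeric bot ID rather than the full token: the ID identifies the bot even if the operators rotate the secret, and it is what a takedown request to Telegram needs. Treat a hit as something to review, not a verdict, because internal tooling also uses the Bot API; the signal here is a mobile device fleet talking to one bot, and several devices sharing the same token is exactly the pattern the report describes.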
The malware also exfiltrates SMS messages containing bank-related keywords and forwards one-time passwords (OTPs) to the attacker, facilitating unauthorized financial transactions.
GhostBat RAT’s modular architecture reflects the evolution of Android malware toward multi-layered payloads and native code integration. CRIL noted that the use of custom packers, runtime API resolution, and encrypted DEX loaders allows the malware to bypass common antivirus and sandbox systems.
“The implementation of multi-layered dropper mechanisms, combined with string obfuscation, significantly enhanced the malware’s ability to evade detection,” the report added.
Users are urged to avoid downloading APKs from unofficial links, especially links received over WhatsApp or SMS; to install apps only from Google Play and check the publisher there; to refuse SMS-related permission requests from an app that has no reason to read messages; and to keep mobile security tools updated.