A new mobile fraud operation is targeting millions of Indian smartphone users, turning the anxiety of a traffic ticket into a gateway for identity theft and financial loss. An investigation by CYFIRMA's research team has uncovered a carefully engineered campaign distributing a malicious "RTO Challan" application via WhatsApp, designed to take control of the device and steal everything from banking credentials to Aadhaar and PAN identity details.
The attack begins with a message that many drivers dread: a traffic violation alert. Scammers are blasting WhatsApp messages that appear to be from official transport authorities, complete with fabricated challan numbers, violation dates, and vehicle registration details.
These messages create a sense of urgency, instructing victims to download an "E-Challan" or "RTO Challan" app to view photographic evidence of their violation. There is no evidence to view: the app itself is the payload.
“The APK is engineered as a two-stage dropper that leverages advanced obfuscation, hidden installation techniques, and high-risk Android permissions to establish persistent control over the victim’s device,” the report states.
Once a victim installs the app, the malware performs a sleight of hand. The installed app is only the first stage; it walks the user through installing a second payload that declares no launcher activity, so it has no icon in the app drawer and runs silently in the background.
To keep its traffic out of sight of on-device security software, the malware registers itself as a VPN provider on the phone and routes traffic through its own tunnel. Android will only do this after the user accepts a one-time VPN consent dialog, and it shows a key icon in the status bar while any VPN is active, so the tunnel is not entirely invisible to an attentive user.
“Once installed, the malware creates a custom VPN tunnel to mask its network activity, enabling covert exfiltration and preventing security tools from detecting C2 communication,” researchers explained. By routing traffic through this VPN, the attackers communicate with their command-and-control (C2) server at jsonserv[.]xyz without raising red flags on the device. The domain remains a usable indicator for defenders: DNS queries or outbound connections to jsonserv[.]xyz from managed devices are worth alerting on.
The malware’s ultimate goal is financial theft, executed through a cunningly designed fake payment interface. After harvesting the user’s Aadhaar, PAN card, and personal details, the app prompts the victim to pay a nominal fee of ₹1.
The app claims “Please Pay ₹1 to verify owner details and we will refund your money within 24hours”. This trivial amount is the bait. When users attempt to pay, they are presented with options for Debit Card, Net Banking, or UPI.
The fraud is aggressive. If a user selects UPI, the app deliberately fails the transaction to push them toward a debit or credit card. When the card option is chosen, the app demands more than any legitimate payment form would ask for: “Under the Card payment option, the app asks for the card number, expiry date, CVV, and even the ATM PIN”. No genuine online payment requires the ATM PIN; together with the card number, expiry and CVV it gives the attackers what they need for both online and card-present fraud.
Behind the scenes, the malware has already obtained high-risk permissions that let it read incoming SMS messages and monitor phone calls. This allows the attackers to read SMS-delivered One-Time Passwords (OTPs) in real time, defeating SMS-based Two-Factor Authentication (2FA) for the stolen card and banking credentials.
“A fraudulent payment interface further deceives users into entering sensitive banking credentials… This allows attackers to conduct unauthorized transactions in real time, leveraging stolen OTPs captured directly on the compromised device”.
With the ability to dial USSD codes, the malware can also forward the victim's calls to a number controlled by the scammers, so that a fraud-confirmation call from the bank never reaches the victim. Call forwarding set this way survives uninstalling the app; on a GSM network, dialing *#21# shows whether unconditional forwarding is active and ##21# clears it.
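The traits described above (the hidden second stage with no launcher icon, the VpnService tunnel, SMS and call permissions for OTP theft and call forwarding) are all visible in an APK's manifest once it is decoded with apktool. The following Python script, added here as an illustration and not CYFIRMA's tooling or code from the sample, scores a decoded AndroidManifest.xml for that pattern. The two manifests embedded in it are constructed for the example, and the package names, component names and scoring scheme are assumptions.

```python
"""Heuristic triage of a decoded AndroidManifest.xml (apktool output).
Example code: flags the permission/component pattern described in the
CYFIRMA write-up. Grouping and scoring are this example's own choices."""
import json
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{" + ANDROID_NS + "}"   # ElementTree spells android:name as {ns}name

RISK_GROUPS = {
    "otp_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.READ_PHONE_STATE",
                     "android.permission.READ_CALL_LOG"},
    "second_stage_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}
VPN_ACTION = "android.net.VpnService"   # intent action a VpnService must declare
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
LAUNCHER = "android.intent.category.LAUNCHER"


def triage(manifest_xml: str) -> dict:
    """Return package name, declared permissions, findings and a score."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings = {}
    for group, wanted in RISK_GROUPS.items():
        hit = sorted(perms & wanted)
        if hit:
            findings[group] = hit

    app = root.find("application")
    vpn_services, sms_receivers, has_launcher = [], [], False
    if app is not None:
        for svc in app.findall("service"):
            if VPN_ACTION in {a.get(A + "name") for a in svc.iter("action")}:
                vpn_services.append(svc.get(A + "name"))
        for rcv in app.findall("receiver"):
            if SMS_ACTION in {a.get(A + "name") for a in rcv.iter("action")}:
                sms_receivers.append(rcv.get(A + "name"))
        for act in app.findall("activity") + app.findall("activity-alias"):
            if LAUNCHER in {c.get(A + "name") for c in act.iter("category")}:
                has_launcher = True
    if vpn_services:
        findings["vpn_tunnel"] = vpn_services
    if sms_receivers:
        findings["sms_broadcast_receiver"] = sms_receivers
    if not has_launcher:
        findings["hidden_from_app_drawer"] = True   # no icon in the drawer

    return {"package": root.get("package"),
            "permissions": sorted(p for p in perms if p),
            "findings": findings,
            "score": len(findings)}


# Constructed sample shaped like a hidden second-stage payload (assumed names).
STAGE2_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.challan.payload">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="System Service">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed benign app for contrast: one permission, visible launcher icon.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:   # path to an apktool-decoded AndroidManifest.xml
        reports = [triage(open(sys.argv[1], encoding="utf-8").read())]
    else:
        reports = [triage(STAGE2_MANIFEST), triage(BENIGN_MANIFEST)]
    print(json.dumps(reports, indent=2))
```

Run it against a real sample with `apktool d sample.apk` followed by `python triage.py sample/AndroidManifest.xml`. The score is only a triage aid: a legitimate VPN or SMS app will trip single checks, and it is the combination of SMS access, a VpnService and no launcher activity that matches the behaviour the report describes.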
This campaign represents a significant escalation in mobile fraud, combining social engineering with “highly mature, professionally engineered” malware. Users are advised to block messages from unknown numbers claiming to be traffic authorities, to never install challan apps from links sent in messages, and to check the phone's VPN settings and installed-app list for anything they do not recognise, since the payload deliberately leaves no icon in the app drawer.
As the report concludes: “Immediate detection, user awareness, and coordinated takedown efforts are essential to mitigate its impact”.