A new wave of Android malware is sweeping across India, posing as Regional Transport Office (RTO) apps to steal financial data, mine cryptocurrency, and exfiltrate SMS messages, all while secretly registering infected devices through Telegram bots. Known as GhostBat RAT, this malware campaign has recently resurfaced.
In July 2024, Cyble Research and Intelligence Labs (CRIL) began tracking an uptick in Android malware disguised as legitimate RTO applications like the mParivahan app. The attackers used social engineering tactics to deliver malicious APK files via WhatsApp, SMS, and even compromised websites. These messages typically include shortened URLs that redirect unsuspecting users to GitHub-hosted malware downloads.
Since September 2025, over 40 unique malware samples tied to this campaign have been discovered. Despite differences in how they were packed or obfuscated, each sample ultimately installed a counterfeit version of mParivahan, embedded with information-stealing tools and a cryptocurrency mining module.
What sets this campaign apart is the integration of Telegram bots for managing infected devices. Specifically, the bot named GhostBatRat_bot is used to register compromised devices, linking this campaign to the name GhostBat RAT.
Each sample employs multi-stage dropper techniques that load payloads in layers. These payloads include a combination of phishing pages, banking credential stealers, and a crypto miner. To ensure longevity and stealth, the malware uses several evasion tactics:
In a representative sample (SHA-256: 98991cd9557116b7942925d9c96378b224ad12e2746ac383752b261c31e02a1f), the malware demonstrates a three-stage dropper architecture:
In more advanced variants, a native packer written in C/C++ executes encrypted payloads by resolving API calls at runtime using JNI methods like FindClass.
This level of complexity is designed to thwart reverse engineering attempts and antivirus tools.
Once installed, the fake mParivahan app requests extensive permissions, particularly around SMS access. It initiates a phishing flow that mimics UPI payment requests, tricking users into entering their UPI PIN on fake interfaces. These credentials are then sent to a Firebase endpoint controlled by the attacker.
Meanwhile, the app performs background surveillance of SMS content, specifically targeting messages with banking-related keywords. Detected messages are forwarded to the attacker’s Command & Control (C2) server, while incoming OTPs can be harvested or redirected based on the content.
In parallel, the app registers the infected device with the Telegram bot GhostBatRat_bot, establishing a command channel for the attacker to manage the compromised system.
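The behaviours described above (SMS permission abuse, mParivahan impersonation, a UPI PIN prompt, Firebase exfiltration and a Telegram bot command channel) can be turned into a simple static triage check. The script below is an added example written for this article, not code from Cyble or the malware itself; the official package name and the sample APK data are assumptions, and the sample contains no real indicators.

```python
import re

# Indicators drawn from the campaign description. The official package name is an
# assumption (verify against the Play Store listing); thresholds are illustrative.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
OFFICIAL_MPARIVAHAN_PACKAGE = "com.nic.mparivahan"  # assumed official package
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot")
FIREBASE_HOST = re.compile(r"[\w.-]+\.firebase(?:io|app)\.com")
UPI_PIN_PROMPT = re.compile(r"UPI\s*PIN", re.IGNORECASE)

def triage(package: str, label: str, permissions: set, strings: list) -> list:
    """Return human-readable findings for one unpacked APK (manifest + string dump)."""
    findings = []
    sms = SMS_PERMISSIONS & permissions
    if sms:
        findings.append(f"SMS permissions requested: {sorted(sms)}")
    if "mparivahan" in label.lower() and package != OFFICIAL_MPARIVAHAN_PACKAGE:
        findings.append(f"mParivahan branding on non-official package {package}")
    if any(TELEGRAM_BOT_API.search(s) for s in strings):
        findings.append("Telegram Bot API endpoint present (bot-based device registration)")
    firebase = sorted({m.group(0) for s in strings for m in FIREBASE_HOST.finditer(s)})
    if firebase:
        findings.append(f"Firebase endpoints present: {firebase}")
    if any(UPI_PIN_PROMPT.search(s) for s in strings):
        findings.append("UPI PIN prompt in resources (phishing overlay indicator)")
    return findings

# Constructed sample mimicking the fake mParivahan app; <TOKEN> and hostnames are placeholders.
SAMPLE = dict(
    package="com.example.rto.update",
    label="mParivahan",
    permissions={"android.permission.INTERNET", "android.permission.RECEIVE_SMS",
                 "android.permission.READ_SMS"},
    strings=["https://api.telegram.org/bot<TOKEN>/sendMessage",
             "https://example-project.firebaseio.com/pins.json",
             "Enter your UPI PIN to continue"],
)

if __name__ == "__main__":
    for finding in triage(**SAMPLE):
        print("-", finding)
```

A real workflow would feed `triage` with the permission list from `aapt dump badging` and a string dump of the decoded APK; any hit on the Telegram or Firebase patterns alongside SMS permissions in an RTO-themed app warrants a full dynamic analysis.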
© 2025 The Cyber Express – Cybersecurity News and Magazine.