The GhostBat RAT campaign leverages diverse infection vectors—WhatsApp, SMS with shortened URLs, GitHub-hosted APKs, and compromised websites—to distribute malicious Android droppers.
Once installed, these droppers employ multi-stage workflows, deliberate ZIP header manipulation, and heavy string obfuscation to evade antivirus detection and reverse‐engineering.
The threat actors utilize native libraries (.so) to dynamically resolve API calls and deploy payloads that include banking credential stealers and cryptocurrency miners.
Victims are presented with phishing pages mimicking the mParivahan app, prompting mobile numbers, vehicle details, and UPI payments.
All SMS containing banking‐related keywords are exfiltrated to C&C servers, while incoming messages may be forwarded or uploaded for OTP harvesting. Device registration is performed via the Telegram bot GhostBatRat_bot, cementing the “GhostBat RAT” moniker.
In July 2024, CRIL first documented Android malware masquerading as Regional Transport Office applications designed to steal contacts and SMS messages.
Renewed observations from September 2025 onward reveal over forty distinct samples propagating through WhatsApp image shares and SMS messages containing shortened URLs that redirect to GitHub-hosted APKs.
Although variants differ in custom packers and anti‐emulation routines, each ultimately delivers a malicious version of the mParivahan app.

Upon launch, the dropper requests SMS‐related permissions under the guise of an “update,” then initiates phishing activities to harvest banking credentials.
During analysis, all samples were found to register compromised devices via a Telegram bot (GhostBatRat_bot), linking campaign infrastructure to the GhostBat RAT label.

VirusTotal detections remained low due to the combination of multi‐layered dropper mechanisms, ZIP header corruption, and extensive string obfuscation.
Technical Analysis
GhostBat RAT’s architecture is characterized by multi‐stage dropper workflows, native binary packing, intentional corruption of ZIP headers, runtime anti‐emulation checks, and heavy string obfuscation.
Most samples begin with a first‐stage dropper that verifies device architecture and manufacturer, terminating on x86 or x86_64 to thwart emulated environments.
Strings throughout the code are obfuscated into lengthy numeric sequences, further complicating reverse engineering.

Once environmental checks pass, the dropper decrypts an asset file via XOR, loads it with DexClassLoader, and executes the second‐stage payload.
This payload decrypts another asset with AES, using a key derived from the SHA-1 hash of the asset's filename; the decrypted content is a classes.zip container that houses the third-stage module.
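The first two stages described above, as an analyst's unpacking helper. This is an added example, not code from the CRIL report or from the malware: it assumes a repeating-key XOR over the stage-1 asset, a corruption style in which the "PK" bytes of the three ZIP signatures are overwritten (the report does not say which header fields the samples damage), and that the stage-2 AES-128 key is the first 16 bytes of SHA-1(filename). The sample asset is constructed inside the block.

```python
"""Unpack a GhostBat-style XOR-encrypted, header-corrupted stage-1 asset.

Added example, not the report's or the malware's code. Assumptions: single
repeating XOR key, ZIP signatures damaged by overwriting their "PK" prefix,
stage-2 key = SHA-1(filename)[:16]. Real samples may differ on every point.
"""
import hashlib
import io
import zipfile

LOCAL_FILE_HEADER = b"PK\x03\x04"
CENTRAL_DIR_HEADER = b"PK\x01\x02"
END_OF_CENTRAL_DIR = b"PK\x05\x06"
ZIP_SIGNATURES = (LOCAL_FILE_HEADER, CENTRAL_DIR_HEADER, END_OF_CENTRAL_DIR)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_zip(data: bytes) -> bool:
    """True only if an end-of-central-directory record is still findable."""
    return zipfile.is_zipfile(io.BytesIO(data))


def build_corrupted_asset(payload_dex: bytes, xor_key: bytes, bogus_prefix: bytes) -> bytes:
    """Constructed test input: a STORED zip holding classes.dex, with the "PK"
    bytes of every signature replaced by bogus_prefix, then XOR-encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("classes.dex", date_time=(2024, 1, 1, 0, 0, 0))
        zf.writestr(info, payload_dex)  # ZipInfo defaults to ZIP_STORED
    raw = buf.getvalue()
    for sig in ZIP_SIGNATURES:
        raw = raw.replace(sig, bogus_prefix + sig[2:])
    return xor_bytes(raw, xor_key)


def repair_zip(data: bytes, bogus_prefix: bytes) -> bytes:
    """Restore the three ZIP signatures. A blind byte replace can in theory
    collide with compressed entry data; for a real sample, verify offsets
    against the central directory before trusting the result."""
    fixed = data
    for sig in ZIP_SIGNATURES:
        fixed = fixed.replace(bogus_prefix + sig[2:], sig)
    return fixed


def unpack_stage1(asset: bytes, xor_key: bytes, bogus_prefix: bytes) -> dict:
    """XOR-decode, repair the container, and return {entry name: bytes}."""
    decoded = xor_bytes(asset, xor_key)
    repaired = repair_zip(decoded, bogus_prefix)
    with zipfile.ZipFile(io.BytesIO(repaired)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def stage2_key(asset_name: str) -> bytes:
    """Assumed stage-2 derivation: AES-128 key = SHA-1(filename) truncated to 16 bytes."""
    return hashlib.sha1(asset_name.encode()).digest()[:16]


if __name__ == "__main__":
    DEX = b"dex\n035\x00" + b"\x00" * 64  # constructed stand-in for classes.dex
    KEY = b"\x5a\xa5\x3c"                 # constructed XOR key
    asset = build_corrupted_asset(DEX, KEY, b"GB")
    print("decoded asset parses as zip:", looks_like_zip(xor_bytes(asset, KEY)))
    files = unpack_stage1(asset, KEY, b"GB")
    print(sorted(files), len(files["classes.dex"]), "bytes")
    print("stage-2 key:", stage2_key("classes.zip").hex())
```

The check on the decoded-but-unrepaired blob is the useful diagnostic: a zip that XOR-decodes cleanly yet fails `is_zipfile` is the signature of deliberate header damage rather than a wrong key.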

The final stage downloads and executes a cryptominer library before installing the primary malicious APK responsible for banking data theft.
Several variants incorporate a native packer: a .so library decrypts and loads additional native binaries using JNI functions like FindClass, dynamically constructing API call names at runtime.
This native loader follows the same three‐stage paradigm, ultimately deploying both a credential stealer and a cryptocurrency miner.
Upon installation of the dropper posing as the mParivahan app, victims encounter a fake Google Play update page. Granting installation from unknown sources triggers the download and installation of the malicious APK.
The app then requests SMS permissions and displays a convincing mParivahan phishing interface requesting mobile and vehicle details.
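A manifest-level triage for the permission pattern just described (SMS access requested alongside the ability to install further packages), as an added example that is not part of the report or the malware. It assumes the APK's AndroidManifest.xml has already been decoded to plain XML (apktool output, for instance) and the sample manifest below is constructed for illustration.

```python
"""Flag the SMS-plus-sideloading permission pattern of the GhostBat dropper.

Added example (not from the report). Input is a decoded, plain-XML
AndroidManifest.xml; the sample manifest here is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
SIDELOAD_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
NET_PERM = "android.permission.INTERNET"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def permissions(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID + "name", "") for e in root.iter("uses-permission")}


def sms_receivers(manifest_xml: str) -> list:
    """Receivers whose intent filter subscribes to SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for recv in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in recv.iter("action")}
        if SMS_RECEIVED in actions:
            hits.append(recv.get(ANDROID + "name", "?"))
    return hits


def triage(manifest_xml: str) -> dict:
    """Score the manifest; 'high' means the dropper pattern is fully present."""
    perms = permissions(manifest_xml)
    receivers = sms_receivers(manifest_xml)
    findings, score = [], 0
    if perms & SMS_PERMS:
        findings.append("sms-permissions:" + ",".join(sorted(p.rsplit(".", 1)[1] for p in perms & SMS_PERMS)))
        score += 2
    if receivers:
        findings.append("sms-receiver:" + ",".join(receivers))
        score += 1
    if SIDELOAD_PERM in perms:
        findings.append("requests-install-packages")
        score += 2
    if NET_PERM in perms and perms & SMS_PERMS:
        findings.append("sms-exfil-capable")  # network plus SMS read is the exfil prerequisite
        score += 1
    verdict = "high" if score >= 4 else "review" if score >= 2 else "low"
    return {"verdict": verdict, "score": score, "findings": findings}


# Constructed sample manifest in the shape the dropper's request pattern implies.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="mParivahan">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
    print(triage(BENIGN_MANIFEST))
```

None of these permissions is malicious on its own; the point of the score is the combination, which is exactly what the "update" pretext is designed to get past the user.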

Next, a fake payment flow prompts the user to pay ₹1 for verification and to enter their UPI PIN into a counterfeit interface, which forwards the PIN to a Firebase endpoint.
All SMS messages containing banking‐related keywords are filtered and exfiltrated to the C&C server, while incoming messages can be uploaded or forwarded to attacker‐controlled numbers for OTP interception.
This dual capability allows the threat actors to harvest both static banking credentials and dynamic OTPs to facilitate unauthorized transactions.
The GhostBat RAT campaign represents a sophisticated evolution of RTO‐themed Android malware. By combining multi‐stage dropper techniques, anti‐analysis defenses, native code packing, and social engineering, the threat actors effectively bypass traditional detection mechanisms.
Targeting both banking credentials and UPI authentication flows, GhostBat RAT underscores the importance of vigilant SMS permission management, cautious handling of shortened URLs, and the need for continuous mobile threat intelligence to thwart emerging Android malware campaigns.