A wave of Android malware is sweeping across India under the guise of Regional Transport Office (RTO) apps, stealing financial data, mining cryptocurrency and exfiltrating SMS messages, while silently registering infected devices through Telegram bots. The campaign, tracked as GhostBat RAT, has recently resurfaced.
In July 2024, Cyble Research and Intelligence Labs (CRIL) began tracking an uptick in Android malware disguised as legitimate RTO applications like the mParivahan app. The attackers used social engineering tactics to deliver malicious APK files via WhatsApp, SMS, and even compromised websites. These messages typically include shortened URLs that redirect unsuspecting users to GitHub-hosted malware downloads.
Since September 2025, over 40 unique malware samples tied to this campaign have been discovered. Despite differences in how they were packed or obfuscated, each sample ultimately installed a counterfeit version of mParivahan, embedded with information-stealing tools and a cryptocurrency mining module.
GhostBat RAT: Telegram-Connected and Obfuscated to Avoid Detection
What sets this campaign apart is the integration of Telegram bots for managing infected devices. Specifically, the bot named GhostBatRat_bot is used to register compromised devices, linking this campaign to the name GhostBat RAT.
Each sample employs multi-stage dropper techniques that load payloads in layers. These payloads include a combination of phishing pages, banking credential stealers, and a crypto miner. To ensure longevity and stealth, the malware uses several evasion tactics:
- ZIP header manipulation to break APK decompilation
- Anti-emulation techniques that terminate execution in virtual environments
- Heavy string obfuscation using numerical encoding
- Native code execution via .so libraries to avoid detection
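The first of these tricks works because Android's installer trusts the ZIP central directory, while many decompilers and unpackers walk the local file headers instead; poisoning the local headers breaks the tools but not the install. The script below is an added example, not code from the original article or from Cyble, that checks an APK for that disagreement and repairs it from the central directory. The exact fields it corrupts (compression method and file-name length) are an assumption chosen for the demonstration, not something taken from the GhostBat samples, and the "APK" is a constructed two-member ZIP.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<HHHHHIIIHH"         # local file header fields after the signature (26 bytes)
CENTRAL_FMT = "<HHHHHHIIIHHHHHII"  # central directory fields after the signature (42 bytes)


def parse_central_directory(data):
    """Walk the central directory, the view Android's installer trusts."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, n_total, _, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    entries, pos = [], cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("central directory corrupt at offset %d" % pos)
        f = struct.unpack_from(CENTRAL_FMT, data, pos + 4)
        fnlen, extralen, commentlen = f[9], f[10], f[11]
        entries.append({"name": data[pos + 46:pos + 46 + fnlen],
                        "method": f[3], "local_offset": f[15]})
        pos += 46 + fnlen + extralen + commentlen
    return entries


def find_header_mismatches(data):
    """Return {member: [problems]} where the local header disagrees with the
    central directory; an empty dict means the two views of the archive agree."""
    problems = {}
    for e in parse_central_directory(data):
        off, name, issues = e["local_offset"], e["name"].decode("utf-8", "replace"), []
        if data[off:off + 4] != LOCAL_SIG:
            problems[name] = ["local file header signature missing"]
            continue
        lf = struct.unpack_from(LOCAL_FMT, data, off + 4)
        method, fnlen = lf[2], lf[8]
        if method != e["method"]:
            issues.append("compression method %d vs %d in central directory" % (method, e["method"]))
        if fnlen != len(e["name"]):
            issues.append("file name length %d vs %d" % (fnlen, len(e["name"])))
        elif data[off + 30:off + 30 + fnlen] != e["name"]:
            issues.append("file name bytes differ")
        if issues:
            problems[name] = issues
    return problems


def repair_local_headers(data):
    """Rewrite each local header's signature, method and name from the central directory."""
    out = bytearray(data)
    for e in parse_central_directory(data):
        off = e["local_offset"]
        out[off:off + 4] = LOCAL_SIG
        struct.pack_into("<H", out, off + 8, e["method"])
        struct.pack_into("<H", out, off + 26, len(e["name"]))
        out[off + 30:off + 30 + len(e["name"])] = e["name"]
    return bytes(out)


def can_read_all(data):
    """Python's zipfile validates local headers on open, so it stands in for a decompiler."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                zf.read(name)
        return True
    except zipfile.BadZipFile:
        return False


def build_sample_apk():
    """Constructed stand-in for an APK (not a real sample): a manifest and a fake classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='x'/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 200)
    return buf.getvalue()


def tamper_local_headers(data):
    """Assumed tampering for the demo: poison the compression method and file-name
    length in every local header, leaving the central directory untouched."""
    out = bytearray(data)
    for e in parse_central_directory(data):
        off = e["local_offset"]
        struct.pack_into("<H", out, off + 8, 0x1234)
        struct.pack_into("<H", out, off + 26, 0xFFFF)
    return bytes(out)


if __name__ == "__main__":
    bad = tamper_local_headers(build_sample_apk())
    print("tampered readable:", can_read_all(bad), find_header_mismatches(bad))
    print("repaired readable:", can_read_all(repair_local_headers(bad)))
```

The repair only copies fields that the central directory already carries; it never guesses, so a mismatch it cannot explain (a missing local signature at an offset the directory points to) is reported rather than silently patched.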
Technical Breakdown: Multi-Stage Dropper with Native Execution
In a representative sample (SHA-256: 98991cd9557116b7942925d9c96378b224ad12e2746ac383752b261c31e02a1f), the malware uses a three-stage dropper architecture:
- Stage One checks for emulated environments and XOR-decrypts the second-stage payload from an asset file.
- Stage Two uses a derived AES key to decrypt another asset into a DEX or ZIP file.
- Stage Three includes the final payload, a mining library, and a session-based APK installer.
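When the first stage is a plain XOR over an asset, an analyst does not need to recover the key from the code: the output must be a DEX or ZIP file, so its first bytes are known plaintext and the key falls out by XORing them against the expected magic, with deeper header fields confirming the guess. The script below is an added example, not code from the article or from the samples it describes. It assumes a repeating key of at most 8 bytes; the key values and the asset contents are constructed for the demonstration, and the AES stage that follows in the real dropper is not covered.

```python
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
DEX_VERSIONS = (b"035", b"037", b"038", b"039")


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_dex(blob):
    """Check beyond the 8-byte magic: every DEX header stores header_size (0x70)
    at offset 36 and the endian tag 0x12345678 at offset 40."""
    if len(blob) < 0x70 or blob[:4] != b"dex\n" or blob[7] != 0:
        return False
    header_size, endian_tag = struct.unpack_from("<II", blob, 36)
    return header_size == 0x70 and endian_tag == 0x12345678


def looks_like_zip(blob):
    """A ZIP/APK starts with a local header and must contain an end-of-central-directory record."""
    return blob.startswith(ZIP_MAGIC) and ZIP_EOCD in blob


def recover_xor_key(blob, max_key_len=8):
    """Known-plaintext recovery: for each expected magic and key length, derive the
    key from the leading bytes and keep it only if the structural check passes."""
    candidates = [(b"dex\n" + v + b"\x00", looks_like_dex) for v in DEX_VERSIONS]
    candidates.append((ZIP_MAGIC, looks_like_zip))
    for magic, verify in candidates:
        for klen in range(1, min(max_key_len, len(magic)) + 1):
            key = xor_bytes(blob[:klen], magic[:klen])
            plain = xor_bytes(blob, key)
            if plain.startswith(magic) and verify(plain):
                return key, plain
    return None


def unpack_asset(blob):
    """Return the recovered key, payload type and decrypted payload, or None."""
    found = recover_xor_key(blob)
    if found is None:
        return None
    key, plain = found
    return {"key": key, "type": "dex" if plain[:4] == b"dex\n" else "zip", "payload": plain}


# Constructed inputs for the demo; the keys are assumptions, not values from the samples.
SAMPLE_DEX_KEY = b"Gh0stB4t"
SAMPLE_ZIP_KEY = b"k3y"


def build_sample_dex():
    """Minimal 0x70-byte DEX header with the fields looks_like_dex() checks, plus zero padding."""
    hdr = bytearray(0x70)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", hdr, 32, 0x100)                  # file_size
    struct.pack_into("<II", hdr, 36, 0x70, 0x12345678)      # header_size, endian_tag
    return bytes(hdr) + b"\x00" * (0x100 - 0x70)


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", build_sample_dex())
    return buf.getvalue()


def make_sample_assets():
    """Two 'encrypted assets' as a stage-one dropper might ship them."""
    return (xor_bytes(build_sample_dex(), SAMPLE_DEX_KEY),
            xor_bytes(build_sample_zip(), SAMPLE_ZIP_KEY))


if __name__ == "__main__":
    for asset in make_sample_assets():
        r = unpack_asset(asset)
        print(r["type"], r["key"], len(r["payload"]), "bytes")
```

The structural checks matter: with an 8-byte key and an 8-byte magic, any ciphertext prefix "recovers" a key that decrypts to the magic, so only fields the key does not cover (the DEX header size and endian tag, the ZIP end-of-central-directory record) separate a real hit from noise.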
In more advanced variants, a native packer written in C/C++ executes encrypted payloads by resolving API calls at runtime using JNI methods like FindClass.

This level of complexity is designed to thwart reverse engineering attempts and antivirus tools.
Phishing, SMS Exfiltration, and Telegram Registration
Once installed, the fake mParivahan app requests extensive permissions, particularly around SMS access. It initiates a phishing flow that mimics UPI payment requests, tricking users into entering their UPI PIN on fake interfaces. These credentials are then sent to a Firebase endpoint controlled by the attacker.
Meanwhile, the app monitors incoming SMS in the background, filtering for messages that contain banking-related keywords. Matching messages are forwarded to the attacker's command-and-control (C2) server, and incoming one-time passwords (OTPs) can be harvested or forwarded depending on their content.
In parallel, the app registers the infected device with the Telegram bot GhostBatRat_bot, establishing a command channel for the attacker to manage the compromised system.