Rising Threat: GhostBat RAT Malware Posing as RTO Apps in India
A New Wave of Android Malware
A concerning trend has emerged in India, where a new strain of Android malware is cleverly disguised as Regional Transport Office (RTO) applications. This malware, known as GhostBat RAT, is not just stealing sensitive financial data but also mining cryptocurrency and exfiltrating SMS messages. Each infected device is managed through Telegram bots, which adds another layer of complexity and stealth to this campaign.
The Campaign’s Origins
In July 2024, Cyble Research and Intelligence Labs (CRIL) reported a significant increase in Android malware masquerading as trusted apps, particularly the mParivahan application. These malicious actors have employed social engineering tactics to distribute compromised APK files via platforms such as WhatsApp and SMS, as well as through compromised websites. Users are often directed to download these harmful files through shortened URLs that lead to malware hosted on GitHub.
From September 2025 onwards, over 40 distinct malware samples related to this campaign have been identified. Despite variations in their design and obfuscation methods, all samples install a fraudulent version of the mParivahan app, embedded with tools to steal information and mine cryptocurrency.
GhostBat RAT: Managed via Telegram
What makes the GhostBat RAT campaign particularly noteworthy is its integration with Telegram for managing compromised devices. A Telegram bot named GhostBatRat_bot is used to register the infected devices, linking them directly to the malware’s operational framework.
Each malware sample employs sophisticated multi-stage dropper techniques to load various payloads. These payloads range from phishing pages to banking credential stealers and cryptocurrency miners. The malware is designed with multiple evasion tactics to stay under the radar:
- ZIP Header Manipulation: This technique disrupts APK decompilation.
- Anti-Emulation Measures: These ensure that the malware halts execution in virtual environments, making detection difficult.
- String Obfuscation: Heavy numerical encoding disguises the malicious code.
- Native Code Execution: The use of .so libraries is aimed at avoiding conventional detection methods.
Technical Breakdown of the Malware
A representative sample of this malware (SHA-256: 98991cd9557116b7942925d9c96378b224ad12e2746ac383752b261c31e02a1f) showcases a three-stage dropper architecture:
- Stage One: The malware checks for emulated environments and then XOR-decrypts the second-stage payload from an asset file.
- Stage Two: This stage uses a derived AES key to decrypt another asset, producing either a DEX or a ZIP file.
- Stage Three: The final payload is revealed, which includes a mining library along with an installer for a session-based APK.
In more advanced versions, a native packer written in C/C++ is capable of executing encrypted payloads by resolving API calls during runtime through JNI methods like FindClass. This level of technical complexity is designed to thwart reverse engineering efforts and evade antivirus programs.
Phishing and SMS Exfiltration Tactics
Upon installation, the counterfeit mParivahan app demands extensive permissions, particularly for SMS access. It initiates a phishing flow that simulates UPI payment requests, convincing users to input their UPI PIN on fraudulent interfaces. This sensitive information is then transmitted to a Firebase endpoint under the attacker’s control.
The app also monitors SMS content in the background, focusing on messages containing banking keywords. Any matching messages are forwarded to the attacker’s Command & Control server, allowing the operators to harvest incoming One-Time Passwords (OTPs) or redirect messages based on their content.
Moreover, the app will register the infected device with the GhostBatRat_bot, creating a direct command channel that enables the attacker to manage the compromised device effectively.
Conclusion
As this malware trend grows, it highlights the importance of security awareness among users. With attackers becoming increasingly sophisticated, individuals must remain vigilant about the applications they download and the permissions they grant to those apps. The GhostBat RAT campaign underscores a serious need for updated cybersecurity measures and proactive user education.