Cybercriminals Exploit Fake RTO Challan Notifications to Deploy Android Malware
An Android malware campaign has recently emerged that targets Indian users by masquerading as legitimate Regional Transport Office (RTO) challan notifications. The malicious applications are distributed outside the Google Play Store, primarily through messaging platforms such as WhatsApp, and rely on users' trust in official government services to get installed.
Modus Operandi of the Attack
The attackers open with fraudulent traffic violation alerts sent to potential victims. The messages instruct recipients to install an application labelled E-Challan or RTO Challan which, unbeknownst to them, is malware built to steal financial and personal information. The campaign marks a step up in mobile threats: it uses a three-stage modular architecture that improves the malware's ability to evade detection and stay resident on infected devices.
Unlike earlier variants that shipped as single-stage APKs with hardcoded logic, this operation pulls its configuration from a remote server at run time and applies extensive anti-analysis techniques. Notably, the malware sets up a custom VPN tunnel on the device to mask its network activity. This lets it exfiltrate data covertly and makes its command-and-control traffic much harder for security tools to single out, since it is wrapped inside an encrypted tunnel rather than appearing as ordinary app connections.
Social Engineering Tactics
Researchers from Seqrite have documented the social engineering tactics the attackers employ. The malicious apps present fraudulent user interfaces that closely mimic official government portals, complete with RTO branding and logos, to convince users of their legitimacy. Once installed, the malware prompts the user to grant high-risk permissions, including access to SMS, call logs, notification listeners, and storage. Together these permissions give the app everything it needs to read incoming OTPs, banking notifications, and call history on the victim's device.
To keep control, the malware asks the user to exclude it from battery optimization, so that it can run continuously in the background without the system throttling or killing it. This persistence is what turns a single install into large-scale financial fraud, identity theft, and full device compromise, as the malware harvests banking notifications, one-time passwords (OTPs), and device metadata over time.
Infection Mechanism and Permissions Abuse
The infection process begins when victims receive SMS or WhatsApp messages containing shortened URLs that mimic legitimate e-Challan domains. The messages create a sense of urgency by threatening licence suspension, court summons, or legal proceedings over unpaid traffic fines. When a user follows the link and installs the APK file, the malware starts its multi-stage deployment sequence.
After installation, the third-stage application presents a fake government interface that asks the user to verify their identity or clear a pending challan. To proceed, the user must grant multiple dangerous permissions that expose sensitive device functions to the malware. Once these permissions are approved, the malware begins harvesting personal identity information, banking notifications, OTP messages, and device metadata. It also uses a foreground-service deception: Android requires a foreground service to show a persistent notification, so the malware displays an innocuous-looking one while the real work happens in the background, which keeps the service alive and gives the victim no visible cause for concern.
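The permission and component pattern described above (SMS and call-log access, a notification listener, a battery-optimization exemption, a foreground service, and a VPN service for the tunnel) is visible in an app's manifest before the app is ever run. The following script is an added triage example, not code from the article or from Seqrite: it parses a decoded AndroidManifest.xml (as produced by apktool or aapt) and flags that combination. The sample manifest, the package name com.example.echallan, and the risk weighting are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the permission/component pattern
associated with SMS- and notification-stealing Android bankers.

Added example; the manifest below is constructed, not a real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Return the namespaced key for an android:<attr> attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)


# <uses-permission> entries of interest. The descriptions are the author's
# own heuristic labels, not an Android classification.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "reads stored SMS (OTP theft)",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS (OTP theft)",
    "android.permission.READ_CALL_LOG": "reads the call log",
    "android.permission.READ_EXTERNAL_STORAGE": "reads shared storage",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        "asks to be exempt from Doze (persistence)",
    "android.permission.FOREGROUND_SERVICE": "can hold a foreground service",
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "can install further APKs (staged dropper)",
}

# Privileged bind permissions declared on <service android:permission=...>.
RISKY_SERVICE_BINDS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
        "notification listener (reads banking/OTP notifications)",
    "android.permission.BIND_VPN_SERVICE":
        "VpnService (can route all device traffic through the app)",
}

STEALS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
          "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}
PERSISTS = {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
            "android.permission.FOREGROUND_SERVICE"}


def triage_manifest(xml_text):
    """Return a dict with the package name, a list of (name, reason) findings
    and a verdict of 'low', 'medium' or 'high'."""
    root = ET.fromstring(xml_text)
    findings = []
    for up in root.iter("uses-permission"):
        name = up.get(_a("name"))
        if name in RISKY_PERMISSIONS:
            findings.append((name, RISKY_PERMISSIONS[name]))
    for svc in root.iter("service"):
        perm = svc.get(_a("permission"))
        if perm in RISKY_SERVICE_BINDS:
            findings.append((perm, RISKY_SERVICE_BINDS[perm]))

    names = {n for n, _ in findings}
    # Heuristic: data theft capability plus a persistence mechanism is the
    # combination the article describes, so that is rated highest.
    if names & STEALS and names & PERSISTS:
        verdict = "high"
    elif names:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "findings": findings,
            "verdict": verdict}


# Constructed manifest mimicking the described app; not a real sample.
SAMPLE_MALICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.echallan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="RTO Challan">
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <service android:name=".TunnelSvc"
        android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        r = triage_manifest(m)
        print(r["package"], r["verdict"])
        for name, reason in r["findings"]:
            print("  ", name, "-", reason)
```

A legitimate payment or RTO app has no reason to be a notification listener or a VPN service, so either bind permission on its own deserves a closer look; the combination of SMS access with a battery-optimization exemption is the signature to prioritise. Decode the manifest first (for example with apktool d app.apk) and pass the XML text to triage_manifest.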
Recommendations for Users
To protect against such threats, users should check and pay traffic fines only through the official government website or app, reached by typing the address themselves rather than following a link in an unsolicited message; a shortened URL hides its destination and is itself a warning sign. Do not install applications from outside the Google Play Store, and be suspicious of any app that asks for SMS access, notification access, or an exemption from battery optimization when nothing about its stated purpose requires them. If such an app is already installed, revoke its notification access under the phone's special app access settings and uninstall it. Staying alert to these patterns significantly reduces the risk of falling victim to campaigns of this kind.