In mid-2025, cybersecurity researchers identified a new and sophisticated malware campaign named GhostBat RAT, specifically targeting Indian Android users. This malicious operation exploits trust in government services by distributing counterfeit Regional Transport Office (RTO) applications, particularly impersonating the official mParivahan app.
Distribution Methods
The perpetrators employ smishing tactics—sending deceptive messages through platforms like WhatsApp and SMS. These messages contain shortened URLs that redirect recipients to malicious payloads hosted on platforms such as GitHub. Additionally, compromised websites serve as distribution channels for these fraudulent applications.
Infection Process
Upon downloading and installing the counterfeit app, users are prompted to grant permissions related to SMS functionalities, under the guise of necessary updates. The app then presents an interface closely resembling the legitimate mParivahan application, requesting vehicle and mobile details. Subsequently, it solicits a nominal Unified Payments Interface (UPI) payment of ₹1, purportedly to verify ownership.
Data Exfiltration and Unauthorized Transactions
Once the user complies, the malware actively monitors SMS messages for banking-related keywords. It exfiltrates these messages to servers controlled by the attackers. Notably, incoming one-time passwords (OTPs) are forwarded directly to the adversaries, facilitating unauthorized financial transactions without the victim’s knowledge.
Command and Control Mechanism
Analysts from Cyble have observed the integration of a Telegram bot named GhostBatRatbot within the malware. This bot registers infected devices and serves as a command channel, enabling the attackers to manage and retrieve stolen data efficiently.
Evasion Techniques
GhostBat RAT employs multiple anti-analysis and obfuscation strategies to evade detection:
– Anti-Emulation Checks: The initial dropper examines device attributes such as `Build.CPU_ABI` and `Build.MANUFACTURER`. If the device is identified as an emulator, the malware terminates its execution to avoid analysis.
– Obfuscated Code: The malware’s code is heavily obfuscated, complicating reverse engineering efforts.
– Multi-Stage Payload Delivery: The dropper decrypts embedded payloads using XOR operations and dynamically loads them via `DexClassLoader`, enhancing its stealth.
– Use of Native Libraries: Incorporating native libraries (.so files) allows the malware to reconstruct API calls in memory through Java Native Interface (JNI), further hindering analysis and detection.
Detailed Infection Mechanism
The infection process is meticulously designed:
1. Smishing Initiation: Users receive messages containing shortened links disguised as RTO services.
2. Malicious APK Download: Clicking the link leads to the download of an APK file hosted on platforms like GitHub.
3. Permission Requests: During installation, the app requests permissions to read and send SMS messages, which users often grant, believing them to be necessary for the app’s functionality.
4. Payload Decryption: With the required permissions, the dropper decrypts its second-stage payload:
```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import dalvik.system.DexClassLoader;

// Read the encrypted second stage straight out of the APK's assets.
// `context`, `encrypted_payload` (the asset's file name) and `saveToFile` are the dropper's own.
InputStream in = context.getAssets().open(encrypted_payload);
byte[] data = new byte[in.available()];
in.read(data);
in.close();
// The XOR key is the SHA-1 digest of the asset name, so no key constant is stored in the APK.
byte[] key = MessageDigest.getInstance("SHA-1")
        .digest(encrypted_payload.getBytes(StandardCharsets.UTF_8));
// Repeating-key XOR decrypts the embedded DEX in place.
for (int i = 0; i < data.length; i++) {
    data[i] ^= key[i % key.length];
}
// The decrypted DEX is written to disk and loaded at runtime, out of reach of static APK scanners.
DexClassLoader loader = new DexClassLoader(
        saveToFile(data), context.getCacheDir().getAbsolutePath(),
        null, context.getClassLoader()
);
```
This decrypted component contains modules for credential theft and cryptomining, which are loaded dynamically.
5. Final Payload Execution: The final payload presents itself as a legitimate app update, deceiving users into installing the malicious mParivahan app.
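As an added analyst-side illustration (not code from the Cyble report or from the malware), the following Python script reproduces the key derivation used in step 4 so a defender can recover the second-stage DEX from an asset extracted out of a sample, checking the result for a DEX header before trusting it. It assumes the asset file name is the only key input, as the snippet shows, and uses a constructed stand-in payload and the hypothetical asset name "payload.bin".

```python
import hashlib
from typing import Optional

DEX_MAGIC_PREFIX = b"dex\n"  # every DEX file begins with "dex\n", a 3-digit version and a NUL


def derive_key(asset_name: str) -> bytes:
    """Replicate the dropper's key derivation: SHA-1 of the asset's file name (UTF-8)."""
    return hashlib.sha1(asset_name.encode("utf-8")).digest()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_payload(asset_name: str, blob: bytes) -> Optional[bytes]:
    """Decrypt an extracted asset and return the bytes only if they carry a DEX header."""
    out = xor_with_key(blob, derive_key(asset_name))
    if out[:4] == DEX_MAGIC_PREFIX and out[7:8] == b"\0":
        return out
    return None  # wrong asset name or a different encoding scheme


# Constructed sample (not a real GhostBat artifact): a stand-in second stage with a
# valid DEX header, encrypted the way the dropper would under a hypothetical asset name.
SAMPLE_ASSET_NAME = "payload.bin"
SAMPLE_PLAINTEXT = b"dex\n035\0" + b"constructed stand-in for the real second-stage DEX"
SAMPLE_ENCRYPTED = xor_with_key(SAMPLE_PLAINTEXT, derive_key(SAMPLE_ASSET_NAME))

if __name__ == "__main__":
    recovered = recover_payload(SAMPLE_ASSET_NAME, SAMPLE_ENCRYPTED)
    print("recovered DEX" if recovered else "no DEX found")
```

Run it against a real sample by replacing the constructed values with the asset's name and bytes; an empty result usually means the asset name is not the key input for that build.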
Through this multi-stage process, GhostBat RAT achieves stealthy installation and robust persistence, posing a significant threat to Indian mobile banking users.