The GhostBat RAT campaign has emerged as a sophisticated threat targeting Indian Android users through counterfeit Regional Transport Office (RTO) applications.
First observed in mid-2025, these malicious APKs masquerade as the official "mParivahan" app, exploiting user trust in government services.
Distribution occurs primarily through smishing (WhatsApp messages and SMS containing shortened URLs that redirect victims to GitHub-hosted payloads) or via compromised websites.
Malicious APKs circulating on WhatsApp (Source: Cyble)
Once installed, the malware prompts victims to grant SMS-related permissions under the guise of essential updates, setting the stage for banking data exfiltration.
Upon installation, the app displays a phishing interface remarkably similar to the genuine mParivahan layout.
The victim is prompted to enter vehicle and mobile details, followed by a fake UPI payment request of ₹1 to "verify ownership."
Meanwhile, SMS messages containing banking-related keywords are harvested and exfiltrated to attacker-controlled servers.
Incoming one-time passwords (OTPs) can be forwarded directly to adversaries, facilitating unauthorized transactions.
Cyble analysts noted the incorporation of a Telegram bot, GhostBatRatbot, which registers infected devices and serves as a command channel for stolen data.
Beneath the social engineering facade, GhostBat RAT relies on several anti-analysis and obfuscation techniques.
The initial dropper performs anti-emulation checks by interrogating the Build.CPU_ABI and Build.MANUFACTURER values, terminating execution if an emulator is detected.
Sample code from this stage illustrates the heavy string obfuscation and emulator avoidance logic:
public static boolean isRealDevice(String abi) {
    // x86 ABIs are typical of Android emulator images, so the dropper bails out on them
    if (abi.equals("x86") || abi.equals("x86_64")) {
        return false;
    }
    String manufacturer = Build.MANUFACTURER.toLowerCase(Locale.ROOT);
    // Emulator builds commonly report a "generic" or "emulator" manufacturer string
    if (manufacturer.contains("generic") || manufacturer.contains("emulator")) {
        return false;
    }
    return true;
}
Anti-emulation techniques implemented by the malware (Source: Cyble)
A multi-stage dropper then decrypts embedded payloads using XOR operations and loads them dynamically through DexClassLoader, ensuring detection evasion.
Native libraries (.so) further complicate analysis by reconstructing API calls in memory via JNI. Together, these layers hinder reverse engineering and antivirus detection.
GhostBat RAT's Infection Mechanism
The entire infection mechanism leverages smishing URLs disguised as RTO services. Upon clicking a shortened link, users download an APK hosted on GitHub or similar platforms.
The installer requests SMS-read and SMS-send permissions, which victims often grant under the pretext of service functionality.
Once permissions are in place, the dropper decrypts its second-stage payload:
// Read the encrypted second stage straight out of the APK's assets
InputStream in = context.getAssets().open("encrypted_payload");
byte[] data = new byte[in.available()];
in.read(data);
in.close();
// The XOR key is the SHA-1 digest of the asset's own file name
byte[] key = MessageDigest.getInstance("SHA-1")
        .digest("encrypted_payload".getBytes(StandardCharsets.UTF_8));
// Repeating-key XOR over the buffer (the loop body was cut off in the published snippet;
// it is reconstructed here from the article's description of the XOR decryption)
for (int i = 0; i < data.length; i++) {
    data[i] ^= key[i % key.length];
}
This decrypted component houses the credential stealer and cryptominer modules, which are loaded dynamically.
The final payload mimics a genuine app update page, tricking users into installing the malicious mParivahan app.
By chaining these stages, GhostBat RAT achieves stealthy installation and robust persistence, making it a significant threat to Indian mobile banking users.
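As an added analyst-side example (not code from the article or from Cyble), the following Python script replays the dropper's key scheme described above, the SHA-1 digest of the asset name used as a repeating XOR key, against an extracted asset and checks whether the result carries the DEX magic expected of a stage loaded through DexClassLoader. The sample ciphertext is constructed inline, and the repeating-key loop shape is assumed from the article's description.

```python
import hashlib
import sys
from pathlib import Path

DEX_MAGIC = b"dex\n"


def derive_key(asset_name: str) -> bytes:
    # Mirrors the dropper: the key is the SHA-1 digest of the asset's own name
    return hashlib.sha1(asset_name.encode("utf-8")).digest()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR is symmetric, so the same call encrypts and decrypts
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_dex(blob: bytes) -> bool:
    # A second stage destined for DexClassLoader should begin with the DEX magic
    return blob[:4] == DEX_MAGIC


def decrypt_asset(asset_name: str, ciphertext: bytes) -> tuple[bytes, bool]:
    plaintext = xor_with_key(ciphertext, derive_key(asset_name))
    return plaintext, looks_like_dex(plaintext)


# Constructed sample: a minimal fake DEX header (not a real DEX file) encrypted
# with the same asset-name key scheme, so the script runs offline
SAMPLE_ASSET_NAME = "encrypted_payload"
SAMPLE_PLAINTEXT = b"dex\n035\x00" + b"\x00" * 24
SAMPLE_CIPHERTEXT = xor_with_key(SAMPLE_PLAINTEXT, derive_key(SAMPLE_ASSET_NAME))


def main(argv: list[str]) -> None:
    if len(argv) == 2:
        # Real use: pass the path of an asset extracted from the APK
        path = Path(argv[1])
        name, blob = path.name, path.read_bytes()
    else:
        path, name, blob = None, SAMPLE_ASSET_NAME, SAMPLE_CIPHERTEXT
    plaintext, is_dex = decrypt_asset(name, blob)
    print(f"{name}: {len(plaintext)} bytes, DEX magic {'present' if is_dex else 'absent'}")
    if is_dex and path is not None:
        out = path.with_suffix(".dex")
        out.write_bytes(plaintext)
        print(f"wrote {out} for static analysis")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to exercise the constructed sample, or with the path of an asset pulled from an unpacked APK to write the recovered stage beside it.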