GhostBat RAT Android Malware Poses as Fake RTO Apps to Steal Banking Data from Indian Users

The GhostBat RAT campaign shows a sophisticated approach to malware distribution, using several infection vectors (WhatsApp, SMS with shortened URLs, GitHub-hosted APKs, and compromised websites) to deliver malicious Android droppers. Once installed, these droppers run multi-stage workflows that rely on deliberate ZIP header manipulation and extensive string obfuscation to evade antivirus detection and hinder reverse engineering.

Threat actors behind this campaign leverage native libraries (.so) to dynamically resolve API calls, deploying payloads that include tools for stealing banking credentials and cryptocurrency miners. Victims are often directed to phishing pages that closely resemble the mParivahan app, where they are prompted to input sensitive information such as mobile numbers, vehicle details, and UPI payment credentials. Furthermore, all SMS messages containing banking-related keywords are exfiltrated to command and control (C&C) servers, while incoming messages may be forwarded or uploaded for one-time password (OTP) harvesting. Device registration is facilitated through a Telegram bot known as GhostBatRat_bot, which solidifies the campaign’s identity under the “GhostBat RAT” banner.

In July 2024, CRIL documented the emergence of Android malware masquerading as Regional Transport Office applications, designed specifically to pilfer contacts and SMS messages. Renewed observations from September 2025 onward have identified over forty distinct samples propagating through WhatsApp image shares and SMS messages with shortened URLs that redirect to GitHub-hosted APKs. While these variants differ in their custom packers and anti-emulation routines, they ultimately deliver a malicious version of the mParivahan app.

Phishing activity implemented by the malware to steal UPI PIN.

Upon launching the dropper, it requests SMS-related permissions under the guise of an “update,” subsequently initiating phishing activities aimed at harvesting banking credentials. Analysis of the samples revealed that all compromised devices were registered via the Telegram bot (GhostBatRat_bot), linking the campaign infrastructure to the GhostBat RAT label.

Malicious short URLs distributed via Smishing.

VirusTotal detections for this malware remain low, attributed to the combination of multi-layered dropper mechanisms, ZIP header corruption, and extensive string obfuscation.

Technical Analysis

The architecture of GhostBat RAT is marked by multi-stage dropper workflows, native binary packing, intentional ZIP header corruption, runtime anti-emulation checks, and heavy string obfuscation. Most samples initiate with a first-stage dropper that verifies device architecture and manufacturer, terminating on x86 or x86_64 to circumvent emulated environments. The code strings are obfuscated into lengthy numeric sequences, complicating reverse engineering efforts.

Tool indicating zip header manipulation.
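The kind of check such a tool performs, written here in Python as an added example (not code from the report or from the malware): it cross-checks every central-directory entry of an archive against its local file header and reports each field where the two disagree. The sample archive is constructed in the script, and the tampering applied to it (a bogus compression method and CRC in one local header) is an assumed illustration of how the two structures can be made to conflict, not the specific corruption the samples use.

```python
import io
import struct
import zipfile

LOCAL_SIG, CD_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def audit_zip_headers(data: bytes) -> list:
    """Cross-check each central-directory entry against its local file header.
    Unzippers follow the central directory while many scanners walk local
    headers; each field where the two disagree is returned as one finding."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(total):
        if data[pos:pos + 4] != CD_SIG:
            return findings + ["central directory truncated at 0x%x" % pos]
        (_, _, _, _, method, _, _, crc, csize, usize, nlen, xlen, clen,
         _, _, _, lh) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + xlen + clen
        if data[lh:lh + 4] != LOCAL_SIG:
            findings.append("%s: no local header signature at 0x%x" % (name, lh))
            continue
        (_, _, lflags, lmethod, _, _, lcrc, lcsize, lusize,
         _lnlen, _) = struct.unpack_from("<4sHHHHHIIIHH", data, lh)
        if lmethod != method:
            findings.append("%s: method %d (central) vs %d (local)" % (name, method, lmethod))
        # bit 3 (data descriptor) legitimately zeroes the local CRC and sizes
        if not lflags & 0x08 and (lcrc, lcsize, lusize) != (crc, csize, usize):
            findings.append("%s: CRC/size differ between central and local header" % name)
    return findings


def build_sample(tamper: bool) -> bytes:
    """Constructed input: a two-file, APK-shaped archive. With tamper=True the
    local header of classes.dex gets a bogus method and CRC (assumed corruption)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
    data = bytearray(buf.getvalue())
    if tamper:
        lh = data.find(b"classes.dex") - 30   # first hit is the local header
        struct.pack_into("<H", data, lh + 8, 99)           # compression method
        struct.pack_into("<I", data, lh + 14, 0xFFFFFFFF)  # crc32
    return bytes(data)
```

Run `audit_zip_headers(build_sample(True))` to see the two mismatches a consistent archive would not produce; a real APK can be passed in as the raw file bytes.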

Once environmental checks are successfully navigated, the dropper decrypts an asset file using XOR, loads it with DexClassLoader, and executes the second-stage payload. This payload decrypts another asset using an AES key derived from the SHA-1 hash of its filename, loading its content into a classes.zip container that houses the third-stage module.

Initial stage dropper routine to deploy the second-stage payload.

The final stage involves downloading and executing a cryptominer library before installing the primary malicious APK responsible for banking data theft. Several variants incorporate a native packer: a .so library decrypts and loads additional native binaries using JNI functions like FindClass, dynamically constructing API call names at runtime. This native loader adheres to the same three-stage paradigm, ultimately deploying both a credential stealer and a cryptocurrency miner.

Upon installation of the mParivahan app, victims encounter a counterfeit Google Play update page. Granting installation from unknown sources triggers the download and installation of the malicious APK. The app subsequently requests SMS permissions and presents a convincing phishing interface mimicking the mParivahan app, asking for mobile and vehicle details.

Malicious application installation flow.

Following this, a fake payment flow prompts users to pay ₹1 for verification and enter their UPI PIN into a counterfeit interface, which then forwards the PIN to a Firebase endpoint. All SMS messages containing banking-related keywords are filtered and exfiltrated to the C&C server, while incoming messages can be uploaded or forwarded to attacker-controlled numbers for OTP interception. This dual capability allows the threat actors to harvest both static banking credentials and dynamic OTPs, facilitating unauthorized transactions.

The GhostBat RAT campaign signifies a notable evolution in RTO-themed Android malware. By combining multi-stage dropper techniques, anti-analysis defenses, native code loaders, and social engineering, the threat actors bypass traditional detection mechanisms. This underscores the need for vigilant SMS permission management, cautious handling of shortened URLs, and continuous mobile threat intelligence to counter emerging Android malware campaigns.
