Inside a Multi-Stage Android Malware Campaign Leveraging RTO-Themed Social Engineering

Khushal

Seqrite researchers identified a three-stage Android malware campaign in India that impersonates RTO and government portals and spreads via WhatsApp. It uses cryptomining, persistence, and data theft with a cloud-backed C2, infecting about 7,400 devices.
This Seqrite write-up (dated 04 February 2026) is a good example of how “government service” branding + WhatsApp delivery is being used to push multi-stage Android threats that are both profitable (cryptomining) and high-impact (OTP/credential theft).
What’s notable in this campaign
  • Three-stage chained APK installs: Stage 1 drops Stage 2/3, and mining is used along the way to monetize even before/without successful fraud. The staged design also lets operators swap components without rebuilding the whole malware chain.
  • Persistence + stealth: Stage 2 focuses on persistence (e.g., background execution and hiding the launcher icon) and initializes the backend.
  • Cloud-backed backend/C2: Seqrite reports the backend leverages Google Firebase for storage/remote configuration/C2-like operations, and they observed remote reconfiguration (including SMS forwarding targets) and live monitoring of infected devices.
  • “Full fraud kit” behavior in Stage 3: Fake RTO/government UI to pressure victims into granting high-risk permissions, then harvesting OTPs/notifications/device data and attempting call/SMS forwarding and related surveillance.
  • Scale: Based on records they accessed on the backend, Seqrite reports ~7,400 infected devices (with many granting SMS access and submitting sensitive data).

Practical takeaways for users (Android)
  • Treat any APK sent via WhatsApp/Telegram/SMS as hostile, especially “challan/RTO update/portal verification” lures. Legit services should not require sideloaded APKs via chat apps.
  • Block the installation path: keep “Install unknown apps” disabled for browsers, file managers, WhatsApp, etc.
  • Be strict about high-risk permissions. Red flags for “government portal” apps include requests for SMS access, notification listener access, call log/phone access, accessibility, or device admin controls.
  • If installed: disconnect the phone (airplane mode), remove suspicious apps (including ones without icons), revoke notification/SMS/accessibility/admin permissions, then run a scan with a reputable mobile security product. If you entered banking/UPI/card details or granted SMS/notification access, assume account takeover risk—change passwords from a clean device, move away from SMS-based 2FA where possible, and contact your bank/UPI provider to lock down transactions.
  • If cleanup is uncertain: back up important data and do a factory reset, then restore cautiously (avoid restoring unknown APKs).

Why “Firebase” matters (and why it’s not an IOC by itself)
Many legitimate apps use Firebase, so “Firebase traffic present” doesn’t prove anything. The key point is that mainstream cloud services make takedowns harder and give attackers resilient storage/config/C2 options, so prevention (no sideloading, least-privilege permissions) is the most reliable defense here.

Sources
 
These attacks no longer break in like a thief smashing the door, but rather like a salesman in disguise convincing you to open it. First they hand you the “RTO theme” so it looks legitimate, and then they slip in stage by stage until they’re living inside your digital house. In the end, it’s not technical wizardry—it’s a theater of deception 🎭, where the malware plays the lead role and the user unknowingly applauds from the audience.
 
Technical Analysis & Remediation
The campaign exhibits "Advanced Persistent Threat" (APT) characteristics rather than simple adware.

MITRE ATT&CK Mobile Mapping

Initial Access

Phishing: Spearphishing via Service (T1566.003) – SMS/WhatsApp lures.

Execution
User Execution (T1204) – Sideloading APKs.

Defense Evasion
Virtualization/Sandbox Evasion (T1633) – Checks for x86/emulator environments.

Collection
Capture SMS Message (T1412) – Intercepting OTPs for 2FA bypass.

Attack Chain & Artifacts

Stage 1 (The Lure)

SMS messages threatening legal action for unpaid fines, containing shortened URLs (e.g., bit.ly or kutt.it) pointing to malicious APKs hosted on GitHub or fraudulent domains (e.g., rtochallan[.]store).

Stage 2 (The Dropper)
The initial APK is a "dropper." It requests Accessibility Services and performs environment checks.

Anti-Analysis
It scans for emulator characteristics (battery levels, specific manufacturing names). If detected, it terminates.

Stage 3 (The Payload)
The malware utilizes Native Libraries (.so files) to dynamically decrypt and load the final payload (DEX file) in memory. This "fileless" execution makes static analysis difficult.

"Anchor" Indicators

Lure Text

"Pay ₹1 to verify ownership" or "Clear pending challan".

App Names
mParivahan, RTO Service, Challan Payment.

Behavior
Presents a fake UPI payment interface to harvest PINs and banking credentials.

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment

MDM/UEM Query

Search managed fleets for packages matching com.mparivahan.* or unauthorized apps installed from "Unknown Sources" (non-Play Store).

Network Block
Immediate DNS blackholing of domains containing rto, challan, or parivahan that are not the official parivahan.gov.in.

Identity Isolation
If a corporate device is infected, assume OIDC/SSO tokens are compromised. Revoke active sessions immediately.

Phase 2: Eradication

Policy Enforcement

Ensure "Install from Unknown Sources" is globally DISABLED via Mobile Device Management (MDM) policies.

Wipe
Do not attempt to "clean" the malware. The persistence mechanisms (hiding the app icon, burying deep in system services) make manual removal unreliable. Remote Wipe is the only safe option.

Phase 3: Recovery

Re-enrollment

Provision the device only after a full factory reset.

Credential Rotation
Force password resets for any corporate accounts accessed from the device during the infection window.

Remediation - THE HOME USER TRACK

Priority 1: Safety (Stop the Bleeding)

Disconnect

Immediately turn on Airplane Mode. This cuts the connection to the attacker's Command & Control (C2) server, stopping them from receiving your OTPs.

Do NOT Pay
The "₹1" payment page is a fake. Entering your UPI PIN there gives the attacker full access to your bank account.

Priority 2: Removal

Safe Mode

Boot your Android phone into Safe Mode (usually hold Power off -> long press "Power off" on screen). This stops third-party apps from running.

Uninstall
Go to Settings > Apps. Look for the fake RTO app. Note that it may have hidden its icon or renamed itself to something generic like "Settings" or "System Update." Uninstall it.

Check Administrators
Go to Settings > Security > Device Admin Apps. If the malware is listed there, deactivate it.

Priority 3: The "Nuclear" Option (Recommended)
Because this malware can hide deep in the system, a Factory Reset is highly recommended to ensure you are 100% clean. Back up your photos only (not apps) before doing this.

Hardening & References

Hardening Strategy (CIS Benchmarks)

Google Play Protect

Ensure this is enabled and active. It can often detect known variants of GhostBat/SpyNote.

SMS Filtering
Enable "Spam protection" in the Google Messages app to filter out the initial smishing lures.

Permission Audit
Regularly review which apps have "Accessibility" and "SMS" permissions. No calculator or tax app needs access to your text messages.

References

Seqrite Blog

Cyble Blog

MITRE ATT&CK Mobile Matrix

MITRE ATT&CK Mobile
Technique T1475 (Phishing)

CISA
Mobile Malware Security Approaches
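As an added example (not code from the post, from Seqrite or from Cyble), here is the Phase 1 identification query and the permission audit above carried out in Python over constructed MDM inventory and resolver log samples. The CSV and log formats, the trusted-installer list, the high-risk permission set and every sample row are assumptions; the com.mparivahan.* package pattern, the parivahan.gov.in allow-list and the rto/challan/parivahan lure tokens come from the post itself.

```python
"""Fleet triage for the RTO/challan Android campaign (added example).

Not code from the forum post, Seqrite or Cyble. The inventory CSV and
resolver log formats are assumed; every record below is constructed.
"""
import csv
import io
from fnmatch import fnmatch

OFFICIAL_DOMAIN = "parivahan.gov.in"            # from the post: the only legitimate portal
LURE_TOKENS = ("rto", "challan", "parivahan")   # from the post: blackhole these when not official
SUSPECT_PACKAGE_PATTERNS = ("com.mparivahan.*",)  # from the post's MDM query
TRUSTED_INSTALLERS = {"com.android.vending"}    # assumption: Google Play only; anything else is "unknown source"

# Assumption: permissions a sideloaded "government portal" app should never hold.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
}

# Constructed MDM export (assumed format): one row per installed app; an empty
# installer means the package installer/adb, and 'permissions' is a
# space-separated list of permissions the app holds or declares.
SAMPLE_INVENTORY = """\
device,package,installer,permissions
dev-017,com.mparivahan.update,,android.permission.READ_SMS android.permission.RECEIVE_SMS android.permission.BIND_ACCESSIBILITY_SERVICE
dev-017,com.whatsapp,com.android.vending,android.permission.READ_CONTACTS
dev-042,com.rto.service,com.whatsapp,android.permission.READ_CALL_LOG android.permission.BIND_DEVICE_ADMIN
dev-042,com.example.calculator,com.android.vending,
dev-099,com.example.bank,com.android.vending,android.permission.RECEIVE_SMS
"""

# Constructed resolver log (assumed format): "<timestamp> <device> <queried-domain>".
SAMPLE_DNS_LOG = """\
2026-02-04T10:01:00Z dev-017 rtochallan.store
2026-02-04T10:01:05Z dev-017 parivahan.gov.in
2026-02-04T10:02:30Z dev-042 www.parivahan.gov.in
2026-02-04T10:03:10Z dev-042 parivahan.gov.in.verify-challan.net
2026-02-04T10:04:00Z dev-099 mail.example.com
"""


def is_suspect_package(package: str) -> bool:
    """Match the MDM query pattern(s) against a package name."""
    return any(fnmatch(package, pat) for pat in SUSPECT_PACKAGE_PATTERNS)


def is_sideloaded(installer: str) -> bool:
    """Anything not installed by a trusted store counts as 'Unknown Sources'."""
    return installer not in TRUSTED_INSTALLERS


def is_lookalike_domain(domain: str) -> bool:
    """Lure token present, but not the official domain or one of its subdomains."""
    host = domain.lower().rstrip(".")
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return False
    return any(tok in host for tok in LURE_TOKENS)


def high_risk_permissions(granted: str) -> set:
    """Subset of the app's permissions that are red flags on a sideloaded app."""
    return HIGH_RISK_PERMISSIONS & set(granted.split())


def triage_inventory(csv_text: str) -> list:
    """Flag suspect package names and sideloaded apps; list their risky permissions."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if is_suspect_package(row["package"]):
            reasons.append("matches suspect package pattern")
        if is_sideloaded(row["installer"]):
            reasons.append("installed from unknown source")
            risky = high_risk_permissions(row["permissions"])
            if risky:
                reasons.append("high-risk permissions: " + ", ".join(sorted(risky)))
        if reasons:
            findings.append({"device": row["device"], "package": row["package"], "reasons": reasons})
    return findings


def triage_dns(log_text: str) -> list:
    """Return (device, domain) pairs that resolved a lookalike domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the sweep
        _timestamp, device, domain = parts
        if is_lookalike_domain(domain):
            hits.append((device, domain))
    return hits


def affected_devices(inventory_findings: list, dns_hits: list) -> set:
    """Union of devices flagged by either source, i.e. the containment list."""
    return {f["device"] for f in inventory_findings} | {dev for dev, _ in dns_hits}


if __name__ == "__main__":
    inv = triage_inventory(SAMPLE_INVENTORY)
    dns = triage_dns(SAMPLE_DNS_LOG)
    for f in inv:
        print(f"{f['device']} {f['package']}: " + "; ".join(f["reasons"]))
    for dev, dom in dns:
        print(f"{dev} resolved lookalike domain {dom}")
    print("isolate:", sorted(affected_devices(inv, dns)))
```

Two design points are worth noting. The domain check treats only parivahan.gov.in and its subdomains as official, so a host such as parivahan.gov.in.verify-challan.net is still flagged even though it begins with the legitimate name. The permission check is only applied to sideloaded apps: a Play-installed banking app that receives SMS is not a finding here, which keeps the sweep from drowning in noise while still catching the "government portal" app that was delivered over WhatsApp.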
 