Cyble’s CRIL reports a new Android phishing campaign in India that impersonates the Regional Transport Office (RTO) and distributes fake APKs such as VAHAN PARIVAHAN to steal SMS messages and contacts through a Malware-as-a-Service (MaaS) C2 ecosystem. The operation uses WhatsApp for distribution, collects device data, and exfiltrates through a Telegram bot and Firebase, signaling a shift from SMS lures to messaging platforms and to MaaS-enabled operations.
#RTO #VAHAN_PARIVAHAN #ELVIA_INFOTECH #MaaS #WhatsApp #Firebase #Telegram #Simpl
Key points
- CRIL has tracked a surge in Android banking-targeted phishing campaigns in India, now leveraging WhatsApp and broader themes beyond rewards and KYC.
- Attackers moved from SMS to WhatsApp for phishing messages and now include utility bills and government schemes as lure themes.
- An admin panel on the C2 server indicates a Malware-as-a-Service (MaaS) model and shows a support WhatsApp number for links, APKs, and UPI panel help.
- Recent samples have no launcher activity, so no app icon appears in the launcher; this makes the app harder for the victim to notice and uninstall and helps it evade detection.
- The RTO-themed campaign uses the VAHAN PARIVAHAN APK, which prompts for SMS permissions and then runs in the background to collect SMS messages and contacts.
- Stolen data is exfiltrated via a Telegram bot, while Firebase Realtime Database endpoints supply the malware with a phone number and message text, letting the operator send SMS from the infected device for unauthorized verification and messaging.
- Recommendations emphasize user awareness, legitimate app sourcing, and keeping devices and apps updated to mitigate such MaaS-driven campaigns.
MITRE Techniques
- [T1655.001] Masquerading: Match Legitimate Name or Location – “Malware pretending to be Indian banking applications or government entities”
- [T1624.001] Event-Triggered Execution: Broadcast Receivers – “Malware has implemented an SMS broadcast receiver to fetch incoming SMS”
- [T1426] System Information Discovery – “The malware collects basic device information.”
- [T1628.001] Hide Artifacts: Suppress Application Icon – “Malware has no launcher activity, enabling it to hide its icon”
- [T1636.003] Protected User Data: Contact List – “The malware collects contacts from the infected device”
- [T1636.004] Protected User Data: SMS Messages – “Steals SMSs from the infected device”
- [T1437] Application Layer Protocol – “Application using Firebase URL”
- [T1646] Exfiltration Over C2 Channel – “Sending exfiltrated data over C&C server”
Indicators of Compromise
- [Hash] VAHAN PARIVAHAN malicious application – SHA-256 31e92f014c1e64fad475fb3eade116c19464a6978159de55c59e3189a67eb979, SHA-1 e0190113fc10e743b1f0862d498ab5c41d5bd242 and 1 more hash
- [URL] Firebase URL to get mobile number and text message – numnumfour-default-rtdb.firebaseio.com/
- [URL] Telegram bot URL used to send data – api.telegram.org/bot7487929666:AAHotf1RHqgk6W0WbFjXywI458I9r9CmxiM/sendDocument
- [URL] Additional Firebase endpoint for data – hookuptolookup-default-rtdb.firebaseio.com/-1002118750305/.json
- [Domain] C2 domains – api.warnert.online, sallu.info
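The MITRE mapping and IOC list above translate directly into triage checks an analyst can run offline. The following is an added example, not Cyble's code: it parses a decoded AndroidManifest.xml (as produced by apktool) for the three manifest-level behaviours the report describes (SMS/contacts permissions, an SMS_RECEIVED broadcast receiver, and the absence of any MAIN/LAUNCHER activity), and scans free text such as extracted strings or proxy logs for the IOC domains plus generalised Telegram bot-API and Firebase RTDB patterns. Only the domains and the Telegram path come from the IOC list; the package name, manifest, log lines and the bot token in the logs are constructed placeholders.

```python
"""Offline triage for the Android SMS-stealer behaviour described above.

Added example, not Cyble's code. Checks a *decoded* AndroidManifest.xml for
the page's MITRE behaviours and scans free text (strings, proxy logs) for the
page's IOCs. Package name, manifest, log lines and the bot token in the logs
are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Network IOCs taken from the report's IOC list (bot token omitted on purpose).
IOC_DOMAINS = {
    "numnumfour-default-rtdb.firebaseio.com",
    "hookuptolookup-default-rtdb.firebaseio.com",
    "api.warnert.online",
    "sallu.info",
}
# Generalised patterns: any Telegram bot-API exfil call, any Firebase RTDB host.
TELEGRAM_BOT_RE = re.compile(
    r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/send(?:Document|Message)")
FIREBASE_RE = re.compile(r"[a-z0-9-]+-default-rtdb\.firebaseio\.com")

SMS_PERMS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
}


def _filter_has(component, action=None, category=None):
    """True if any <intent-filter> under component carries the action/category."""
    for flt in component.findall("intent-filter"):
        actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
        cats = {c.get(ANDROID_NS + "name") for c in flt.findall("category")}
        if (action is None or action in actions) and (category is None or category in cats):
            return True
    return False


def triage_manifest(manifest_xml):
    """Map manifest features to T1624.001, T1628.001 and T1636.003/.004."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    activities = [] if app is None else app.findall("activity") + app.findall("activity-alias")
    receivers = [] if app is None else app.findall("receiver")
    has_launcher = any(_filter_has(a, "android.intent.action.MAIN",
                                   "android.intent.category.LAUNCHER") for a in activities)
    sms_receivers = [r.get(ANDROID_NS + "name") for r in receivers
                     if _filter_has(r, action=SMS_ACTION)]
    sms_perms = sorted(perms & SMS_PERMS)
    return {
        "sms_permissions": sms_perms,
        "sms_receivers": sms_receivers,
        "hidden_icon": not has_launcher,
        # All three together is the profile this report describes.
        "matches_profile": bool(sms_perms and sms_receivers and not has_launcher),
    }


def scan_text(text):
    """Find report IOCs and generalised Telegram/Firebase exfil patterns in text."""
    lower = text.lower()
    return {
        "ioc_domains": sorted(d for d in IOC_DOMAINS if d in lower),
        "telegram_bot_urls": sorted(set(TELEGRAM_BOT_RE.findall(text))),
        "firebase_hosts": sorted(set(FIREBASE_RE.findall(lower))),
    }


# Constructed sample: no MAIN/LAUNCHER filter, high-priority SMS receiver, SMS perms.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rtosample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="VAHAN PARIVAHAN">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed proxy log lines; the bot token here is a placeholder, not the real one.
SAMPLE_LOGS = """2024-07-01T10:02:11Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAFakeTokenForDemo/sendDocument 200
2024-07-01T10:02:12Z 10.0.0.5 GET https://numnumfour-default-rtdb.firebaseio.com/.json 200
2024-07-01T10:02:13Z 10.0.0.5 GET https://www.example.com/ 200"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(scan_text(SAMPLE_LOGS))
```

The launcher check looks at both `<activity>` and `<activity-alias>` elements, since an alias can carry the MAIN/LAUNCHER filter on a legitimate app; a manifest with SMS permissions, an SMS_RECEIVED receiver and no launcher entry anywhere is the profile this report describes, and `matches_profile` flags exactly that combination. The Telegram pattern matches any bot token rather than the one listed above, so it also catches the next rotation of the same infrastructure.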
Read more: https://cyble.com/blog/regional-transport-office-phishing-scam-targets-android-users-in-india/