RTO Challan Fraud: A Technical Report on APK-Based Financial and Identity Theft

CYFIRMA uncovered a WhatsApp-distributed fraud campaign using a malicious “RTO Challan / e-Challan” Android app that employs a two-stage dropper, heavy obfuscation, and a custom VPN to persistently control devices and exfiltrate data. The malware harvests Aadhaar/PAN, SMS/OTP, telephony and banking credentials via a fake payment interface and communicates with obfuscated C2 domains to enable real-time financial fraud and identity theft. #RTOChallan #jsonserv_xyz

Key points

  • Distribution via WhatsApp social engineering: victims receive deceptively official e-Challan messages that prompt sideloading of a malicious APK.
  • Two-stage hidden installation with advanced obfuscation (NP ApkControlFlowConfusion v3.1.32) to conceal malicious logic and hide the payload from the app launcher.
  • Abuse of android.permission.BIND_VPN_SERVICE to create a custom VPN tunnel that masks C2 traffic, blocks security tooling, and impedes dynamic analysis.
  • Extensive telephony takeover using high-risk permissions (READ_SMS, SEND_SMS, CALL_PHONE, READ_PHONE_STATE) enabling SMS/OTP interception, automated SMS dispatch, call manipulation, and potential USSD-based call-forwarding abuse.
  • Fraudulent payment UI that harvests personal identifiers (Aadhaar, PAN, DOB) and financial credentials (card details, ATM PIN, net-banking, UPI PIN), with deliberate UPI failures to coerce further credential entry.
  • Obfuscated, multi-endpoint C2 infrastructure using fragmented Base64-encoded URLs and domains jsonserv[.]xyz / jsonserv[.]biz for device registration, data upload, and tasking.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Delivered malicious APKs via WhatsApp messages that mimic official challan notices (‘Scammers are distributing fake RTO challan receipt APKs through WhatsApp’).
  • [T1406] Obfuscated Files or Information – APK uses NP ApkControlFlowConfusion and obfuscated manifest strings to hide logic (‘the application’s control-flow logic has been deliberately obfuscated’).
  • [T1421] System Network Connections Discovery – Malware creates and controls a VPN interface to take command of network traffic, enabling network-level discovery and manipulation (‘The malware creates and controls its own VPN interface to take full command of the device’s network traffic’).
  • [T1422] System Network Configuration Discovery – Manifest registers BIND_VPN_SERVICE and intent filters referencing android.net.VpnService to intercept and manipulate network configuration (‘the manifest defines a service … that requests the highly sensitive android.permission.BIND_VPN_SERVICE’).
  • [T1424] Process Discovery – Malware shifts execution threads and uses handlers tied to the main looper when processing exfiltration/upload routines (‘shifts execution back to the main thread using a Handler tied to the main looper’).
  • [T1426] System Information Discovery – DeviceInfo function gathers hardware, OS, carrier, SIM and other system attributes to build a fingerprint (‘DeviceInfo function builds a detailed device fingerprint by gathering system, hardware, model, and brand information along with SIM-related details’).
  • [T1430] Location Tracking – Collection and profiling routines gather device and telephony attributes that support tracking and contextual targeting (‘DeviceInfo function builds a detailed device fingerprint … packaging everything into a structured JSON object’).
  • [T1409] Stored Application Data – Malware collects stored SMS contents, device identifiers and other local artifacts for exfiltration (‘transmit previously collected data, such as SMS contents, device identifiers, or other captured artifacts’).
  • [T1071] Application Layer Protocol – Uses HTTP(S) POST to communicate with C2 endpoints and action-based query parameters for data upload and task retrieval (‘an HTTP POST request is used to transmit previously collected data’ and ‘https://jsonserv.xyz/app-manage?action=’).
  • [T1573] Encrypted Channel – C2 endpoints are HTTPS and the app uses tunneled VPN connections to hide/secure command-and-control communications (‘https://jsonserv.xyz/app-manage?action=’ and VPN tunnel creation to hide C2 communication).

Indicators of Compromise

  • [File Name] Malicious APK filename observed – RTO Challan_v10.0.apk
  • [Package Name] Malicious package identifier – com.ixstqn.android
  • [SHA-256] Known malicious APK hashes – 22cf70a0dd866a4f5addd5d339fad3894a4ebb3e97d597fd7dac9b08899052fb, 9209fc088cdcd7da0161cabf5b9384c2ca790214413ffb437452bcc865c58452
  • [MD5] Additional file fingerprint – 0d299aea599b041ab6a532a778505bab
  • [Domain] C2 and infrastructure domains – jsonserv[.]xyz, jsonserv[.]biz
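The key points above (high-risk telephony permissions, the BIND_VPN_SERVICE binding, and C2 URLs hidden as fragmented Base64 strings) and the IoC list translate directly into a defender's triage routine. The following is an added example written for this page, not CYFIRMA's code or anything from the report: it checks a file's hashes against the listed IoCs, audits a decoded AndroidManifest.xml for the permissions and VpnService wiring the report describes, and reassembles Base64 fragments to see whether they decode to a URL on a known C2 domain. The sample manifest (including the service name `.NetSvc`), the string fragments and the file bytes are constructed for illustration; the fragment order is assumed to be the order in which the app concatenates them.

```python
"""Triage helpers for the RTO Challan APK campaign (added example, not CYFIRMA's code).

Assumes the analyst has already unpacked the APK (e.g. with apktool) and has the
decoded AndroidManifest.xml plus a dump of string constants from the dex code.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators taken from the report's IoC list.
KNOWN_SHA256 = {
    "22cf70a0dd866a4f5addd5d339fad3894a4ebb3e97d597fd7dac9b08899052fb",
    "9209fc088cdcd7da0161cabf5b9384c2ca790214413ffb437452bcc865c58452",
}
KNOWN_MD5 = {"0d299aea599b041ab6a532a778505bab"}
KNOWN_DOMAINS = {"jsonserv.xyz", "jsonserv.biz"}
KNOWN_PACKAGE = "com.ixstqn.android"

# High-risk permissions the report calls out (telephony takeover + VPN abuse).
HIGH_RISK_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.BIND_VPN_SERVICE",
}


def hash_matches_ioc(data: bytes) -> dict:
    """Hash the file bytes and report whether either digest is a known IoC."""
    sha = hashlib.sha256(data).hexdigest()
    md5 = hashlib.md5(data).hexdigest()
    return {"sha256": sha, "md5": md5, "match": sha in KNOWN_SHA256 or md5 in KNOWN_MD5}


def audit_manifest(manifest_xml: str) -> dict:
    """Flag the package name, high-risk permissions and any VpnService binding."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    vpn_services = []
    for svc in root.iter("service"):
        # A VPN service is bound via the service's own android:permission attribute
        # and advertises itself with an android.net.VpnService intent-filter action.
        binds_vpn = svc.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE"
        has_vpn_action = any(a.get(ANDROID_NS + "name") == "android.net.VpnService"
                             for a in svc.iter("action"))
        if binds_vpn or has_vpn_action:
            vpn_services.append(svc.get(ANDROID_NS + "name"))
    return {
        "package": package,
        "known_package": package == KNOWN_PACKAGE,
        "risky_permissions": sorted(perms & HIGH_RISK_PERMS),
        "vpn_services": vpn_services,
    }


def reassemble_c2_urls(fragments: list) -> list:
    """Join Base64 fragments in order, decode them, and return any URLs whose host
    is a known C2 domain. Returns [] when the joined text is not valid Base64."""
    joined = "".join(fragments)
    padded = joined + "=" * (-len(joined) % 4)  # restore stripped padding, if any
    try:
        decoded = base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return []
    hits = []
    for url in re.findall(r"https?://[^\s'\"<>]+", decoded):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host in KNOWN_DOMAINS:
            hits.append(url)
    return hits


# Constructed sample manifest mirroring the report's description (service name is invented).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.ixstqn.android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".NetSvc" android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed fragments: the report's C2 endpoint, Base64-encoded and split in three.
SAMPLE_FRAGMENTS = ["aHR0cHM6Ly9q", "c29uc2Vydi54eXov", "YXBwLW1hbmFnZT9hY3Rpb249"]

if __name__ == "__main__":
    print(hash_matches_ioc(b"constructed sample bytes, not the real APK"))
    print(audit_manifest(SAMPLE_MANIFEST))
    print(reassemble_c2_urls(SAMPLE_FRAGMENTS))
```

Hash matching only catches the two samples listed; the manifest audit and fragment reassembly are the checks that generalize to repackaged variants, since a rebuilt APK changes its hash but still needs the same permissions and the same endpoint to function.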

Read more: https://www.cyfirma.com/research/rto-challan-fraud-a-technical-report-on-apk-based-financial-and-identity-theft/