
RTO phishing campaigns target Indian Android users via WhatsApp


Indian citizens have been receiving phishing messages via WhatsApp that impersonate the Regional Transport Office (RTO). These messages, purported to be official notices for traffic rule violations, prompt users to download a malicious APK file named ‘VAHANPARIVAHAN.apk’.

This malware, devoid of a launcher activity, runs silently in the background, collecting SMS messages and contact lists while sending messages from the infected device.

These phishing campaigns have been running since 2021, targeting bank customers with sophisticated Android malware. Initially disseminated via SMS with enticing themes such as credit card reward points and KYC updates, the attacks have since broadened their scope to include utility bill payments, government schemes and, in the latest iteration, the Regional Transport Office. They are now being spread through WhatsApp messages.

“During our analysis of the applications associated with this campaign, we discovered a Command and Control (C&C) server, “hxxps://sallu[.]info”, which hosts an admin panel. On this admin panel, we found a WhatsApp number, “9238022687”, listed for support related to links, APKs, and UPI panel assistance. We suspect that the threat actor may be utilising a Malware-as-a-Service (MaaS) model offered by certain cybercriminals,” researchers noted.

This MaaS service, provided by cybercriminals, allows for a streamlined deployment of malicious campaigns.

These recent malware strains have been noted for their absence of launcher activity. This tactic prevents the app icon from appearing in the app drawer, making detection and removal more challenging.

Researchers discovered that the malware requests permissions for SMS and contact access upon installation. Subsequently, the malware presents a phishing screen mimicking the login pages of major entities to harvest credentials.

It then prompts users to set it as the default SMS application, allowing it to send device information and contact lists to a Telegram bot URL.

The malware establishes a background service that connects to a Firebase URL and retrieves data such as phone numbers and text messages, which it uses to send SMS messages from the infected device.
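As an added illustration (not code from the article or from Cyble), here is a static triage check a defender can run over an AndroidManifest.xml decoded from an APK with a tool such as apktool, flagging the three traits described above: no launcher activity, SMS and contact permissions, and an SMS_DELIVER receiver, which is what an app must declare to be offered as the default SMS application. The sample manifest is constructed for the example.

```python
# Added example, not from the article or Cyble: static triage of a decoded
# AndroidManifest.xml for the traits the article attributes to the malware.
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
SMS_CONTACT_PERMS = {  # SMS and contact access the article describes
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
}

def filter_actions_and_cats(component):
    """Collect intent-filter action and category names of a component."""
    actions, cats = set(), set()
    for flt in component.findall("intent-filter"):
        actions |= {a.get(NAME) for a in flt.findall("action")}
        cats |= {c.get(NAME) for c in flt.findall("category")}
    return actions, cats

def has_launcher_activity(root):
    """True if any activity declares a MAIN/LAUNCHER intent filter."""
    for act in root.iter("activity"):
        actions, cats = filter_actions_and_cats(act)
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in cats):
            return True
    return False

def triage_manifest(xml_text):
    """Return findings for a decoded manifest (e.g. apktool output)."""
    root = ET.fromstring(xml_text)
    findings = []
    if not has_launcher_activity(root):
        findings.append("no launcher activity (icon hidden from app drawer)")
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    for perm in sorted(perms & SMS_CONTACT_PERMS):
        findings.append("requests " + perm)
    # Handling SMS_DELIVER is what a default-SMS-app candidate must declare.
    for rcv in root.iter("receiver"):
        if "android.provider.Telephony.SMS_DELIVER" in filter_actions_and_cats(rcv)[0]:
            findings.append("declares SMS_DELIVER receiver (default SMS app candidate)")
            break
    return findings

# Constructed sample manifest showing all three traits; not from a real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<application><activity android:name=".Login"/><receiver android:name=".SmsRx">
<intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/>
</intent-filter></receiver></application></manifest>"""
```

A hit on all three checks is a triage signal, not proof of malice; legitimate messaging apps also declare SMS_DELIVER, so findings should be weighed together with the app's origin and signing identity.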

WhatsApp phishing messages impersonating RTOs. | Source: Cyble

Researchers also discovered that the threat actors attempted to exploit techniques identified in 2022. Such a technique involves sending verification messages from the victim’s device, enabling threat actors to verify UPI apps on their own devices. The malware’s activity, including the interception and sending of SMS messages, aligns with this approach.

For example, the malware sends SMS messages beginning with ‘SIMPL’ related to the verification process of the Simpl app, a Buy Now, Pay Later (BNPL) app in India. By intercepting and using these verification codes, attackers can successfully register and verify UPI apps on their devices, potentially committing financial fraud.

Cybersecurity experts have urged users to download and install software only from reputable app stores such as Google Play or the Apple App Store, use antivirus on their computers, employ strong passwords, and use biometric security features to protect themselves from this ongoing phishing campaign.

Furthermore, keeping the device updated and allowing only selected app permissions can also help counter cybercriminals’ phishing tactics.

Cybercriminals have been targeting India for some time now. Recent activities demonstrate how these malicious actors are becoming more advanced and adaptable in their methods.

The shift from traditional SMS to WhatsApp for spreading threats, combined with the utilisation of Malware-as-a-Service (MaaS) frameworks and the lack of obvious launcher activities, makes it increasingly difficult for security experts to identify and counteract these cyber threats effectively.

Last month, it was reported that cyber crooks are using phishing websites to exploit the Paris Olympics 2024. In other news, the WarmCookie phishing campaign targeted job seekers worldwide.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations.