Intel Name: GhostBat RAT: Inside the Resurgence of RTO-Themed Android Malware
Date of Scan: October 15, 2025
Impact: High
Summary: The team has detected a surge in Android malware posing as Indian RTO apps and targeting Indian users to steal sensitive data. The malware spreads via WhatsApp and SMS, using shortened links that redirect to malicious APKs hosted on GitHub or on compromised sites. Once installed, it uses phishing pages to steal banking credentials and UPI PINs, and it intercepts SMS messages containing financial data. Some variants also include cryptocurrency mining features. Infected devices are registered through a Telegram bot named GhostBatRat_bot, which links the threat to the “GhostBat RAT” campaign.