CYFIRMA Research - RTO Challan Fraud: A Technical Report on APK-Based Financial and Identity Theft
Description
CYFIRMA researchers have identified a sophisticated Android malware operation spreading through fake RTO Challan/e-Challan notifications shared over WhatsApp.
The malicious APK uses a two-stage installation, NP-based code obfuscation, and a custom VPN layer to evade detection and keep persistent control over infected devices.
C2 Infrastructure Exposed
Our analysis uncovered two domains used as the campaign's Command-and-Control (C2) backend:
jsonserv[.]xyz
jsonserv[.]biz
Both domains were stored inside the APK as Base64-encoded fragments rather than as plain strings, defeating simple static string matching, and were tied to multiple operational endpoints responsible for:
- Device registration and tracking
- Exfiltration of SMS, OTPs, and personal data
- Task retrieval and fraud orchestration
- APK update and payload delivery
The domains share identical infrastructure traits (GoDaddy registration, Cloudflare DNS, locked modification status), indicating a centrally managed fraud ecosystem aligned with large-scale financial scams targeting Indian users.
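The report states that the C2 domains were split into Base64-encoded fragments inside the APK. The following script is an added example (not CYFIRMA's code or the malware's own reassembly routine) showing how an analyst can recover such domains from a string dump of classes.dex: every Base64-looking string is decoded, adjacent decoded pieces are concatenated, and any result that forms a valid hostname is reported in defanged form. The sample string list, the fragment boundaries ("jsonserv" + ".xyz"), and the decoy strings are constructed assumptions for illustration; only the two final domains come from the report.

```python
"""Recover C2 domains hidden as Base64-encoded fragments in an APK string pool.

Added example, not code from the CYFIRMA report. The fragment layout below
is an assumption; the real sample's split points are not given on the page.
"""
import base64
import binascii
import re

# Constructed sample of what `strings classes.dex` might yield. Fragment
# boundaries and decoy entries are assumptions made for this example.
SAMPLE_STRINGS = [
    "Landroid/telephony/SmsManager;",  # ordinary dex type descriptor
    "anNvbnNlcnY=",                    # base64("jsonserv")
    "Lnh5eg==",                        # base64(".xyz")
    "/api/register",                   # plain path, not Base64 (length % 4 != 0)
    "aGVsbG8gd29ybGQ=",                # base64("hello world"): decoy, not a hostname
    "anNvbnNlcnY=",                    # base64("jsonserv") reused for the second domain
    "LmJpeg==",                        # base64(".biz")
    "OTP",                             # too short to be a Base64 token
]

# Base64 alphabet with optional padding; the length check is done separately.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")
# Hostname: label, then one or more dot-separated labels (lower-cased before matching).
DOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9-]+)+$")


def decode_candidate(s: str):
    """Return the decoded text if `s` is strict Base64 for printable ASCII, else None."""
    if not B64_RE.match(s) or len(s) % 4:
        return None
    try:
        raw = base64.b64decode(s, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def recover_domains(strings, max_parts: int = 4):
    """Decode each string, join runs of adjacent decoded fragments (up to
    `max_parts` pieces), and return every join that forms a valid hostname.

    Fragments are assumed to sit next to each other in the string pool; a
    non-Base64 string ends the run. Order of first discovery is preserved.
    """
    decoded = [decode_candidate(s) for s in strings]
    found = []
    for i, first in enumerate(decoded):
        if first is None:
            continue
        joined = ""
        for j in range(i, min(i + max_parts, len(decoded))):
            if decoded[j] is None:
                break  # run of fragments is broken by a non-Base64 string
            joined += decoded[j]
            cand = joined.lower()
            if DOMAIN_RE.match(cand) and cand not in found:
                found.append(cand)
    return found


def defang(domain: str) -> str:
    """Render a domain so it cannot be clicked or resolved by accident."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    for d in recover_domains(SAMPLE_STRINGS):
        print("possible C2 domain:", defang(d))
```

The adjacency assumption is the weak point: if the malware reassembles fragments that are far apart in the string pool, or pulls them from resources rather than the dex constant pool, the run-based join will miss them, and conversely a greedy join can produce over-long candidates. Treat the output as leads to confirm against the decompiled reassembly routine, not as final IOCs.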
The malware harvests Aadhaar, PAN, phone numbers, banking credentials, UPI PINs, card details, and silently intercepts OTPs—enabling real-time account takeover and unauthorized transactions.
CYFIRMA Recommends:
- Block the C2 domains across your environment
- Enable Google Play Protect and restrict sideloading
- Deploy Mobile Threat Defense (MTD) controls
- Raise awareness of the risks of installing APKs shared via messaging apps
Stay vigilant. Stay secure. For full technical insights, contact CYFIRMA.
Link to the Research Report: https://www.cyfirma.com/research/rto-challan-fraud-a-technical-report-on-apk-based-financial-and-identity-theft/
https://www.cyfirma.com/