Cyble Research and Intelligence Labs (CRIL) researchers have observed a new campaign in which threat actors claiming to be from India’s Regional Transport Office (RTO) have targeted Indian WhatsApp users for phishing operations.
The campaign marks a shift from earlier tactics, such as the use of WhatsApp in recent campaigns instead of SMS for delivering phishing messages. This shift includes a change in focus from banking customers to the targeting of government agencies and utility companies.
Regional Transport Office (RTO) WhatsApp Phishing Scam
The researchers said that since the beginning of 2024, Indian citizens have been observed receiving phishing messages on WhatsApp that impersonate the Regional Transport Office (RTO), also commonly referred to as Vahan Parivahan, a governmental organization in India responsible for vehicle registration, driver licensing, and other transport-related matters.
Targets have received various WhatsApp messages claiming that their vehicle was found to be in violation of traffic rules, with a download link to an app titled “VAHAN PARIVAHAN,” supposedly intended for viewing official citations or a “challan”(government recognized document or receipt).
These phishing messages abused legitimate regional RTO logos in their WhatsApp profile pictures to lend further cover and to lure potential victims to download the attached malware .APK application file.
Once installed, the app requests permissions to access SMS messages and contacts. It runs in the background, collecting device information and sending it to the attackers through a Telegram bot.
The malware then initiates a service to connect to a Firebase URL to retrieve additional lists of phone numbers and text messages. This service is used to deliver SMS messages from infected devices to phone numbers mentioned in the Firebase server.
The researchers from Cyble had earlier noticed a remarkably similar campaign used to target the customers of major Indian banks through the use of malicious bank-related applications purporting to represent major Indian banks, even bearing similar names, icons and user interfaces to official banking apps.
The malware in the earlier campaign was used to collect banking credentials, credit card details, personally identifiable information (PII) and email credentials from victims.
Researchers Observe Advancements in Malware Campaigns
The researchers noted that threat actors have been observed deploying advanced malware strains that do not rely on launcher activities. Examination of the manifest file from the recent campaign reveals the absence of a launcher activity, preventing an app icon from appearing on the app drawer of infected devices and making it harder for victims to identify and uninstall the malware.
The RTO scam reflects broader changes among such campaigns, marked by:
- Shift from SMS to WhatsApp for distribution of phishing messages.
- Focus beyond banking targets to impersonation of legitimate utility bills and government schemes/authorities.
- Use of Malware-as-a-Service (MaaS) in campaigns.
- Additional stealthy tactics such as leaving out launcher activities to evade detection.
Along with sharing of potential Indicators of Compromise (IOCs) and classifying the campaign under MITRE categories, the researchers have listed some recommendations to protect against the campaign:
- Download software only from legitimate official sources such as the Google Play Store or the iOS App Store.
- Use of capable antivirus and internet security tools to scan downloaded software packages across internet-connected devices (PCs, laptops, and mobile devices).
- Use of stronger passwords and multi-factor authentication where possible.
- Use of biometric security functionality such as fingerprints or facial recognition to secure devices.
- Maintain vigilance regarding links received via SMS messages or emails.
- Enable Google Play Protect on Android devices.
- Be careful with permissions granted to downloaded apps.
- Regularly update devices, operating systems, and applications.
The researchers also noted the possibility of stealthy transfer of received digital payment (Unified Payments Interface) verification messages to attacker-operated devices to compromise payment systems within the campaign, as observed in other attacks.
