RTO Challan Fraud: A Technical Report on APK-Based Financial and Identity Theft

Dec. 21, 2025, 7:01 p.m.

Description

A sophisticated mobile fraud operation has been uncovered, distributing a malicious 'RTO Challan / e-Challan' Android application via WhatsApp. The APK uses advanced obfuscation and hidden installation techniques to establish persistent control over victims' devices. It creates a custom VPN tunnel to mask network activity and harvests extensive personal, device, and financial information. The malware intercepts OTPs, manipulates call behavior, and presents a fraudulent payment interface to steal banking credentials. Analysis of the C2 infrastructure revealed obfuscated Base64-encoded URLs pointing to malicious domains. The campaign combines mobile malware, financial fraud, and social engineering, posing a high-risk threat capable of severe monetary losses and large-scale exposure of sensitive personal data.

Date

  • Created: Dec. 12, 2025, 10:09 a.m.
  • Published: Dec. 12, 2025, 10:09 a.m.
  • Modified: Dec. 21, 2025, 7:01 p.m.

Indicators

  • 22cf70a0dd866a4f5addd5d339fad3894a4ebb3e97d597fd7dac9b08899052fb
  • 9209fc088cdcd7da0161cabf5b9384c2ca790214413ffb437452bcc865c58452

Attack Patterns

  • RTO Challan / e-Challan

Additional Information

  • Finance
  • jsonserv.biz
  • jsonserv.xyz
  • India
  • British Indian Ocean Territory