{
  "name": "RTO Challan Fraud: A Technical Report on APK-Based Financial and Identity Theft",
  "slug": "rto-challan-fraud-a-technical-report-on-apk-based-financial-and-identity-theft",
  "description": "A sophisticated mobile fraud operation has been uncovered, distributing a malicious 'RTO Challan / e-Challan' Android application via WhatsApp. The APK uses advanced obfuscation and hidden installation techniques to establish persistent control over victims' devices. It creates a custom VPN tunnel to mask network activity and harvests extensive personal, device, and financial information. The malware intercepts OTPs, manipulates call behavior, and presents a fraudulent payment interface to steal banking credentials. Analysis of the C2 infrastructure revealed obfuscated Base64-encoded URLs pointing to malicious domains. The campaign combines mobile malware, financial fraud, and social engineering, posing a high-risk threat capable of causing severe monetary losses and large-scale exposure of sensitive personal data.",
  "published": "2025-12-12T09:09:15+00:00",
  "created_at": "2025-12-12T09:09:15+00:00",
  "modified_at": "2025-12-21T18:01:12+00:00",
  "created_at_opencti": "2025-12-12T09:09:15+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-12-12",
    "android",
    "apk",
    "e-challan",
    "financial fraud",
    "identity theft",
    "otp interception",
    "rto challan / e-challan",
    "social engineering",
    "vpn abuse",
    "whatsapp"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "22cf70a0dd866a4f5addd5d339fad3894a4ebb3e97d597fd7dac9b08899052fb"
      },
      {
        "id": "",
        "name": "9209fc088cdcd7da0161cabf5b9384c2ca790214413ffb437452bcc865c58452"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:334a5fb6663494a9",
        "name": "RTO Challan / e-Challan",
        "slug": "rto-challan-e-challan"
      }
    ],
    "attack_patterns": [
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "jsonserv.biz"
      },
      {
        "id": "",
        "name": "jsonserv.xyz"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/693be9cb223e15fed06b64de",
    "https://www.cyfirma.com/research/rto-challan-fraud-a-technical-report-on-apk-based-financial-and-identity-theft"
  ]
}