Rapid Response: Zimperium’s Zero-Day Coverage of GhostBat RAT Campaign
Cyble’s recent research sheds light on GhostBat RAT, a resurgence of Android malware disguised as Regional Transport Office (RTO) apps in India, targeting users via socially engineered links and phishing flows. GhostBat leverages WhatsApp messages, SMS with shortened URLs, GitHub-hosted APKs, and compromised web pages to lure victims into installing malicious applications that harvest banking credentials, SMS, and device identifiers.
Once installed, GhostBat presents fake update prompts and overlay pages mimicking legitimate services (for example, mParivahan), aiming to trick users into granting sensitive permissions such as SMS access and overlay control. The malware is modular and adds obfuscation, multi-stage dropper logic, and native libraries to avoid detection and hinder analysis.
The GhostBat campaign is significant for multiple reasons:
- It shows how attacker focus is returning to localized impersonation campaigns using high-trust apps (e.g. RTO portals).
- The distribution vectors combine social engineering (WhatsApp, SMS) with hosted APKs, making the chain from message to installation faster and harder to stop.
- The malware is leveraging native code and dynamic loading to evade static scanning and heuristic-based defenses.
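The permission and packaging traits described above (SMS access plus overlay control, a request to install further packages, native libraries, and an embedded second-stage payload) are cheap to check statically during triage. The following is an added example written for this post, not Zimperium's or Cyble's code, and it makes no claim about how the on-device engine works. It assumes a decoded, text-form AndroidManifest.xml (as apktool produces; a real APK stores the manifest as binary XML) and constructs two sample APK-like zips in memory; the package names and file names are made up for the demonstration.

```python
"""Static triage of an APK's manifest permissions and file listing for the
trait combination GhostBat-style RTO impersonation apps rely on.

Added example; assumes a decoded (text) AndroidManifest.xml inside the zip.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the campaign abuses: SMS harvesting, overlay pages, second-stage install.
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def parse_manifest(manifest_xml):
    """Return (package name, set of requested permissions) from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return package, perms


def triage_apk(apk_bytes):
    """Score an APK zip by the traits an analyst would flag for manual review."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        manifest_xml = z.read("AndroidManifest.xml")
    package, perms = parse_manifest(manifest_xml)

    findings = []
    if perms & SMS_PERMS:
        findings.append("sms_access")
    if OVERLAY_PERM in perms:
        findings.append("overlay")
    if INSTALL_PERM in perms:
        findings.append("installs_packages")
    # Native libraries: used by the campaign to sidestep static scanning of dex code.
    if any(n.startswith("lib/") and n.endswith(".so") for n in names):
        findings.append("native_code")
    # Extra dex/jar/apk under assets/ is a common multi-stage dropper layout.
    if any(n.startswith("assets/") and n.endswith((".dex", ".jar", ".apk")) for n in names):
        findings.append("embedded_payload")

    # SMS + overlay together is the banking-overlay signature; otherwise need 3 traits.
    suspicious = ("sms_access" in findings and "overlay" in findings) or len(findings) >= 3
    return {"package": package, "findings": findings, "verdict": "review" if suspicious else "low"}


def build_sample_apk(manifest_xml, extra_entries):
    """Build a minimal APK-shaped zip in memory (constructed test fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest_xml)
        z.writestr("classes.dex", b"dex\n035\x00")
        for name in extra_entries:
            z.writestr(name, b"\x00")
    return buf.getvalue()


# Constructed manifests; package names and labels are invented for the example.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rto.challan">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Vehicle Update"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application android:label="Weather"/>
</manifest>"""

SUSPICIOUS_APK = build_sample_apk(
    SUSPICIOUS_MANIFEST, ["lib/arm64-v8a/libloader.so", "assets/stage2.jar"]
)
BENIGN_APK = build_sample_apk(BENIGN_MANIFEST, [])

if __name__ == "__main__":
    for apk in (SUSPICIOUS_APK, BENIGN_APK):
        print(triage_apk(apk))
```

The verdict is a triage aid, not a detection on its own: legitimate SMS and accessibility apps request some of these permissions, so the output should route a sample to dynamic analysis rather than block it outright.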
Zimperium Coverage:
Zimperium’s Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) detect the IOCs reported in the original research with high accuracy using our on-device dynamic detection engine. Moreover, on September 29th, 2025, before public disclosure, we detected one instance of this malware on one zDefend-protected device. This shows how the evolution of our models enables us to catch variants and unknown malware samples in a zero-day fashion.
As GhostBat demonstrates, Android malware campaigns are increasingly combining trusted social vectors with advanced evasion techniques. Firms need mobile security that can intercept threats on-device, even when attackers try to mask payloads or use multi-step delivery chains.
For full technical details, see Cyble’s report.