
Inside a Multi-Stage Android Malware Campaign Leveraging RTO-Themed Social Engineering

ID: 6d1c075c-8ec4-583e-b136-ef784deb3dc1

STIX ID: report--6d1c075c-8ec4-583e-b136-ef784deb3dc1

Feed Name: Seqrite Blog

Threat Score
80/100

Date Published: 2026-02-04

Date Updated: 2026-04-30

Author: Digvijay Mane

...
...

This report describes an active, large-scale Android malware campaign in India that impersonates government RTO (Regional Transport Office) services via APKs distributed over WhatsApp. The attack uses a modular three-stage architecture: Stage 1 acts as a dropper and performs cryptomining; Stage 2 establishes persistence and initializes a Firebase-based backend while continuing to mine; and Stage 3 presents fake government UIs to harvest PII, financial credentials, SMS/OTP messages and device metadata. The Firebase backend serves as both a data repository and a C2 channel, enabling live monitoring and remote configuration of infected devices; analysis of the backend records indicates roughly 7,400 infected devices and comprehensive theft of identity and financial information.
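The capabilities summarised above (SMS/OTP interception, a dropper stage, a Firebase backend used as C2, and cryptomining) map onto a few static indicators that an analyst can check in a decoded APK. The script below is an added triage example written for this page; it is not code from the Seqrite report or its author. It assumes an apktool-style decode (a text AndroidManifest.xml plus a blob of extracted strings), and the indicator sets, the sample manifest, the package name and the URLs are all constructed for illustration rather than taken from the campaign.

```python
"""Static triage of a decoded Android APK for the capability mix described above.

Assumes an apktool-style decode: a readable AndroidManifest.xml and a blob of
strings pulled from resources/DEX (e.g. via `strings`). Indicator sets below are
the editor's heuristics, not indicators published in the report.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"

# Heuristic indicator sets (chosen for this example).
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
DROPPER_PERMISSIONS = {"android.permission.REQUEST_INSTALL_PACKAGES"}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Firebase Realtime Database hostnames; a hard-coded one is a C2/exfil candidate.
FIREBASE_HOST = re.compile(
    r"https?://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)\S*", re.I)
# Stratum is the usual pool protocol for embedded miners.
MINING_POOL = re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.I)


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NAME) for p in root.iter("uses-permission")
            if p.get(ANDROID_NAME)}


def sms_receivers(manifest_xml: str) -> list[str]:
    """Return names of <receiver> components filtering on SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID_NAME) for a in receiver.iter("action")}
        if SMS_RECEIVED_ACTION in actions:
            hits.append(receiver.get(ANDROID_NAME, "<unnamed>"))
    return hits


def firebase_endpoints(blob: str) -> list[str]:
    """Return unique Firebase RTDB URLs found in the strings blob."""
    return sorted({m.group(0) for m in FIREBASE_HOST.finditer(blob)})


def mining_pools(blob: str) -> list[str]:
    """Return unique stratum pool URLs found in the strings blob."""
    return sorted({m.group(0) for m in MINING_POOL.finditer(blob)})


def triage(manifest_xml: str, strings_blob: str) -> dict:
    """Combine manifest and string indicators into a triage verdict."""
    perms = manifest_permissions(manifest_xml)
    receivers = sms_receivers(manifest_xml)
    endpoints = firebase_endpoints(strings_blob)
    pools = mining_pools(strings_blob)
    return {
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_receivers": receivers,
        "dropper_permissions": sorted(perms & DROPPER_PERMISSIONS),
        "firebase_endpoints": endpoints,
        "mining_pools": pools,
        # Permission alone is weak; permission plus a broadcast receiver is
        # the combination that actually lets an app read incoming OTPs.
        "otp_theft_capable": bool(perms & SMS_PERMISSIONS) and bool(receivers),
        "firebase_c2_candidate": bool(endpoints),
    }


# Constructed sample input (not from a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rtoservice">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="RTO Services">
        <receiver android:name=".SmsListener" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""
SAMPLE_STRINGS = """
https://rto-demo-default-rtdb.firebaseio.com/devices.json
https://www.example.com/privacy
stratum+tcp://pool.example.net:3333
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

On a real decode, replace the two constructed constants with the contents of `AndroidManifest.xml` and the output of `strings` over the DEX and resource files; a hit on `otp_theft_capable` together with a hard-coded Firebase database URL is the pairing that most closely matches the Stage 3 behaviour described above, and an unexpected `REQUEST_INSTALL_PACKAGES` is the signal that the sample may only be a first stage.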
