Android Brazilian banker with Spyware, Phishing and Ransomware components


SonicWall Capture Labs Threats Research team observed an Android banking malware that has additional components – Spyware, Ransomware, RAT (Remote Access Trojan). Even though this malware appears to be a work in progress, it is still potent enough to cause devastative effects if it infects the right individuals. Currently this malware is targeting Brazilian banks and one of its functionality centers towards stealing Credit Card details of its victims.

Infection Cycle

Upon installation it uses the icon and application name of Google Protect, based on this there is a possibility that this malicious application spreads under the guise of Google Play Protect:

Once executed it displays a screen which states “Activate Protection”, upon clicking the button this malware takes us to the home screen and its icon vanishes from the app drawer. But the malware continues to execute in the background as shown below, this is a typical behavior exhibited by a number of malicious samples:

Initial Network Communication

The malware communicates with the server starting by registering itself once it infects the device:

Sensitive information shared by the malware with the server includes:

  • Phone number
  • Gmail account email
  • Device manufacturer
  • Device model

The malware then upgrades the protocol from HTTP to WebSocket thereby using Websockets as a medium to communicate further:

Soon we started observing commands being sent by the server and the malware’s response to these commands, both were carried out via WebSockets.

Command Structure

The WebSocket direction incoming refers to the commands sent by the server in the variable extra and the direction outgoing refers to the malware’s response to said commands. We have highlighted few interesting ones that we observed during our analysis:

Incoming command – info_list – sends information about the device:

Incoming Command – callLog – sends the call log from the infected device:

Incoming command – contacts – sends contacts stored on the infected device:

Incoming command – ls followed by path of the directory  – sends contents of the directory:

Incoming command – dl followed by path to a file  – sends a particular file to the attacker’s server. In the below example an image file was ex-filtrated from our infected device:

The following image shows a glimpse of hard-coded commands present in the code:

Below is a complete list of commands supported by this malware:

Apart from the commands above there are traces in the code that indicate this malware is capable of the following:

  • Extract GPS related data from the device
  • Record audio from the microphone and save the recordings locally (which can later be ex-filtrated)

Considering that this malware contains abilities to receive and execute commands and the fact that one of the commands is to DDOS a target, there is a possibility that this malware can be operated as a botnet. Additionally based on the commands above this malware can act as a Remote Access Trojan (RAT), perform phishing and extract sensitive information like a spyware.

Banking Targets

This malware contains a list of hard-coded Brazilian banking app names. Additionally there are a number of strings in Portuguese making it apparent that this malware is targeted towards Brazilian users:

If an app from this list is opened, for instance, the malware shows a notification stating – “For your security, we ask that you validate your in-app access data from the Santander Bank”:

Following this it asks the victim for their Credit Card details:

We suspect this information to be saved on h[xx]ps://

Ransomware Component

The malware also contains a ransomware component, but this did not work for us during our time analyzing this threat. There is a class named RansoActivity and within this class is present a typical ransomware message which translates to:

  • All your files have been encrypted and if payment is not made in BTC within the stipulated period all your files will be deleted permanently.


Additional Notes

  • VirustotalRelations can be used to understand if a malware belongs to a larger campaign. We tried to see possible connections of few hardcoded URL’s present in this malware but it did not give us further leads:

  • The developer name for this app is Ervadark Socity, we could not find anything else related to this developer
  • The malware gets updated by downloading an update and storing it in the /Download/ folder as update.apk

Closing Thoughts

Overall it is difficult to categorize this malware considering its list of different functionalities. This malware is capable of targeting users of Brazilian banks and attempt to steal their Credit Card details by showing them phishing pages. Additionally this malware can execute commands sent by an attacker and spy on its victims and finally this malware also has a ransomware (which did not work for us) and DDOS components.

Giving a specific category to this malware is a tough ask !


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: AndroidOS.PhishRansom.LK (Trojan)
  • GAV: AndroidOS.PhishRansom.BK (Trojan)

Details of the sample analyzed:

  • MD5: 78c9bfea25843a0274c38086f50e8b1c
  • Package name:
  • Application name: Google Protect
  • Developer name: Ervadark Socity

Banking targets of this application:



Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.