A potent keylogger on Github


SonicWall Threats Research team came across an interesting Tweet that mentions about a repository on Github. This repository is named as Hakistan and it boasts of hacking related tools. One tool among the list of tools is a keylogger named Hakistan keylogger which does not appear to be created for malicious purposes.


Application details


Interestingly, the application name for this app is Google Service and it has a relevant icon as well. Clearly this keylogger application is trying to masquerade as a legitimate application thereby violating Google Play policies.


Some of the services and receivers in this app request for dangerous permissions like:



Once execution begins, as expected the application requests the victim to grant several permissions and access:

One the required permissions are granted the keylogger keeps running in the background and monitors the victim’s keystrokes. The keystrokes are stored in a file locally as shown:


Additional Features

This keylogger logs more than just keystrokes. Some additional data stolen by this keylogger is as shown below:

Captures SMS on the device


Monitors incoming SMS


Forward SMS present on the device


Captures system information


Clients receive data about vicitims via email messages where the ‘from’ is keylogger@hakistan.org:


In case of the current sample the to address is base64 encoded, which decodes to dashdashpass7@gmail.com


These findings go in line with what is advertised about this keylogger:


Research related tools on Github are dime-a-dozen, if they are being used for research purpose most of them have a disclaimer that states their purpose. In this case the fact that the application is being saved as Google Services with believable icon makes it look a bit suspicious.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOSHakis.KLG (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.