Malicious Android Spyware Employing RAT and Capturing Device Info and User Credentials



The SonicWall Capture Labs threat research team has been actively tracking malware campaigns deploying a formidable Android Remote Access Trojan (RAT). We encountered a variant of that malware equipped with extensive features such as keylogging, theft of sensitive device information and the ability to bypass Google Authenticator, even loading web pages within the application. These functionalities provide attackers with the means to achieve unauthorized access to the victim’s device.

Infection Cycle

This malware utilizes a tactic called icon masquerading, wherein it camouflages itself by adopting the appearance of icons from well-known and legitimate applications.

Figure 1: Malware utilizing well-known application icons

After installation, the malware prompts the victim to activate the Accessibility Service on the targeted device. If the victim grants permission, the malware exploits the Accessibility Service to carry out malicious activities covertly, without the user’s awareness.

Figure 2: Prompt users to activate the accessibility service

Here, the malware author is asking the user to grant device admin permissions.

Figure 3: Device admin code snippet

Accessibility Services make it hard for users to remove the app or install other apps. It can click ‘install’ without needing any input from the user.

Figure 4: Ease of installing other applications granted by Accessibility Services

We initiated the activity responsible for presenting Google Translator and Google News on WebView. Upon launching, the application opens, showcasing the Google account web pages. We noticed the webpage appearing within the malicious application.

Figure 5: Displaying webpage within the malicious application

The spyware sends the gathered sensitive information to a control server when directed by the attacker through the Accessibility Service. The host and port number are encrypted using Base64.

Figure 6: Network connection

The compromised device establishes a connection with the Command and Control (C&C) server and receives various commands to execute operations, as shown in the image below.

Figure 7: C&C server

Google Authenticator creates two-factor authentication (2FA), enhancing security for accounts by adding a second verification step during sign-in. This malicious software bypasses extra security measures by using Accessibility Services to obtain 2FA codes.

Figure 8: Stealing Google authenticator code

It sends messages to the server based on the received commands.

Figure 9: Sends SMS

The code displayed in the image is designed to capture screenshots from the compromised device and subsequently transmit the collected screenshots to the Command and Control (C&C) server.

Figure 10: Forwarding all screenshots to the C&C server

This malware transmits information about the victim’s current location to its remote Command and Control (C&C) server.

Figure 11: Retrieving location info

This code extracts information about all the installed package names.

Figure 12: Reading installed packages.

The code handles a log file on the device’s external storage. It changes certain parts of the log file name and provides all content from the log file.

Figure 13: Log file created for activity monitoring

It establishes a database within web data to store sensitive personal information and credit card details of the targeted individual.

Figure 14: Storing information within a database

This spyware can steal social app credentials by checking if either the "com.facebook.katana" or "com.facebook.lite" app is installed on the device. If found, it uses an overlay attack to display a fake login page, tricking users and stealing their credentials.

Figure 15: Stealing social app credentials

SonicWall Capture Labs provides protection against this threat via SonicWall Capture ATP with RTDMI.


  • 62f027c0a8f856ef30ceba8432cd80a9462e03cf7809ea91fcbac60427f6a1bd
  • 06629bab34a4218262339659590656408c22f33411201d73977fc69700a4e68a
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.