Android Remote Access Trojan Equipped to Harvest Credentials
The SonicWall Capture Labs threat research team has been regularly sharing information about malware targeting Android devices. We’ve encountered similar RAT samples before, but this one includes extra commands and phishing attacks designed to harvest credentials.

The malware impersonates well-known Android apps by reusing their icons, which tricks victims into installing the malicious app on their devices. It may present any of the following icons:


Figure 1: The app icon used by the malware.

Figure 2: Installed malicious app

Infection Cycle

After the malicious app is installed on the victim’s device, it prompts the victim to enable two permissions:

  • Accessibility Service
  • Device Admin Permission

By requesting these permissions, the malicious app aims to gain control over the victim’s device, potentially allowing it to carry out harmful actions or steal sensitive information without the user’s awareness or consent.

Figure 3: Prompt for accessibility permission

Figure 4: Device admin activation

The malicious app establishes a connection with the Command-and-Control server to receive instructions and execute specific tasks accordingly.

Here are some of the commands received from the malware’s Command-and-Control (C&C) server:

Command        Description
dmpsms         Read SMS messages
dmpcall        Read call logs
dmpcon         Read the device contact list
getpackages    List installed package names
changewall     Change the device wallpaper
toasttext      Notification data (toast text)
opweb          Open a URL in the web browser (used for phishing)
vibratedev     Vibrate the device
sendsms        Send SMS messages
tont           Turn on the camera flashlight
tofft          Turn off the camera flashlight


The app's resource file contains the URL of the C&C server, but the server was not active during our analysis.

Figure 5: C&C server

Figure 6 shows the app receiving a command from the C&C server to open a specific URL in the browser, which is how the credential-harvesting page is presented to the victim.

Figure 6: Browser to open specific URL

Some malicious HTML files related to well-known Android applications are in the ‘asset\website’ folder, as shown in the figure below:

Figure 7: Fraudulent HTML Pages

Figure 8: Instances of fraudulent HTML page -1.

Figure 9: Instances of fraudulent HTML page -2.

In these HTML files, the attacker prompts the victim to enter their user ID and password into the input fields.

Figure 10: Retrieves user input

Once the victim submits the form, the page's JavaScript collects the entered credentials and passes all of the user information to the ‘showTt’ function.

Figure 11: Collect user credential
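The traits described above (the Accessibility Service and Device Admin prompts, the C&C command set, and the fraudulent HTML pages bundled under the app's assets) can be checked for statically. The following triage script is an added example, not code from SonicWall or from the malware; the command strings come from the table above, while the file paths, permission names, encoding handling and the scoring threshold are assumed heuristics, and the sample APK it inspects is constructed inline:

```python
import io
import re
import zipfile

# The C&C command strings come from the table above; every other threshold and
# path here is an assumed triage heuristic, not something the post describes.
C2_COMMANDS = [b"dmpsms", b"dmpcall", b"dmpcon", b"getpackages", b"changewall",
               b"toasttext", b"opweb", b"vibratedev", b"sendsms", b"tont", b"tofft"]
ABUSED_PERMS = [b"BIND_ACCESSIBILITY_SERVICE", b"BIND_DEVICE_ADMIN"]
PASSWORD_FIELD = re.compile(rb"<input[^>]+type\s*=\s*['\"]?password", re.I)

def dex_string(s: bytes) -> bytes:
    # DEX string_data_item: ULEB128 length (one byte below 128), MUTF-8 body, NUL.
    return bytes([len(s)]) + s + b"\x00"

def triage_apk(apk: bytes) -> dict:
    """Report which of the post's traits an APK (a zip) shows, plus a coarse verdict."""
    hits = {"permissions": [], "commands": [], "phishing_pages": []}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        manifest = z.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
        dex = b"".join(z.read(n) for n in names if n.endswith(".dex"))
        for perm in ABUSED_PERMS:
            # A compiled AndroidManifest.xml stores its string pool as UTF-8 or UTF-16LE.
            if perm in manifest or perm.decode().encode("utf-16-le") in manifest:
                hits["permissions"].append(perm.decode())
        for cmd in C2_COMMANDS:
            if dex_string(cmd) in dex:  # whole DEX string, not a substring of another one
                hits["commands"].append(cmd.decode())
        for n in names:
            if n.lower().startswith("assets/website/") and n.lower().endswith(".html"):
                if PASSWORD_FIELD.search(z.read(n)):
                    hits["phishing_pages"].append(n)
    # Any two independent traits together count as a match (assumed threshold).
    traits = [len(hits["permissions"]) == 2, len(hits["commands"]) >= 4, bool(hits["phishing_pages"])]
    hits["suspicious"] = sum(traits) >= 2
    return hits

def build_sample_apk() -> bytes:
    """Constructed stand-in for the sample: a zip carrying the traits described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", ("android.permission.BIND_ACCESSIBILITY_SERVICE "
                                           "android.permission.BIND_DEVICE_ADMIN").encode("utf-16-le"))
        z.writestr("classes.dex", b"dex\n035\x00" + b"".join(map(dex_string, C2_COMMANDS)))
        z.writestr("assets/website/login.html",
                   b'<form><input name="uid"><input type="password" name="pw"></form>')
    return buf.getvalue()
```

On a real file, call triage_apk() on the raw APK bytes; note that a sample which encrypts its command strings (as this one does for at least the wallpaper values) will only trip the manifest and asset checks.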

It retrieves all phone numbers stored on the victim’s device.

Figure 12: Fetching contact List

It changes the device's wallpaper to one of several bundled resources, chosen according to whether the ‘str’ parameter matches a decrypted value such as 0, 1, or 2.

Figure 13: Changing the Device Wallpaper

It retrieves information about installed apps on the victim’s device.

Figure 14: Collecting installed package info

The code shown in Figure 15 uses Android's CameraManager to toggle the camera flashlight on the victim's device on or off.

Figure 15: Camera flashlight on-off

It sends an SMS message to a phone number supplied by the C&C server.

Figure 16: Sending a message from the victim’s device

We also noticed that related malicious samples have recently been uploaded to malware-sharing platforms such as VirusTotal.

Figure 17: Latest sample found on VT

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOCs)