Researchers at K7 Security Labs have uncovered a new variant of the SpyMax Android RAT that targets Telegram users and does not require the target device to be rooted.
SpyMax can collect personal information from the infected device and take full control of it. The infection begins with a phishing campaign that invites the victim to download a malicious application named "ready.apk".
In this case ready.apk impersonates Telegram, using an icon identical to the legitimate app's. Once installed, the RAT prompts the user to enable the Accessibility Service for the application; that single permission is what lets it read on-screen text and input events without root.
With that permission granted, the APK behaves as a Trojan with keylogger capabilities. It creates the directory "Config/sys/apps/log" in the device's external storage and writes the captured input to a date-named file, "log-yyyy-mm-dd.log", inside that directory.
Beyond the usual set of targeted data, the malware also collects location information: altitude, latitude, longitude, accuracy, and even the speed at which the device is moving.
SpyMax then aggregates all the collected data and compresses it with Java's GZIPOutputStream before sending it to the C2 server. The RAT communicates with the C2 server at 154.213.65[.]28 on port 7771; because every message is gzip-compressed rather than plaintext, the content of the exchange is obscured from casual inspection.
Once the connection is established, the malware sends the gzip-compressed data to the C2, which in turn responds with a series of compressed messages that, when decompressed, contain system commands and an APK payload.
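The two concrete indicators in the write-up, the keylog directory in external storage and the gzip-compressed exchange with 154.213.65[.]28:7771, are both easy to check for. The script below is an added example written for this page; it is not K7 Labs' code and contains nothing from the SpyMax sample. The fake storage tree, the captured "frames", and the command text "CMD:list_apps" are constructed for the demonstration (the report does not give the command format), and the function names are my own.

```python
"""Triage helpers for the SpyMax indicators described above (added example).

Checks two things the K7 Labs summary gives us: the keylog directory
"Config/sys/apps/log" with "log-YYYY-MM-DD.log" files in external storage, and
gzip-compressed TCP payloads exchanged with 154.213.65[.]28:7771. The sample
file tree and the captured payloads are constructed for this demonstration.
"""
import gzip
import os
import re
import tempfile
import zlib
from pathlib import Path

# Indicators quoted in the K7 Labs summary.
C2_IP = "154.213.65.28"
C2_PORT = 7771
LOG_DIR = Path("Config/sys/apps/log")
LOG_NAME = re.compile(r"^log-\d{4}-\d{2}-\d{2}\.log$")
GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def find_keylog_files(storage_root):
    """Return paths of SpyMax-style keylog files under an external-storage root.

    Directory and file-name pattern are the ones the report gives. A match is an
    indicator, not proof, so the caller should still inspect the file contents.
    """
    log_dir = Path(storage_root) / LOG_DIR
    if not log_dir.is_dir():
        return []
    return sorted(str(p) for p in log_dir.iterdir()
                  if p.is_file() and LOG_NAME.match(p.name))


def decode_c2_payloads(frames):
    """Decompress gzip payloads seen on the C2 socket.

    `frames` is a list of (src_ip, src_port, dst_ip, dst_port, payload) tuples,
    as one would extract from a pcap with tshark or scapy. Frames on other
    sockets are ignored; a frame on the C2 socket that is not valid gzip (for
    example a truncated stream) is kept as raw bytes so nothing is silently lost.
    Returns a list of (direction, bytes) tuples.
    """
    results = []
    for src_ip, src_port, dst_ip, dst_port, payload in frames:
        if (dst_ip, dst_port) == (C2_IP, C2_PORT):
            direction = "to_c2"
        elif (src_ip, src_port) == (C2_IP, C2_PORT):
            direction = "from_c2"
        else:
            continue
        if payload.startswith(GZIP_MAGIC):
            try:
                payload = gzip.decompress(payload)
            except (OSError, EOFError, zlib.error):
                pass  # corrupted or truncated stream: keep the raw bytes
        results.append((direction, payload))
    return results


def build_sample_storage(root):
    """Create a constructed /sdcard-like tree: one matching log plus one decoy."""
    log_dir = Path(root) / LOG_DIR
    log_dir.mkdir(parents=True)
    (log_dir / "log-2024-03-18.log").write_text("[telegram] typed: hello\n")
    (log_dir / "notes.txt").write_text("unrelated file, must not be flagged\n")
    return root


def sample_frames():
    """Constructed capture: exfil to the C2, a command back, and unrelated traffic."""
    exfil = gzip.compress(b"lat=55.75;lon=37.62;alt=156.0;acc=4.5;speed=0.0\n")
    command = gzip.compress(b"CMD:list_apps")  # placeholder command text
    return [
        ("10.0.0.5", 41230, C2_IP, C2_PORT, exfil),
        (C2_IP, C2_PORT, "10.0.0.5", 41230, command),
        ("10.0.0.5", 41231, "93.184.216.34", 443, b"\x16\x03\x01 tls-client-hello"),
    ]


def demo_storage_check():
    """Build the constructed tree in a temp dir and return the flagged basenames."""
    with tempfile.TemporaryDirectory() as sdcard:
        build_sample_storage(sdcard)
        return [os.path.basename(p) for p in find_keylog_files(sdcard)]


if __name__ == "__main__":
    print("keylog artifacts:", demo_storage_check())
    for direction, data in decode_c2_payloads(sample_frames()):
        print(direction, data)
```

On a real device image, point `find_keylog_files` at the mounted external storage (typically the `/sdcard` or `/storage/emulated/0` tree); for a live capture, feed `decode_c2_payloads` the per-packet TCP payloads for the suspect socket and look at the decompressed bytes, since the compression is the only thing hiding the exfiltrated data and the returned commands.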
K7 Labs researchers recommend using antivirus tools to protect against this type of threat, as well as downloading applications only from trusted platforms (although, as practice shows, that is not a panacea either).
Indicators of compromise and a detailed technical analysis are in the report.
https://mega.nz/folder/CJ9RDSDK#lAAWmCmCIexXJl_jLHlV4Q
