SpyMax RAT

Carding Forum

K7 Security Labs researchers have uncovered a new SpyMax Android RAT that targets Telegram users and does not require rooting the target device.

SpyMax RAT is able to collect personal information from an infected device and fully control the devices of victims. Infection is implemented through a phishing campaign, offering to download the malicious application "ready.apk".

At the same time, ready.apk pretends to be Telegram, and the icon used is completely identical to the original one. Once installed, the RAT prompts the user to enable the accessibility service for the app.

Once it has the necessary permissions, the APK acts as a Trojan with keylogger capabilities. It creates the "Config/sys/apps/log" directory in the external device storage, and logs are saved in the "log-yyyy-mm-dd.log" file in the created directory.

In addition to the standard target set, the malware collects information about the device's location: altitude, latitude, longitude, accuracy, and even speed.

After that, SpyMax combines all the data and compresses it (using the GZIPOutputStream API) before sending it to the C2 server. The RAT communicates with the C2 server IP 154.213.65[.]28 on port 7771, masking the connection.

Once the connection is established, the malware sends gzip-compressed data to C2, which in turn responds with a series of compressed data that, once unpacked, contains system commands and an APK payload.

Researchers from K7 Labs recommend using antivirus tools to protect against such threats, as well as using reliable platforms for downloading applications (as practice shows, this is not a panacea).

Compromise indicators and a detailed technical analysis can be found in the report: https://labs.k7computing.com/index.php/spymax-an-android-rat-targets-telegram-users
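As an added defender-side example (not part of the original post or of K7's report), the script below turns the three observables named above into a small triage routine: the keylogger log path, the C2 endpoint, and the gzip layer on the C2 stream. The record formats, function names and sample inputs are constructed assumptions; only the log path pattern, IP and port come from the write-up.

```python
"""Triage helpers for the SpyMax indicators described above (constructed example)."""
import gzip
import re

C2_IP = "154.213.65.28"      # from the write-up (shown defanged there)
C2_PORT = 7771               # from the write-up
# Keylogger output: <ext storage>/Config/sys/apps/log/log-yyyy-mm-dd.log
LOG_FILE_RE = re.compile(r"(^|/)Config/sys/apps/log/log-\d{4}-\d{2}-\d{2}\.log$")
# Assumed connection-record format: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
CONN_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")


def scan_paths(paths):
    """Return file paths that match the RAT's keylogger log location."""
    return [p for p in paths if LOG_FILE_RE.search(p)]


def scan_connections(lines):
    """Return (timestamp, src_ip) for records that reach the known C2 endpoint."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if m and m.group(4) == C2_IP and int(m.group(5)) == C2_PORT:
            hits.append((m.group(1), m.group(2)))
    return hits


def inflate_if_gzip(blob):
    """Decompress a captured C2 payload if it carries the gzip magic, else None."""
    if blob[:2] != b"\x1f\x8b":
        return None
    return gzip.decompress(blob)


# Constructed sample inputs (not real captures)
SAMPLE_PATHS = [
    "/storage/emulated/0/Config/sys/apps/log/log-2024-05-01.log",
    "/storage/emulated/0/Download/notes.txt",
    "/storage/emulated/0/Config/sys/apps/log/readme.txt",
]
SAMPLE_CONNS = [
    "2024-05-01T10:00:01Z 10.0.0.7:41022 -> 154.213.65.28:7771",
    "2024-05-01T10:00:02Z 10.0.0.7:41023 -> 149.154.167.220:443",
]
SAMPLE_PAYLOAD = gzip.compress(b"constructed sample exfil record")

if __name__ == "__main__":
    print(scan_paths(SAMPLE_PATHS))
    print(scan_connections(SAMPLE_CONNS))
    print(inflate_if_gzip(SAMPLE_PAYLOAD))
```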