[MART] - Daily Diary #570 - Meet Dracarys Android Malware

ctas-mat at appgate.com ctas-mat at appgate.com
Tue Aug 9 21:05:05 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

08/09/2022 - Diary entry #570:

This week a new Android spyware was disclosed. Named Dracarys, the trojan was distributed in trojanized versions of social media and instant messaging apps, such as Signal, YouTube, Telegram, and WhatsApp. Dracarys is attributed to the Advanced Persistent Threat (APT) group known as Bitter, active since 2016 and targeting users in New Zealand, India, Pakistan, and the United Kingdom.

Like most of the Android spyware covered in our Daily Diaries, Dracarys abuses the Android accessibility service permission to grant itself further permissions, capture the device screen, and remotely control the device. After the initial infection, Dracarys connects to a Firebase-based C2 server, allowing a remote attacker to retrieve sensitive data from the device (contact list, SMS, installed applications, geolocation) and to capture the device screen, camera, and microphone.

All the applications chosen for trojanizing already ask for sensitive permissions, such as access to call logs and contacts, modifying files, reading SMS, retrieving geolocation, taking pictures, and recording audio, so the malware can request those same permissions without raising suspicion.

The Dracarys trojanized apps were all distributed through phishing pages that asked the user to download and install them from unofficial sources. Users need to be careful when downloading apps from external sources and should rely only on the official stores to install social media and other popular applications. Users also need to be careful about granting the accessibility permission to apps, as it allows full control over the device.
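The two traits described above, an accessibility service added to an app that already legitimately requests sensitive permissions, are what a triage analyst would look for when comparing a suspect APK with the official build. The following script is an added example written for this diary entry, not code from Dracarys or from the original post. It takes two apktool-decoded AndroidManifest.xml documents (both constructed here for illustration; the package name com.example.chat and the service name .AccessService are hypothetical), diffs the suspect against the official baseline, and flags any accessibility service the baseline does not declare. The list of dangerous permissions is taken from the ones the entry names.

```python
"""Manifest-diff triage for a suspected trojanized Android app.

Constructed example: the manifests below stand in for the apktool-decoded
AndroidManifest.xml of the official build (baseline) and of the suspect APK.
"""
import json
import xml.etree.ElementTree as ET

# apktool keeps the android: namespace; ElementTree exposes it as a {uri} prefix
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime permissions the impersonated messaging apps legitimately request
DANGEROUS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# A bindable accessibility service must carry this permission and intent action
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed baseline: a chat app requesting the expected sensitive permissions
BASELINE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Chat">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

# Constructed suspect: same package name and permissions, plus an accessibility
# service and one extra permission (hypothetical additions for the example)
SUSPECT_MANIFEST = BASELINE_MANIFEST.replace(
    '<uses-permission android:name="android.permission.INTERNET"/>',
    '<uses-permission android:name="android.permission.INTERNET"/>\n'
    '    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>',
).replace(
    '<activity android:name=".MainActivity"/>',
    '<activity android:name=".MainActivity"/>\n'
    '        <service android:name=".AccessService"\n'
    '                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"\n'
    '                 android:exported="true">\n'
    '            <intent-filter>\n'
    '                <action android:name="android.accessibilityservice.AccessibilityService"/>\n'
    '            </intent-filter>\n'
    '        </service>',
)


def parse_manifest(manifest_xml):
    """Return (package, requested permission set, accessibility service names)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    services = []
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") != ACCESSIBILITY_PERM:
            continue
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            name = svc.get(ANDROID_NS + "name")
            # Resolve the shorthand ".Class" form to a fully qualified name
            services.append(package + name if name.startswith(".") else name)
    return package, requested, services


def triage(suspect_xml, baseline_xml):
    """Diff the suspect manifest against the official build's manifest."""
    s_pkg, s_perms, s_services = parse_manifest(suspect_xml)
    b_pkg, b_perms, b_services = parse_manifest(baseline_xml)
    added_services = sorted(set(s_services) - set(b_services))
    return {
        "package": s_pkg,
        "same_package_name": s_pkg == b_pkg,
        "dangerous_permissions": sorted(s_perms & DANGEROUS),
        "added_permissions": sorted(s_perms - b_perms),
        "added_accessibility_services": added_services,
        # The shared dangerous permissions alone prove nothing; the new
        # accessibility service is the indicator worth escalating
        "verdict": "suspicious" if added_services else "no accessibility indicators",
    }


if __name__ == "__main__":
    print(json.dumps(triage(SUSPECT_MANIFEST, BASELINE_MANIFEST), indent=2))
```

Because the trojanized build requests the same sensitive permissions as the genuine app, the permission list alone does not separate them; the added accessibility service (and, on a real sample, a signing certificate that differs from the store build, which apksigner verify --print-certs will show) is what distinguishes the two.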

Kind Regards,



Felipe Duarte Domingues
Manager, MART

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
