Categories: Uncategorized

Android Malware Masquerades as Chrome Browser Reads SMS & Intercepts Emails

Threat actors primarily target remote access and control of victims’ devices by employing deceptive tactics. They often create fake apps or pose as legitimate ones to trick users into downloading malicious software, compromising the targeted devices’ security and privacy. 

This approach allows them to gain unauthorized access, potentially steal sensitive information, or carry out other malicious activities. 

Cybersecurity researchers at K7 Security Labs recently identified Rusty Droid RAT, a stealthy Android malware masquerading as a Chrome browser to read SMS and intercept emails.

The malware masquerades as ‘Chrome’

Technical Analysis

Rusty Droid persists by repeatedly prompting the user to enable Accessibility Service, concealing its icon from the app drawer once granted.

Accessibility permission request (Source – K7 Security Labs)

Before linking to C2, the Rusty Droid malware collects the following data:

  • Contact info
  • Accounts
  • App list

With accessibility permissions, it decrypts ‘LqL.json’ to an executable DEX file and deploys ‘settings.xml’ with the C2 server IP and bot ID.

This Trojan abuses the Android Accessibility Service as a keylogger, stealing victims’ data like passwords, credit card details, and messages and sending it to cybercriminals for identity theft and fraud, with a connection to C2 server “176.111.174[.]191.

Malicious C2 Panel (Source – K7 Security Labs)

This malware can collect keystrokes during user interaction with those applications to steal login information, including cryptocurrency wallet seed phrases, by connecting to a control server to get a list of targeted programs.

Apps Targeted

Here below, we have mentioned all the targeted applications:

  • com.android.vending
  • ar.bapro
  • ar.com.santander.rio.mbanking
  • ar.macro
  • at.spardat.bcrmobile
  • at.volksbank.volksbankmobile
  • au.com.amp.myportfolio.android
  • au.com.bankwest.mobile
  • au.com.cua.mb
  • au.com.ingdirect.android
  • au.com.macquarie.banking
  • au.com.mebank.banking
  • au.com.newcastlepermanent
  • au.com.suncorp.SuncorpBank
  • com.BOQSecure
  • com.BankAlBilad
  • com.CredemMobile
  • com.EurobankEFG
  • com.IngDirectAndroid
  • com.a2a.android.burgan
  • com.abnamro.nl.mobile.payments
  • com.adcb.bank
  • com.advantage.RaiffeisenBank
  • com.akbank.android.apps.akbank_direkt
  • com.anz.android.gomoney
  • com.aol.mobile.aolapp   com.appfactory.tmb
  • com.bancodebogota.bancamovil
  • com.bancomer.mbanking
  • com.bancsabadell.wallet
  • com.bankaustria.android.olb
  • com.bankinter.launcher
  • com.bankinter.portugal.bmb
  • com.bankofqueensland.boq
  • com.barclays.android.barclaysmobilebanking
  • com.barclays.ke.mobile.android.ui
  • com.bbva.bbvacontigo
  • com.bbva.netcash
  • com.bbva.nxt_peru
  • com.bcp.bank.bcp
  • com.bendigobank.mobile
  • com.boubyanapp.boubyan.bank
  • com.boursorama.android.clients
  • com.kutxabank.android
  • com.kuveytturk.mobil
  • com.latuabancaperandroid
  • com.caisseepargne.android.mobilebanking
  • com.cajasur.android
  • com.cbd.mobile
  • com.cbq.CBMobile
  • com.chase.sig.android
  • com.cibc.android.mobi
  • com.cic_prod.bad
  • com.citi.citimobile
  • com.citibanamex.banamexmobile
  • com.citibank.mobile.citiuaePAT
  • com.clairmail.fth   com.cm_prod.bad
  • com.coinbase.android
  • com.comarch.mobile.banking.bgzbnpparibas.biznes
  • com.comarch.security.mobilebanking
  • com.commbank.netbank
  • com.csam.icici.bank.imobile
  • com.db.mm.norisbank
  • com.db.mobilebanking
  • com.db.pbc.miabanca
  • com.db.pbc.mibanco
  • com.dib.app
  • com.discoverfinancial.mobile
  • com.finansbank.mobile.cepsube
  • com.finanteq.finance.ca
  • com.fullsix.android.labanquepostale.accountaccess
  • com.fusion.banking
  • com.fusion.beyondbank
  • com.garanti.cepsubesi
  • com.getingroup.mobilebanking
  • com.greater.Greater
  • com.grppl.android.shell.BOS
  • com.grppl.android.shell.CMBlloydsTSB73
  • com.grppl.android.shell.halifax
  • com.htsu.hsbcpersonalbanking
  • com.imaginbank.app
  • com.infonow.bofa
  • com.ingbanktr.ingmobil
  • com.isis_papyrus.raiffeisen_pay_eyewdg
  • com.itau.empresas   com.kasikorn.retail.mbanking.wap
  • com.konylabs.capitalone
  • com.konylabs.cbplpat
  • Com.magiclick.odeabank
  • com.moneybookers.skrillpayments
  • com.mobileloft.alpha.droid

IOCs

IOCs (Source – K7 Security Labs)

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Try a free trial to ensure 100% security.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Hack The box “Ghost” Challenge Cracked – A Detailed Technical Exploit

Cybersecurity researcher "0xdf" has cracked the "Ghost" challenge on Hack The Box (HTB), a premier…

6 hours ago

Sec-Gemini v1 – Google’s New AI Model for Cybersecurity Threat Intelligence

Google has unveiled Sec-Gemini v1, an AI model designed to redefine cybersecurity operations by empowering…

6 hours ago

U.S. Secures Extradition of Rydox Cybercrime Marketplace Admins from Kosovo in Major International Operation

The United States has successfully extradited two Kosovo nationals, Ardit Kutleshi, 26, and Jetmir Kutleshi,…

11 hours ago

Ivanti Fully Patched Connect Secure RCE Vulnerability That Actively Exploited in the Wild

Ivanti has issued an urgent security advisory for CVE-2025-22457, a critical vulnerability impacting Ivanti Connect…

2 days ago

Beware! Weaponized Job Recruitment Emails Spreading BeaverTail and Tropidoor Malware

A concerning malware campaign was disclosed by the AhnLab Security Intelligence Center (ASEC), revealing how…

2 days ago

EncryptHub Ransomware Uncovered Through ChatGPT Use and OPSEC Failures

EncryptHub, a rapidly evolving cybercriminal entity, has come under intense scrutiny following revelations of operational…

2 days ago