Glitch SPY: An Emerging Android RAT Distributed Through a Fake Polish Rental App

Key points

  • Cyble identified Glitch SPY as an emerging Android RAT/builder platform seen on an exposed C&C admin panel.
  • The malware was distributed through a fake Polish rental website, tutaj-dompl[.]com, targeting users in Poland or Polish expats.
  • The downloaded app was the Brokewell Android Loader, which acted as a dropper to install the Glitch SPY payload.
  • Glitch SPY heavily abuses Android Accessibility Service to grant permissions, interact with the UI, extract screen content, and automate device control.
  • The malware supports extensive surveillance and theft, including screen streaming, screenshots, keylogging, SMS/contact/call log collection, camera and microphone capture, file access, and location tracking.
  • It includes a crypto-clipper that swaps copied wallet addresses across ETH/EVM, TRON, Bitcoin legacy, and Bech32 formats with attacker-controlled addresses.
  • The Builder module lets operators customize payloads with app name, package ID, icon, decoy URL, and optional Telegram alerts, showing a reusable campaign framework.
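The crypto-clipper behaviour above (replacing a copied wallet address with an attacker-controlled one of the same format) has a simple observable tell: what comes off the clipboard is a different address of the same family as what the user put on it. The following is an added detection example, not code from the original report or from Cyble; it classifies clipboard text into the four address families the report names (ETH/EVM, TRON, Bitcoin legacy, Bech32) by format only, without checksum validation, and flags copy/paste pairs that show a same-family substitution. The sample events, address values and the `copy`/`paste` event model are constructed for the example.

```python
import re

# Format-only patterns for the address families the report says the clipper
# targets. No checksum validation is done; this is enough to classify
# clipboard text for a substitution heuristic.
ADDRESS_PATTERNS = {
    "eth_evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),            # base58, 34 chars
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),  # P2PKH / P2SH
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),     # bech32 charset, no 1/b/i/o
}


def classify_address(text):
    """Return the address family of `text`, or None if it is not a wallet address."""
    value = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return family
    return None


def detect_clipboard_swaps(events):
    """Flag clipper-style substitutions in a time-ordered clipboard trace.

    `events` is a list of (source, value) tuples where source is "copy" (what
    the user placed on the clipboard) or "paste" (what was read back out).
    A paste that returns a different address of the same family as the most
    recent copy is reported; anything else is ignored.
    """
    alerts = []
    last_copy = None
    for source, value in events:
        if source == "copy":
            last_copy = value.strip()
        elif source == "paste" and last_copy is not None:
            copied_family = classify_address(last_copy)
            pasted = value.strip()
            if (copied_family is not None
                    and pasted != last_copy
                    and classify_address(pasted) == copied_family):
                alerts.append({"family": copied_family,
                               "copied": last_copy, "pasted": pasted})
    return alerts


# Constructed sample trace (not real addresses): one clean round-trip, one
# non-address, and two same-family substitutions.
SAMPLE_EVENTS = [
    ("copy", "bc1q" + "x" * 38), ("paste", "bc1q" + "x" * 38),   # unchanged, fine
    ("copy", "meeting at 10"), ("paste", "meeting at 10"),        # not an address
    ("copy", "0x" + "ab" * 20), ("paste", "0x" + "cd" * 20),      # EVM swap
    ("copy", "T" + "A" * 33), ("paste", "T" + "B" * 33),          # TRON swap
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"[{alert['family']}] copied {alert['copied']} but pasted {alert['pasted']}")
```

On a real device this logic would sit behind a clipboard listener; the point of the heuristic is that a legitimate workflow almost never turns one valid address into a different valid address of the same family between copy and paste, so that pair is worth alerting on even without knowing the attacker's destination addresses.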

MITRE Techniques

  • [T1660] Phishing – The malware was distributed through a deceptive rental-themed website designed to lure victims into downloading the APK. [‘distributed via phishing sites’]
  • [T1624.001] Event Triggered Execution: Broadcast Receivers – The malware implemented a broadcast receiver to support screen capturing and related functions. [‘implemented a broadcast receiver for screen capturing’]
  • [T1629.001] Impair Defenses: Prevent Application Removal – The malware includes logic to stop or interrupt uninstall attempts. [‘Prevent uninstalling application’]
  • [T1628.001] Hide Artifacts: Suppress Application Icon – It hides its launcher icon to reduce visibility on the infected device. [‘Glitch SPY hides its icon’]
  • [T1655.001] Masquerading: Match Legitimate Name or Location – It disguises itself as a legitimate Polish rental application to appear benign. [‘masquerades as a Polish rental application’]
  • [T1516] Input Injection – It performs clicks, swipes, gestures, and text entry to control the device and approve actions. [‘Clicks, swipes, gestures, and enter text into edit fields’]
  • [T1453] Abuse Accessibility Features – It abuses Android Accessibility Service to observe UI elements, extract text, and automate permissions. [‘abuses Accessibility service’]
  • [T1417.001] Input Capture: Keylogging – It includes a keylogging module to capture user keystrokes. [‘Glitch SPY includes a Keylogging module’]
  • [T1418] Software Discovery – It enumerates installed applications on the victim device. [‘collects installed applications’]
  • [T1420] File and Directory Discovery – It lists files and folders from external storage and specified paths. [‘can enumerate files from external storage’]
  • [T1430] Location Tracking – It collects and reports the device location. [‘can collect device location’]
  • [T1426] System Information Discovery – It gathers device metadata and system information. [‘can collect device information’]
  • [T1532] Archive Collected Data – It compresses folders into ZIP archives before exfiltration. [‘compresses the external storage directories as a zip file before sending’]
  • [T1513] Screen Capture – It captures screenshots and live screen frames from the infected device. [‘captures screen content’]
  • [T1429] Audio Capture – It records audio from the infected device through microphone access. [‘can capture Audio’]
  • [T1414] Clipboard Data – It monitors clipboard activity to detect copied wallet addresses. [‘Malware can monitor Clipboard content’]
  • [T1533] Data from Local System – It collects files, including encrypted files, from local storage. [‘Malware collects encrypted files from external storage’]
  • [T1636.003] Protected User Data: Contact List – It extracts the victim’s contact information. [‘Malware collects contact details’]
  • [T1636.004] Protected User Data: SMS Messages – It steals SMS messages from the device. [‘Glitch SPY collects SMS data’]
  • [T1636.005] Protected User Data: Accounts – It collects account information configured on the Android device. [‘Malware collects Account information’]
  • [T1636.002] Protected User Data: Call Log – It gathers call history from the device. [‘Glitch SPY collects Call logs’]
  • [T1437] Application Layer Protocol – It communicates with the C&C over a WebSocket-based channel. [‘Glitch SPY communicates with C2 over TCP’]
  • [T1646] Exfiltration Over C2 Channel – It sends stolen data back to the command-and-control server. [‘Glitch SPY exfiltrates data to the C&C server’]
  • [T1471] Data Encrypted for Impact – It encrypts files on the device and creates .enc files. [‘Malware encrypts all the files present on the device with the .enc extension’]
  • [T1662] Data Destruction – It removes plaintext files after encryption, worsening recovery. [‘Glitch SPY deletes all plain-text files after encryption’]

Indicators of Compromise

  • [URL] Fake rental-app distribution link – hxxps://tutaj-dompl[.]com/Tutajdom.apk
  • [Domain] Command-and-control infrastructure – sportypointsrewards[.]com, gich[.]etherraffleexchange[.]us
  • [File Hash (SHA-256)] Glitch SPY and loader samples – 80af5e921cf8a3052fe4483bb2eb15953590e72ed003ac61c0b9135575c32075, d439475bf09af7b474cdba2c19e136a1dd38e62b088537445ac3c8e4c2d3a8b1
  • [APK / File Name] Malicious download and loader package – Tutajdom.apk, Brokewell Android Loader
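The indicators above are published defanged (`hxxps://`, `[.]`), so they have to be refanged before they can be compared with real proxy, DNS or MDM logs. The following is an added example, not code from the original report or from Cyble, that refangs the page's URL, domain and SHA-256 indicators and sweeps them over log lines. The log format and the sample lines are constructed for the example; the host and hash regexes are assumptions about how such logs are typically laid out, and subdomains of a listed domain are treated as hits.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as published on the page (defanged).
DEFANGED_IOCS = {
    "url": ["hxxps://tutaj-dompl[.]com/Tutajdom.apk"],
    "domain": ["sportypointsrewards[.]com", "gich[.]etherraffleexchange[.]us"],
    "sha256": [
        "80af5e921cf8a3052fe4483bb2eb15953590e72ed003ac61c0b9135575c32075",
        "d439475bf09af7b474cdba2c19e136a1dd38e62b088537445ac3c8e4c2d3a8b1",
    ],
}


def refang(ioc):
    """Undo the common defanging conventions so the value matches live logs."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def build_matchers(iocs):
    """Return (domains, hashes) as lowercase sets; URL hostnames join the domain set."""
    domains = {refang(d).lower() for d in iocs["domain"]}
    for url in iocs["url"]:
        host = urlparse(refang(url)).hostname
        if host:
            domains.add(host.lower())
    hashes = {h.lower() for h in iocs["sha256"]}
    return domains, hashes


# Assumed layouts: a hostname is a dotted label run ending in an alphabetic
# TLD; a SHA-256 is 64 lowercase hex digits on a word boundary.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def scan_log_lines(lines, iocs=DEFANGED_IOCS):
    """Return (line_number, kind, value) for every indicator match, in line order."""
    domains, hashes = build_matchers(iocs)
    hits = []
    for lineno, raw in enumerate(lines, start=1):
        line = raw.lower()
        for host in sorted(set(HOST_RE.findall(line))):
            if host in domains or any(host.endswith("." + d) for d in domains):
                hits.append((lineno, "domain", host))
        for digest in sorted(set(SHA256_RE.findall(line))):
            if digest in hashes:
                hits.append((lineno, "sha256", digest))
    return hits


# Constructed sample log lines (proxy, DNS and MDM events), not real telemetry.
SAMPLE_LOG_LINES = [
    "2024-06-01T10:12:03Z proxy client=10.0.0.7 GET https://tutaj-dompl.com/Tutajdom.apk status=200",
    "2024-06-01T10:14:55Z dns query=sportypointsrewards.com type=A client=10.0.0.7",
    "2024-06-01T10:15:02Z dns query=gich.etherraffleexchange.us type=A client=10.0.0.7",
    "2024-06-01T10:16:40Z mdm apk_installed package=com.example.rent "
    "sha256=80af5e921cf8a3052fe4483bb2eb15953590e72ed003ac61c0b9135575c32075",
    "2024-06-01T10:20:11Z dns query=updates.example.com type=A client=10.0.0.9",
]

if __name__ == "__main__":
    for lineno, kind, value in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {lineno}: {kind} indicator {value}")
```

Matching the URL's hostname rather than the full URL string is deliberate: the same distribution site can serve the APK under other paths, and a DNS log will never contain the path at all.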

Read more: https://cyble.com/blog/glitch-spy-rat-distributed-via-fake-polish-app/