Andromeda: The latest Brazilian DTO malware

ThreatFabric analyzes Andromeda, a newly identified Android banking malware developed in Brazil using the B4A framework, targeting local financial services including Pix. The article outlines capabilities such as overlay attacks, SMS monitoring, PII exfiltration, and remote access via WebRTC, with potential links to GoatRAT and the SickoDevz group. #Andromeda #GoatRAT #SickoDevz #Pix #Brazil #AmexTroll

Key points

  • Andromeda is an in-development Android banking malware built with the Basic For Android (B4A) framework and focused on Brazil.
  • It supports overlay attacks and SMS monitoring to harvest credentials and One-Time Passwords (OTPs), enabling PII exfiltration.
  • Remote Access sessions are a core feature, implemented via a WebRTC-based channel (Janus) for device take-over capabilities.
  • Threat actors potentially linked to SickoDevz and GoatRAT (FantasyMW/CriminalBot) are suspected due to package naming and historical activity in Brazil.
  • Andromeda uses RESTful API endpoints and WebSocket-based commands for C2 communication, e.g., restapi?decision= and real-time commands.
  • The malware leverages the B4A boilerplate or similar code to manage overlay layouts and accessibility actions, resembling AmexTroll in structure but distinct in code.
  • ThreatFabric notes multiple versions appeared in quick succession, indicating active development and ongoing feature expansion.

MITRE Techniques

  • [T1021] Remote Services – Andromeda creates Remote Access sessions to the infected device using WebRTC (Janus) for control. “The other main feature of Andromeda is the capability of creating Remote Access sessions to the infected device.”
  • [T1071.001] Web Protocols – C2 communications run over RESTful API endpoints and WebSocket channels to receive commands. “The Bot communicates with the server using RESTful API using the following endpoints called with the URL format restapi?decision=<cmd>:” and “The commands are received over WebSocket communication.”
  • [T1056.003] Input Capture – Overlay and SMS monitoring are used to capture user input and sensitive data such as PII and OTPs. “overlay attacks and monitor SMS messages received and sent by the victim.”
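The C2 pattern quoted above (REST calls to `restapi?decision=<cmd>`, plus the IP:port pairs and domains listed under Indicators of Compromise) can be turned into a simple proxy-log check. The following is an added example written for this summary, not code from ThreatFabric or the malware; the log format, client addresses and the command values `ping`/`getsms` are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the report; domains are defanged there with "[.]"
# and normalised to real dots here so they match what a proxy would log.
KNOWN_C2 = {
    "5.181.80.138:2222", "5.181.80.10:4444",
    "5.181.80.163:4444", "5.181.80.146:2023",
    "myvnc.andromedafg9482358dggkj[.]com",
    "myvnc.andromedafe34fg09ggskesicko485[.]com",
    "myvnc.dumbdroidmyassbig0fsecbniggga[.]com",
}
KNOWN_C2 = {ioc.replace("[.]", ".") for ioc in KNOWN_C2}

# Constructed sample proxy log: "<timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET http://5.181.80.138:2222/restapi?decision=ping
2024-05-01T10:00:02Z 10.0.0.5 GET https://example.com/index.html
2024-05-01T10:00:03Z 10.0.0.7 POST http://myvnc.andromedafg9482358dggkj.com/restapi?decision=getsms
2024-05-01T10:00:04Z 10.0.0.9 GET http://10.0.0.1/restapi?decision=
"""


def classify_request(url: str) -> Optional[dict]:
    """Return a finding if the URL matches the restapi?decision=<cmd> shape."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/restapi"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if "decision" not in query:
        return None
    # Match either host:port (IP indicators) or bare hostname (domain indicators).
    known = parts.netloc in KNOWN_C2 or (parts.hostname or "") in KNOWN_C2
    return {"host": parts.netloc, "command": query["decision"][0], "known_c2": known}


def scan_log(log_text: str) -> list:
    """Scan proxy log lines and collect requests that look like Andromeda C2."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split(maxsplit=3)
        finding = classify_request(url)
        if finding:
            finding.update(ts=ts, client=client)
            hits.append(finding)
    return hits
```

A hit with `known_c2` false (a new server using the same URL shape) is the case worth triaging first, since IP and domain indicators rotate quickly for an actively developed family.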

Indicators of Compromise

  • [Package Name] – admin5.testing.brother, app.sickpo.newww, sicko.mybott.neww, and sicko.newbot.brabo
  • [SHA256] – c7f19eae9ff56d59c8d9139fcb29fe93a7bad4b6ed66fe82814271465ebbd852, 7091dce65e76ec22a5b3f28edffda92ab7e6691231a003b35c468b7bb6f51826, 6b8c71200c7907ad739bd3587bd922cbd50dfebf97a7c235f3d945213732fba7, d264c39860685fefd99417fe43c74916bcb4f1af3a09e9c0bf200a490f99a46e
  • [IP Address] – 5.181.80.138:2222, 5.181.80.10:4444, 5.181.80.163:4444, 5.181.80.146:2023
  • [Domain] – myvnc.andromedafg9482358dggkj[.]com, myvnc.andromedafe34fg09ggskesicko485[.]com, myvnc.dumbdroidmyassbig0fsecbniggga[.]com

Read more: https://www.threatfabric.com/blogs/andromeda-the-latest-brazilian-dto-malware-0