SpyMax: Android RAT Targeting Telegram Users

SpyMax is an Android RAT targeting Telegram users. It is delivered through a phishing page that impersonates the Telegram app and does not require root access on the victim device. Once installed, it collects keystrokes, location data and other private information, gzip-compresses it, and sends it to a remote C2 server.

Keypoints

  • SpyMax is an Android RAT that does not require the targeted device to be rooted, easing deployment.
  • The phishing campaign impersonates the Telegram app and delivers a malicious ready.apk downloaded from the attacker-controlled domain telegroms[.]icu.
  • Once installed, the app masquerades as Telegram and persistently requests Accessibility Service access.
  • The malware acts as a Trojan with keylogger capabilities and saves keystroke logs to external storage in files named log-YYYY-MM-DD.log.
  • It gathers location data (altitude, latitude, longitude, precision, speed) from the device.
  • Collected data is compressed with gzip and transmitted to a C2 server over a TCP connection to a non-standard port.
  • The C2 workflow includes receiving commands and an APK payload, indicating full remote control and update capabilities.
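The following is an added example, not code from the K7 Labs write-up or from the malware itself: a small Python triage helper that turns the keypoints above (known C2 endpoint, gzip stream on a raw TCP port, log-YYYY-MM-DD.log keylog files) into checks an analyst can run over connection records and file paths. The Flow record, the function names and the sample traffic are constructed here for illustration.

```python
import gzip
import re
from dataclasses import dataclass

# Indicators as summarised on this page (from the K7 Labs write-up).
C2_IP = "154.213.65.28"
C2_PORT = 7771
GZIP_MAGIC = b"\x1f\x8b"          # gzip stream header, visible in the first packet
KEYLOG_NAME = re.compile(r"^log-\d{4}-\d{2}-\d{2}\.log$")
STANDARD_WEB_PORTS = {80, 443}

@dataclass
class Flow:
    """Hypothetical connection record: client, server, port, first payload bytes."""
    src: str
    dst: str
    dport: int
    payload: bytes

def flow_findings(flow: Flow) -> list[str]:
    """Return the reasons a flow matches the SpyMax exfiltration pattern."""
    findings = []
    if flow.dst == C2_IP and flow.dport == C2_PORT:
        findings.append("known SpyMax C2 endpoint")
    if flow.payload.startswith(GZIP_MAGIC) and flow.dport not in STANDARD_WEB_PORTS:
        # gzip data on a raw TCP socket (no HTTP framing) is the exfil signature
        findings.append("gzip stream on non-standard port")
    return findings

def is_keylog_artifact(path: str) -> bool:
    """Match the log-YYYY-MM-DD.log files SpyMax writes to external storage."""
    return KEYLOG_NAME.match(path.rsplit("/", 1)[-1]) is not None

def preview_payload(payload: bytes, limit: int = 200) -> str:
    """Decompress a captured gzip stream for review; empty string if not gzip or truncated."""
    try:
        return gzip.decompress(payload)[:limit].decode("utf-8", "replace")
    except (OSError, EOFError):
        return ""

# Constructed sample traffic: one exfiltration flow, one ordinary TLS handshake.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", C2_IP, C2_PORT, gzip.compress(b"keylog: hello world")),
    Flow("10.0.0.5", "203.0.113.9", 443, b"\x16\x03\x01\x02\x00"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.dst, f.dport, flow_findings(f), repr(preview_payload(f.payload)))
```

The gzip-on-non-standard-port check is deliberately broader than the single IP and port in the IoC list, so it still fires if the operators move the C2 endpoint.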

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – The malware compresses the collected data using the gZIPOutputStream API before sending it to the C2 server. Quote: ‘compresses (using gZIPOutputStream API) them before forwarding it to the C2 server.’
  • [T1083] System Information Discovery – The malware collects location information (altitude, latitude, longitude, precision and speed) from the device. Quote: ‘collects location information like altitude, latitude, longitude, precision and even the speed at which the device is moving.’
  • [T1005] Data from Local System – It gathers personal/private information from the infected device without consent. Quote: ‘gathers personal/private information from the infected device without consent from the user.’
  • [T1056.001] Keylogging – The APK acts as a Trojan with Keylogger capabilities. Quote: ‘This APK acts as a Trojan with Keylogger capabilities.’
  • [T1566.001] Phishing – A phishing campaign targets Telegram users with a fake Telegram app page. Quote: ‘phishing campaign targeting Telegram users.’
  • [T1041] Exfiltration Over C2 Channel – The gzip-compressed data is sent to the C2 server after establishing the connection. Quote: ‘sends the gzip compressed data to the C2 as evident from the network packet’s header.’
  • [T1571] Non-Standard Port – The C2 communication uses a non-standard port (7771). Quote: ‘The RAT contacts the C2 server IP 154.213.65[.]28 via the port: 7771.’

Indicators of Compromise

  • [Package Name] reputation.printer.garmin – 9C42A99693A2D68D7A19D7F090BD2977 – Trojan (005a5d9c1)
  • [URL] https://telegroms[.]icu/assets/download/ready.apk – Context: APK downloaded during phishing campaign
  • [IP] 154.213.65[.]28 – Context: C2 server IP address
  • [Port] 7771 – Context: C2 communication port
  • [Domain] telegroms[.]icu – Context: Phishing domain hosting the malicious APK

Read more: https://labs.k7computing.com/index.php/spymax-an-android-rat-targets-telegram-users/