Rusty Droid: Under the Hood of a Dangerous Android RAT – K7 Labs

Rusty Droid is an Android RAT that masquerades as Chrome (package com.catajuhufepusuwo.xenonome). It repeatedly requests the Accessibility service, then decrypts and loads a DEX payload that steals credentials, SMS content, and other sensitive data while communicating with a hardcoded C2. The malware drops a settings.xml containing the C2 address and bot ID, receives encrypted lists of targeted applications from 176.111.174[.]191, and targets numerous banking and crypto apps.

Keypoints

  • Malware masquerades as “Chrome” (package com.catajuhufepusuwo.xenonome) to appear legitimate.
  • Persistent prompts request Android Accessibility Service; once granted the app hides its icon and gains elevated interaction capabilities.
  • Initial reconnaissance collects contacts, accounts, installed apps, and device details before C2 communication.
  • The APK decrypts LqL.json from assets into an executable DEX, loads it, and drops settings.xml containing the C2 IP and bot ID.
  • The malware abuses the Accessibility Service as a keylogger to capture keystrokes, passwords, seed phrases, and SMS content, and can send or read SMS messages and place premium-rate calls.
  • It connects to the C2 at 176.111.174[.]191:3434, receives an encrypted configuration, decrypts it into a list of targeted (mainly banking and crypto) applications, and monitors user interactions with those apps.
  • Multiple package names and file hashes are provided as IOCs for detection and blocking.

MITRE Techniques

  • [T1036] Masquerading – App masquerades as Chrome to appear legitimate. Quote: ‘Rusty Droid masquerades as “Chrome” as shown in Fig.1.’
  • [T1056.001] Keylogging – The malware uses Android Accessibility Service to capture keystrokes and sensitive data. Quote: ‘Abusing the Android Accessibility Service, this Trojan acts as a keylogger to steal all the victim’s information on the device; capturing passwords, login credentials, credit card details, and personal messages.’
  • [T1140] Deobfuscate/Decode Files or Information – The malicious APK decrypts the payload file from assets to an executable DEX format. Quote: ‘the malicious APK decrypts the malicious payload file called LqL.json from the App’s asset folder as shown in Fig.6, to an executable DEX format and loads the decrypted file.’
  • [T1071] Command and Control – It connects to a C2 server and receives encrypted data, including a list of targeted apps. Quote: ‘The malware connects to the C2 server and receives encrypted data from the server as shown in Fig.9. The encrypted data is decrypted to receive the list of targeted applications.’
  • [T1041] Exfiltration Over C2 Channel – Data is forwarded to cybercriminals via the C2 channel for financial gain or fraud. Quote: ‘This data is then forwarded to cybercriminals, who can exploit it for financial gain or other malicious purposes, leaving victims vulnerable to identity theft and fraud.’

Indicators of Compromise

  • [Package Name] Malicious app package – com.catajuhufepusuwo.xenonome
  • [File Hash] Sample APK hashes – 3bc49abd12c9f0bc3d4f141e2f2376f3, fc876e95f893bf66a5c22f20eceb62ce, and 7 more hashes
  • [C2 IP / URL] settings.xml C2 reference – hxxp://176.111.174[.]191:3434 and 176.111.174[.]191
  • [File Names] Payload and config files – LqL.json (encrypted payload in assets), settings.xml (contains C2 and bot id)
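As an added example (not code from the K7 Labs write-up), the following Python triage script applies the indicators listed above to an APK and to a dropped configuration file: it hashes the APK against the listed sample hashes, checks for the assets/LqL.json payload and for the package name inside the archive entries, and searches settings.xml-style text for the C2 host and port. The APK and settings.xml it inspects are constructed stand-ins; the page does not give the layout of the real settings.xml, so the SharedPreferences-style XML, its `url`/`bot_id` keys and the bot id value are assumptions, and the two 32-character hashes are treated as MD5 (also an assumption, since the page does not name the algorithm). The defanged notation is kept as the page gives it and re-fanged only for matching.

```python
import hashlib
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Indicators summarised on this page (from the K7 Labs write-up).
IOC_MD5 = {
    "3bc49abd12c9f0bc3d4f141e2f2376f3",
    "fc876e95f893bf66a5c22f20eceb62ce",
}
IOC_PACKAGE = "com.catajuhufepusuwo.xenonome"
IOC_C2_HOST = "176.111.174[.]191"   # defanged, as on the page
IOC_ASSET = "assets/LqL.json"


def refang(s: str) -> str:
    """Turn defanged notation (hxxp://, [.]) back into the form found in real artifacts."""
    return (s.replace("[.]", ".")
             .replace("hxxps://", "https://")
             .replace("hxxp://", "http://"))


# Host with an optional :port so that a bare host reference also fires.
C2_RE = re.compile(re.escape(refang(IOC_C2_HOST)) + r"(?::(\d{1,5}))?")


def find_c2_refs(text: str) -> List[Tuple[str, Optional[int]]]:
    """Return (host, port) pairs for every C2 reference in a dropped config such as settings.xml."""
    hits = []
    for m in C2_RE.finditer(refang(text)):
        port = int(m.group(1)) if m.group(1) else None
        hits.append((refang(IOC_C2_HOST), port))
    return hits


def triage_apk(apk_bytes: bytes) -> List[str]:
    """Static checks against the page's IOCs; returns findings (empty list = nothing matched)."""
    findings = []
    digest = hashlib.md5(apk_bytes).hexdigest()
    if digest in IOC_MD5:
        findings.append(f"md5 {digest} matches a listed Rusty Droid sample")
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        if IOC_ASSET in names:
            findings.append(f"{IOC_ASSET} present (encrypted payload decrypted to DEX at runtime)")
        # In classes.dex the package appears as a type descriptor (Lcom/.../xenonome/...);
        # resources may carry the dotted form, so both spellings are checked in every entry.
        needles = [IOC_PACKAGE.encode(), IOC_PACKAGE.replace(".", "/").encode()]
        for name in sorted(names):
            if any(n in z.read(name) for n in needles):
                findings.append(f"package {IOC_PACKAGE} referenced in {name}")
                break
    return findings


def build_sample_apk(include_indicators: bool = True) -> bytes:
    """Constructed stand-in for an APK (a zip with the entries the checks look at); not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary-manifest-placeholder/>")
        if include_indicators:
            z.writestr("classes.dex", b"dex\n035\x00Lcom/catajuhufepusuwo/xenonome/MainActivity;\x00")
            z.writestr(IOC_ASSET, bytes(range(32)))  # stands in for the encrypted payload
        else:
            z.writestr("classes.dex", b"dex\n035\x00Lcom/example/benign/MainActivity;\x00")
    return buf.getvalue()


# Constructed settings.xml (assumed SharedPreferences layout; only the C2 and bot id fields are
# known from the page, and the bot id value is a placeholder).
SAMPLE_SETTINGS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="url">hxxp://176.111.174[.]191:3434</string>
    <string name="bot_id">BOT-ID-PLACEHOLDER</string>
</map>
"""

if __name__ == "__main__":
    for finding in triage_apk(build_sample_apk()):
        print("[!]", finding)
    print(find_c2_refs(SAMPLE_SETTINGS_XML))
```

On a real device image the same functions apply to the installed APK and to the app's shared_prefs directory; a hash miss alone does not clear a sample, since the page lists only some of the hashes and repacked builds change the digest, which is why the asset name, package name and C2 reference are checked independently.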

Read more: https://labs.k7computing.com/index.php/rusty-droid-under-the-hood-of-a-dangerous-android-rat/