Kaspersky crimeware report: Android malware

Kaspersky’s crimeware report summarizes technical analysis of three Android threats—Tambir, Dwphon and Gigabud—detailing their distribution, capabilities and C2 communication methods. The report highlights supply-chain/preinstalled infections, abuse of Android accessibility for credential theft and screen-streaming exfiltration. #Tambir #Gigabud #Dwphon

Key points

  • Kaspersky observed massive mobile activity in 2023 (33.8 million blocked mobile attacks) and more than 1.3 million unique malicious Android installation packages targeting the platform.
  • Tambir is a Turkey-focused backdoor disguised as an IPTV app that requests Accessibility permissions, fetches encrypted C2 addresses from public sources (Telegram/ICQ/X), supports 30+ commands (keylogger control, SMS exfiltration, dialing, app execution) and can change its icon to evade detection.
  • Dwphon appears as a system update component (preinstalled/firmware) and likely stems from a supply-chain compromise; it includes Main, DsSdk and ExtEnabler modules to collect IMSI/system data, manage apps, download files and monitor or start apps.
  • Gigabud is a Kotlin-based RAT (obfuscated with DexGuard and Virbox) targeting banking users; it mimics legitimate apps, captures login credentials, requests Accessibility to simulate touches (bypass 2FA), and streams screen recordings to C2 over WebSocket/RTMP.
  • Distribution vectors include unofficial app marketplaces, preinstalled firmware on devices, phishing and possibly supply-chain insertion of infected system apps.
  • Recommended defenses: avoid unofficial stores, scrutinize app permissions (especially Accessibility), and use up-to-date antimalware to detect obfuscated/embedded threats.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malicious Android apps are distributed via marketplaces and phishing, enabling initial access (‘Malicious Android apps, such as Tambir and Gigabud, are distributed through various channels, including unofficial app marketplaces and phishing campaigns.’)
  • [T1204] User Execution – Victims are tricked into running fake apps that request permissions to enable malicious functionality (‘Victims are tricked into executing malicious apps, such as the fake IPTV app (Tambir) or apps mimicking local airline and loan services (Gigabud).’)
  • [T1402] Application Persistence – Malware persists as system update/application components to survive reboots (‘Dwphon malware persists on the device as a component of the system update application, ensuring its continuous operation even after device reboots.’)
  • [T1134] Access Token Manipulation – Accessibility permissions are requested to perform elevated actions and bypass protections (‘Gigabud requests the accessibility feature to be enabled, allowing it to perform actions with elevated privileges, such as stealing credentials and bypassing 2FA.’)
  • [T1027] Obfuscated Files or Information – Code is obfuscated to hinder detection and analysis (‘Malware like Gigabud uses obfuscation techniques, such as Dexguard and Virbox, to evade detection by security software and analysis.’)
  • [T1056] Input Capture – Credentials and keystrokes are captured via keylogging and input interception (‘Tambir and Gigabud steal credentials by capturing user inputs, such as login details for various services.’)
  • [T1113] Screen Capture – Screen recording/streaming modules capture and stream the device screen to C2 for monitoring (‘Gigabud includes a screen recording module that streams the device’s screen to the C2 server, allowing attackers to monitor the victim’s activities and collect sensitive information.’)
  • [T1071] Application Layer Protocol – C2 communications use HTTP/HTTPS, WebSocket and similar protocols to receive commands and exfiltrate data (‘Malware like Tambir and Gigabud communicate with their C2 servers using protocols like HTTP/HTTPS and WebSocket to receive commands and exfiltrate data.’)
  • [T1041] Exfiltration Over C2 Channel – Stolen data (credentials, recordings) are exfiltrated back to attacker-controlled C2 servers (‘Stolen data, including credentials and screen recordings, are exfiltrated back to the attacker’s C2 server for further exploitation.’)

Indicators of Compromise

  • [File hash] Gigabud sample hashes – 043020302ea8d134afbd5bd37c05d2a8, 0960de9d425b5157720f59c2901d4e3b, and 1 more hash
  • [File hash] Dwphon sample hashes – 042f041108a79ac07d7b3165531faa9a, 1796e678498bf9a067c43769f4096488, and 1 more hash
  • [File hash] Tambir sample hashes – 04807757a54ce0fbc8326ea8b11f8169, 06148a2e5828e6844c2a1a74030d22b6, and 1 more hash

Tambir, Dwphon and Gigabud all rely on social-engineered installation followed by permission escalation: victims install apps (often from unofficial sources or preinstalled firmware) and grant Accessibility or other permissions that enable keylogging, command execution and device control. Tambir retrieves encrypted C2 addresses from public messaging platforms (Telegram/ICQ/X), supports 30+ remote commands (start/stop keylogger, send SMS, dial, run apps) and changes its icon to blend in. Dwphon is modular and appears embedded in system update components, collecting IMSI and system language and offering modules for app management and monitoring (Main, DsSdk, ExtEnabler); its presence in firmware points to a supply-chain compromise.

Gigabud is a Kotlin RAT obfuscated with DexGuard/Virbox that mimics legitimate apps to capture credentials and device info, prompts Accessibility to simulate touch events (bypass 2FA), and contains a screen-recording module that streams the display to C2 via WebSocket or RTMP. Communication and exfiltration use application-layer protocols (HTTP/HTTPS, WebSocket), and the threats use obfuscation and preinstalled persistence to evade detection; defenders should monitor Accessibility grants, scrutinize app sources and analyze suspicious system update components.
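The monitoring step above (reviewing which apps hold Accessibility grants and where they were installed from) can be scripted against adb output. The following is an added triage example, not code from the report: it assumes the two strings were captured with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the sample output and package names are constructed for illustration.

```python
import re
# Constructed sample output (hypothetical package names): a legitimate screen reader
# plus two sideloaded/preinstalled packages holding an accessibility service.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptvplayer/com.example.iptvplayer.AccService:"
    "com.example.sysupdate/.UpdateHelper"
)
PACKAGE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvplayer  installer=null
package:com.example.sysupdate  installer=null
"""
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play
KNOWN_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}  # expected screen reader

def parse_enabled_services(raw):
    """Return {package: service} from the colon-separated secure setting value."""
    out = {}
    for entry in raw.strip().split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            out[pkg] = svc
    return out

def parse_installers(raw):
    """Return {package: installer or None} from `pm list packages -i` output."""
    pat = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
    out = {}
    for line in raw.splitlines():
        m = pat.match(line.strip())
        if m:
            out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out

def triage(services_raw, installers_raw):
    """Flag accessibility grants to unexpected packages, with the reasons for review."""
    installers = parse_installers(installers_raw)
    findings = []
    for pkg, svc in parse_enabled_services(services_raw).items():
        if pkg in KNOWN_A11Y_PACKAGES:
            continue  # an allow-listed screen reader is expected to hold the grant
        reasons = []
        inst = installers.get(pkg)
        if inst not in TRUSTED_INSTALLERS:
            reasons.append("installer=%s" % (inst or "none (sideloaded or preinstalled)"))
        if "update" in pkg.lower():
            reasons.append("poses as a system update component")
        findings.append((pkg, svc, reasons))
    return findings
```

`installer=null` covers both sideloaded and firmware-preinstalled packages, so a flagged "update" package with no installer is the Dwphon-style case worth pulling for analysis.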

Read more: https://securelist.com/crimeware-report-android-malware/112121/