TAXISPY RAT : Analysis of TaxiSpy RAT – Russian Banking – Focused Android Malware with Full Remote Control – CYFIRMA

Analysis of a sophisticated Android banking Trojan (tracked as TaxiSpy) reveals integrated RAT functionality, native library obfuscation, rolling XOR string encryption, Firebase-backed C2, and real-time VNC-like remote control specifically targeting Russian banking apps. The malware exfiltrates SMS, contacts, call logs, notifications, clipboard and keylogging data, can become the default SMS app, and communicates with C2 at 193.233.112[.]229 while using identifiers like worker key 9bc096a5f4ec7ba133d743cbaf4b8a2e. #TaxiSpy #RuTaxi

Keypoints

  • The Android Trojan (TaxiSpy / RuTaxi APK) targets Russian banking users with region-specific app detection and runtime decryption of targeted package names.
  • The malware embeds critical logic in a native library (sysruntime.so) and uses custom rolling XOR decryption and non-linear memory access to hide C2 and Firebase credentials until runtime.
  • It requests extensive high-risk permissions (SMS, Accessibility, overlay, boot persistence) and can become the default SMS app to intercept OTPs and silently send/delete messages.
  • Remote access is implemented via WebSocket-based VNC-like functionality using Accessibility and MediaProjection APIs, enabling screen streaming, PIN capture, and remote interaction.
  • Persistent, multi-layered survivability is achieved through boot auto-start, foreground services, scheduled alarms/jobs, push messaging (Firebase), and Accessibility abuse to prevent removal.
  • Identified IOCs include APK hash, package name (ru.y34tuy.t8595), C2 IP 193.233.112[.]229, worker key 9bc096a5f4ec7ba133d743cbaf4b8a2e, and recovered Firebase API key and XOR keys; YARA rule provided for detection.

MITRE Techniques

  • [T1660] Phishing – Used as an initial access vector in the campaign table (‘T1660: Phishing’)
  • [T1541] Foreground Persistence – Maintains long-running foreground services to reduce termination (‘T1541: Foreground Persistence’)
  • [T1603] Scheduled Task/Job – Uses scheduled alarms and background jobs to periodically revive components (‘T1603: Scheduled Task/Job’)
  • [T1626.001] Device Administrator Permissions – Requests elevated device permissions and persistence mechanisms (‘T1626.001: Device Administrator Permissions’)
  • [T1628] Hide Artifacts – Conceals the app icon by replacing LAUNCHER with INFO and hides strings in the native ‘.rodata’ section (‘T1628: Hide Artifacts’)
  • [T1628.002] User Evasion – Replaces the launcher category to prevent icon visibility and evade user detection (‘T1628.002: User Evasion’)
  • [T1629.001] Prevent Application Removal – Uses Accessibility abuse and other mechanisms to prevent removal (‘T1629.001: Prevent Application Removal’)
  • [T1516] Input Injection – Leverages overlay, Accessibility and MediaProjection for remote control and interaction injection (‘T1516: Input Injection’)
  • [T1414] Clipboard Data – Captures and exfiltrates clipboard contents via API endpoints (‘T1414: Clipboard Data’)
  • [T1417.001] Keylogging – Implements keystroke capture and structured exfiltration of logged input (‘T1417.001: Keylogging’)
  • [T1420] File and Directory Discovery – Gathers installed apps and filesystem information for profiling (‘T1420: File and Directory Discovery’)
  • [T1430] Location Tracking – Collects device location as part of system profiling (‘T1430: Location Tracking’)
  • [T1418] Software Discovery – Enumerates installed applications and classifies banking, marketplace, government, and crypto apps (‘T1418: Software Discovery’)
  • [T1426] System Information Discovery – Collects device model, OS version, SIM metadata and other system info (‘T1426: System Information Discovery’)
  • [T1422] Internet Connection Discovery – Detects network changes to reconnect to command infrastructure (‘T1422: Internet Connection Discovery’)
  • [T1636.001] Calendar Entries – Identified under collection capabilities as a potential exfiltration type (‘T1636.001: Calendar Entries’)
  • [T1636.002] Call Log – Collects and exfiltrates call history to the attacker server (‘T1636.002: Call Log’)
  • [T1636.003] Contact List – Harvests contact lists and sends them to C2 (‘T1636.003: Contact List’)
  • [T1636.004] SMS Messages – Intercepts, harvests and exfiltrates SMS messages, and can act as the default SMS app (‘T1636.004: SMS Messages’)
  • [T1513] Screen Capture – Implements screen capture and VNC-like streaming via MediaProjection (‘T1513: Screen Capture’)
  • [T1512] Video Capture – Uses MediaProjection APIs to capture screen/video for remote surveillance (‘T1512: Video Capture’)
  • [T1437] Application Layer Protocol – Uses HTTP POST and WebSocket for C2 communications (‘T1437: Application Layer Protocol’)
  • [T1437.001] Web Protocols – Specifically employs WebSocket and HTTP for real-time control and data exfiltration (‘T1437.001: Web Protocols’)
  • [T1521] Encrypted Channel – Uses Firebase and other channels for command delivery and persistence (‘T1521: Encrypted Channel’)
  • [T1521.003] SSL Pinning – Employs techniques to secure communications (noted as part of the C2 strategy) (‘T1521.003: SSL Pinning’)
  • [T1481] Web Services – Leverages Firebase and web services for commands and persistence (‘T1481: Web Services’)
  • [T1646] Exfiltration Over C2 Channel – Exfiltrates SMS, contacts, notifications and keystrokes over C2 channels (‘T1646: Exfiltration Over C2 Channel’)

Indicators of Compromise

  • [File Hash] RuTaxi APK sample – 67d5d8283346f850eb560f10424ea5a9ccdca5e6769fbbbf659a3e308987cafd
  • [APK Package] Sample package identity – ru.y34tuy.t8595 (RuTaxi APK)
  • [IP / URL] C2 and exfiltration server – 193.233.112[.]229 (http://193.233.112[.]229), used for HTTP POST and WebSocket communication
  • [String / Worker Key] Campaign identifier – 9bc096a5f4ec7ba133d743cbaf4b8a2e (worker key / campaign ID)
  • [Firebase API Key] Embedded Firebase credential recovered from the native library – AIzaSyAjWqYjz1VbRByhLX8Mu0sXeh6FzIko90 (used for Firebase-backed commands)
  • [File Name] Suspicious native library – sysruntime.so (contains getServerListNative, getBotId and other native routines)
  • [Domain / WebView URL] Embedded WebView target – https://taxi.ru (plaintext WebView URL found in .rodata)
  • [Hexadecimal Keys] XOR keys used for obfuscation – C2 XOR key: B2 1F CC E3 6A 7E 71 F4 0A C0 1D 78 7B 4B 1B 15 2A 2F 24 20 33 1C; Firebase XOR key: 3A 7F B2 1D E9 54 C8 6B
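The two XOR keys above are useful to defenders in two ways: a key that is stored verbatim in the native library's `.rodata` is a cheap, high-confidence byte signature, and once the key is known an analyst can recover the strings it protects. The script below is an added analyst example, not CYFIRMA's code and not the malware's own routine: it scans a binary blob for the published key bytes and applies a repeating-key XOR decoder. The report only describes the scheme as a "rolling XOR", so the exact per-byte key schedule in sysruntime.so is an assumption here (plain repeating-key XOR), and the demo blob and the `C2-PLACEHOLDER.invalid` string are constructed, not bytes taken from the real sample.

```python
"""
Added analyst example (not CYFIRMA's code): use the XOR keys published as
IoCs as byte signatures when scanning a native library, and show a
repeating-key XOR decoder of the kind used to recover obfuscated strings.
The real sysruntime.so routine is NOT reproduced; "rolling XOR" is assumed
to be plain repeating-key XOR for illustration only.
"""
from __future__ import annotations

# Keys exactly as listed in the IoC section of the report.
C2_XOR_KEY = bytes.fromhex("B21FCCE36A7E71F40AC01D787B4B1B152A2F2420331C")
FIREBASE_XOR_KEY = bytes.fromhex("3A7FB21DE954C86B")

IOC_KEYS = {
    "taxispy_c2_xor_key": C2_XOR_KEY,
    "taxispy_firebase_xor_key": FIREBASE_XOR_KEY,
}


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (symmetric: encode == decode)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_key_signatures(blob: bytes) -> dict[str, list[int]]:
    """Return every offset at which a known XOR key appears in blob.

    An 8- or 22-byte sequence is very unlikely to occur in benign code by
    chance, so a verbatim hit is a strong indicator on its own.
    """
    hits: dict[str, list[int]] = {}
    for name, key in IOC_KEYS.items():
        offsets = []
        start = blob.find(key)
        while start != -1:
            offsets.append(start)
            start = blob.find(key, start + 1)
        if offsets:
            hits[name] = offsets
    return hits


def scan_file(path: str) -> dict[str, list[int]]:
    """Scan an extracted native library (e.g. lib/arm64-v8a/sysruntime.so)."""
    with open(path, "rb") as fh:
        return find_key_signatures(fh.read())


# --- Constructed demo blob (NOT bytes from the real sample) -----------------
# A fake .rodata layout: padding, the plaintext WebView URL from the IoC list,
# the C2 key itself, then a placeholder "C2 address" encoded with that key.
PLACEHOLDER_C2 = b"http://C2-PLACEHOLDER.invalid/"
DEMO_BLOB = (
    b"\x00" * 16
    + b"https://taxi.ru\x00"
    + C2_XOR_KEY
    + xor_repeating(PLACEHOLDER_C2, C2_XOR_KEY)
    + b"\x00" * 8
)


def demo() -> tuple[dict[str, list[int]], bytes]:
    """Locate the key inside the demo blob and decode the bytes after it."""
    hits = find_key_signatures(DEMO_BLOB)
    key_off = hits["taxispy_c2_xor_key"][0]
    enc_start = key_off + len(C2_XOR_KEY)
    enc = DEMO_BLOB[enc_start:enc_start + len(PLACEHOLDER_C2)]
    return hits, xor_repeating(enc, C2_XOR_KEY)


if __name__ == "__main__":
    found, plain = demo()
    print("signature hits:", found)   # {'taxispy_c2_xor_key': [32]}
    print("decoded:", plain.decode())  # http://C2-PLACEHOLDER.invalid/
```

In practice, run `scan_file()` over every `.so` unpacked from the APK; a hit on either key, together with the package name and file hash listed above, is enough to flag the sample for triage. Where the decoded output is not readable, the key schedule differs from the repeating-key assumption and the native decryption routine has to be read directly.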


Read more: https://www.cyfirma.com/research/taxispy-rat-analysis-of-taxispy-rat-russian-banking-focused-android-malware-with-full-remote-control/