Keypoints
- Cyble identified Glitch SPY as an emerging Android RAT/builder platform seen on an exposed C&C admin panel.
- The malware was distributed through a fake Polish rental website, tutaj-dompl[.]com, targeting users in Poland or Polish expats.
- The downloaded app was the Brokewell Android Loader, which acted as a dropper to install the Glitch SPY payload.
- Glitch SPY heavily abuses Android Accessibility Service to grant permissions, interact with the UI, extract screen content, and automate device control.
- The malware supports extensive surveillance and theft, including screen streaming, screenshots, keylogging, SMS/contact/call log collection, camera and microphone capture, file access, and location tracking.
- It includes a crypto-clipper that swaps copied wallet addresses across ETH/EVM, TRON, Bitcoin legacy, and Bech32 formats with attacker-controlled addresses.
- The Builder module lets operators customize payloads with app name, package ID, icon, decoy URL, and optional Telegram alerts, showing a reusable campaign framework.
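The crypto-clipper described above works by recognising which address family is on the clipboard and substituting an attacker address of the same family, so the pasted value still looks right to the victim. The following is an added example, not code from Cyble or from the malware: it classifies the four formats named in the report (ETH/EVM, TRON, Bitcoin legacy, Bech32) with syntactic patterns only (no checksum validation), simulates the swap, and shows the defender-side check a clipboard-monitoring tool would run: compare what was copied with what is about to be pasted and flag same-family addresses that changed. All sample and attacker addresses are constructed for the example; the Bech32 pattern assumes lowercase addresses.

```python
import re

# Syntactic patterns for the four families the report says the clipper swaps.
# No checksum validation: a clipper does not need it either, it only needs to
# know which family to substitute.
FAMILIES = {
    "eth_evm":    re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc_bech32": re.compile(r"bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,59}"),
    "tron":       re.compile(r"T[1-9A-HJ-NP-Za-km-z]{33}"),
    "btc_legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
}

# One scanner over free text; alternation order matters (ETH and Bech32 before
# the Base58 families) and the look-arounds stop partial matches inside longer tokens.
ANY_ADDRESS = re.compile(
    r"(?<![0-9A-Za-z])(" + "|".join(p.pattern for p in FAMILIES.values()) + r")(?![0-9A-Za-z])"
)


def classify(token):
    """Return the address family of a single token, or None if it is not an address."""
    for family, pat in FAMILIES.items():
        if pat.fullmatch(token):
            return family
    return None


def find_addresses(text):
    """All (family, address) pairs found in text, in order of appearance."""
    return [(classify(m.group(1)), m.group(1)) for m in ANY_ADDRESS.finditer(text)]


def clip_swap(text, attacker):
    """Simulate the clipper: replace every address with the attacker's address
    of the same family, leaving other families and non-address text untouched."""
    def repl(m):
        fam = classify(m.group(1))
        return attacker.get(fam, m.group(1))
    return ANY_ADDRESS.sub(repl, text)


def detect_substitution(copied, pasted):
    """Defender-side check: addresses of the same family that differ between the
    value that was copied and the value that is about to be pasted."""
    swaps = []
    for (fam_b, addr_b), (fam_a, addr_a) in zip(find_addresses(copied), find_addresses(pasted)):
        if fam_b == fam_a and addr_b != addr_a:
            swaps.append((fam_b, addr_b, addr_a))
    return swaps


# Constructed attacker addresses (syntactically valid, not real wallets).
ATTACKER = {
    "eth_evm":    "0x" + "deadbeef" * 5,
    "btc_bech32": "bc1q" + "z" * 38,
    "tron":       "T" + "A" * 33,
    "btc_legacy": "1" + "A" * 33,
}

# Constructed clipboard content: an ETH address and a Bech32 address in one note.
SAMPLE_CLIPBOARD = (
    "Send 0.5 ETH to 0x52908400098527886E0F7030069857D2E4169EE7 "
    "or BTC to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq; invoice 1234"
)

if __name__ == "__main__":
    tampered = clip_swap(SAMPLE_CLIPBOARD, ATTACKER)
    for fam, before, after in detect_substitution(SAMPLE_CLIPBOARD, tampered):
        print(f"{fam}: {before} -> {after}")
```

The check in `detect_substitution` only works if the monitor captured the clipboard at copy time; a clipper that rewrites the clipboard immediately on change leaves nothing else to compare against, which is why the report's accessibility-based UI control matters as much as the swap itself.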
MITRE Techniques
- [T1660] Phishing: The malware was distributed through a deceptive rental-themed website designed to lure victims into downloading the APK. ["distributed via phishing sites"]
- [T1624.001] Event Triggered Execution: Broadcast Receivers: The malware implements a broadcast receiver to support screen capturing and related functions. ["implemented a broadcast receiver for screen capturing"]
- [T1629.001] Impair Defenses: Prevent Application Removal: The malware includes logic to stop or interrupt uninstall attempts. ["Prevent uninstalling application"]
- [T1628.001] Hide Artifacts: Suppress Application Icon: It hides its launcher icon to reduce visibility on the infected device. ["Glitch SPY hides its icon"]
- [T1655.001] Masquerading: Match Legitimate Name or Location: It disguises itself as a legitimate Polish rental application to appear benign. ["masquerades as a Polish rental application"]
- [T1516] Input Injection: It performs clicks, swipes, gestures, and text entry to control the device and approve actions. ["Clicks, swipes, gestures, and enter text into edit fields"]
- [T1453] Abuse Accessibility Features: It abuses the Android Accessibility Service to observe UI elements, extract text, and automate permission grants. ["abuses Accessibility service"]
- [T1417.001] Input Capture: Keylogging: It includes a keylogging module to capture user keystrokes. ["Glitch SPY includes a Keylogging module"]
- [T1418] Software Discovery: It enumerates installed applications on the victim device. ["collects installed applications"]
- [T1420] File and Directory Discovery: It lists files and folders from external storage and specified paths. ["can enumerate files from external storage"]
- [T1430] Location Tracking: It collects and reports the device location. ["can collect device location"]
- [T1426] System Information Discovery: It gathers device metadata and system information. ["can collect device information"]
- [T1532] Archive Collected Data: It compresses folders into ZIP archives before exfiltration. ["compresses the external storage directories as a zip file before sending"]
- [T1513] Screen Capture: It captures screenshots and live screen frames from the infected device. ["captures screen content"]
- [T1429] Audio Capture: It records audio from the infected device through microphone access. ["can capture Audio"]
- [T1414] Clipboard Data: It monitors clipboard activity to detect copied wallet addresses. ["Malware can monitor Clipboard content"]
- [T1533] Data from Local System: It collects files, including the files it has encrypted, from local storage. ["Malware collects encrypted files from external storage"]
- [T1636.003] Protected User Data: Contact List: It extracts the victim's contact information. ["Malware collects contact details"]
- [T1636.004] Protected User Data: SMS Messages: It steals SMS messages from the device. ["Glitch SPY collects SMS data"]
- [T1636.005] Protected User Data: Accounts: It collects account information configured on the Android device. ["Malware collects Account information"]
- [T1636.002] Protected User Data: Call Log: It gathers call history from the device. ["Glitch SPY collects Call logs"]
- [T1437] Application Layer Protocol: It communicates with the C&C over a WebSocket-based channel (carried over TCP, as the source note puts it). ["Glitch SPY communicates with C2 over TCP"]
- [T1646] Exfiltration Over C2 Channel: It sends stolen data back to the command-and-control server. ["Glitch SPY exfiltrates data to the C&C server"]
- [T1471] Data Encrypted for Impact: It encrypts files on the device and writes them out as .enc files. ["Malware encrypts all the files present on the device with the .enc extension"]
- [T1662] Data Destruction: It deletes the plaintext files after encryption, leaving only the .enc copies and making recovery harder. ["Glitch SPY deletes all plain-text files after encryption"]
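Several of the techniques above (T1453, T1516, T1629.001) depend on the malware holding an enabled accessibility service, which is also the most reliable thing to check during triage of a suspect Android device. The following is an added example, not code from Cyble or from the report: it parses the value Android keeps in `Settings.Secure.enabled_accessibility_services` (a colon-separated list of `package/service` entries, or the string `null` when none is enabled, as returned by `adb shell settings get secure enabled_accessibility_services`) and flags every enabled service whose package is not on an allowlist. The allowlist contents and the sample output, including the second package name, are constructed for the example and are not indicators from the report.

```python
import subprocess

# Assumed allowlist of accessibility services expected on the device (illustrative only;
# a real fleet would carry its own list, e.g. screen readers that are actually deployed).
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Parse the colon-separated 'package/service' list Android stores in
    Settings.Secure.enabled_accessibility_services. The setting reads 'null'
    when no accessibility service has ever been enabled."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    return [svc for svc in raw.split(":") if svc]


def flag_unexpected(raw, allowlist=ALLOWLIST):
    """Return every enabled service whose package name is not on the allowlist.
    Each entry is 'package/fully.qualified.ServiceClass'; only the package is compared."""
    return [svc for svc in parse_enabled_services(raw)
            if svc.split("/", 1)[0] not in allowlist]


def read_from_device(serial=None):
    """Pull the live value over adb (needs a connected device with USB debugging).
    Not exercised here; the example below runs on constructed sample output."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample of the setting's value; the second package name is hypothetical.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.tutajdom.app/com.tutajdom.app.AccService"
)

if __name__ == "__main__":
    for svc in flag_unexpected(SAMPLE_SETTING):
        print("unexpected accessibility service enabled:", svc)
```

A hit here is not proof of compromise on its own, but combined with a hidden launcher icon (T1628.001) and a package installed from outside a store it is a strong signal; the same `settings get secure` call can be issued from a device-management agent without adb.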
Indicators of Compromise
- [URL] Fake rental-app distribution link: hxxps://tutaj-dompl[.]com/Tutajdom.apk
- [Domain] Command-and-control infrastructure: sportypointsrewards[.]com, gich[.]etherraffleexchange[.]us
- [File Hash (SHA-256)] Glitch SPY and loader samples: 80af5e921cf8a3052fe4483bb2eb15953590e72ed003ac61c0b9135575c32075, d439475bf09af7b474cdba2c19e136a1dd38e62b088537445ac3c8e4c2d3a8b1
- [APK / File Name] Malicious download and loader package: Tutajdom.apk, Brokewell Android Loader
Read more: https://cyble.com/blog/glitch-spy-rat-distributed-via-fake-polish-app/