Android Banking Trojan Uses Native Obfuscation and Firebase C2 to Target Russian Financial Apps

This report presents a detailed analysis of a sophisticated Android malware sample designed to target users within the Russian ecosystem. The malicious application functions as a banking Trojan with remote access capabilities, enabling attackers to monitor victims, intercept sensitive data, and execute commands remotely.

The malware demonstrates a high level of technical maturity. It integrates native code components, runtime decryption mechanisms, and Firebase-based command channels to maintain stealth and persistence. Through extensive permission abuse and advanced monitoring techniques, the malware collects a wide range of sensitive information from infected devices.

Source: Cyfirma

The threat appears to be financially motivated. Its architecture specifically targets Russian banking applications, enabling attackers to intercept authentication codes, observe transactions, and potentially perform fraudulent operations.

Given its capabilities—including full SMS control, real-time screen monitoring, credential harvesting, and remote device manipulation—this malware represents a significant risk to both individual users and financial institutions operating in the affected region.


Malware Capability Overview

1. Permission Abuse and Privilege Acquisition

The application requests an unusually large number of sensitive Android permissions. These permissions provide the malware with extensive surveillance and control capabilities.

Requested permissions include access to:

  • SMS messages
  • Call logs
  • Contacts
  • Device phone state
  • Location data
  • Overlay display capabilities
  • Installed package visibility
  • Boot persistence
  • Exact alarm scheduling
  • Battery optimization bypass

One particularly dangerous capability is the request to become the default SMS application. Once granted, the malware gains unrestricted access to SMS functionality, allowing it to read, send, and delete messages. This enables interception of one-time passwords (OTPs) and other authentication messages.


2. Targeted Banking Application Monitoring

The malware actively scans the device for installed applications and categorizes them by type.

It specifically identifies:

  • Banking applications
  • Cryptocurrency wallets
  • Government services
  • Online marketplaces

The malware maintains a list of targeted banking applications associated with Russian financial institutions. These application identifiers are stored in encrypted form and are decrypted during runtime using custom XOR routines.

This functionality allows attackers to monitor activity related to specific banks and potentially intercept financial credentials or transactions.


3. Data Collection and Exfiltration

Once installed, the malware begins harvesting a variety of sensitive data from the compromised device.

Collected information includes:

  • SMS messages
  • Contacts
  • Call history
  • Clipboard contents
  • Installed application lists
  • Notification data
  • One-time passwords
  • Lock screen PINs
  • Keystroke logs

This information is transmitted to the attacker’s command-and-control infrastructure for further analysis or exploitation.


4. Native Code Integration and Obfuscation

To avoid detection and complicate reverse engineering, the malware shifts critical functionality into a native shared library named:

sysruntime.so

The use of native code provides several advantages for the attacker:

  • Increased difficulty for static analysis tools
  • Concealment of sensitive configuration data
  • Increased resistance to signature-based detection

Sensitive values such as command servers and configuration parameters are stored in encrypted form and decrypted only during execution.


5. Command-and-Control Communication

The malware communicates with a remote command server located at:

193.233.112[.]229

Communication occurs using both HTTP POST requests and WebSocket connections.

The command infrastructure supports:

  • Execution of attacker commands
  • Transmission of stolen data
  • Configuration updates
  • Remote control operations

Additionally, the malware integrates Firebase push messaging, which enables attackers to trigger commands or wake the malware even when it is running in the background.


6. Remote Device Control

The malware implements a remote monitoring capability similar to VNC remote desktop functionality.

Using a combination of:

  • Accessibility Services
  • MediaProjection APIs
  • WebSocket streaming

attackers can observe the device screen in real time and monitor user interactions.

This functionality enables:

  • Screen recording
  • Transaction monitoring
  • Credential capture
  • Active manipulation of the device interface

7. Persistence and Stealth Mechanisms

The malware implements several redundant persistence mechanisms to ensure it remains active on the device.

These include:

  • Automatic launch during device boot
  • Long-running foreground services
  • Abuse of Accessibility permissions
  • Scheduled background alarms
  • Push message triggers
  • User activity monitoring

Additional stealth techniques include:

  • Removal of the application icon from the launcher
  • Bypass of battery optimization
  • Hidden background services

These techniques ensure that the malware continues running even if the user attempts to close it.


8. Communication Obfuscation

The malware protects its infrastructure through several obfuscation strategies.

These include:

  • XOR-based encryption
  • Rolling decryption keys
  • Runtime string decryption
  • Non-linear memory access patterns

These techniques hide command servers and configuration values until the malware is actively running, making detection more difficult.


9. Multi-Architecture Support

The malware is compiled for multiple processor architectures:

  • arm64-v8a
  • armeabi-v7a
  • x86_64

This ensures compatibility with most Android devices and allows the malware to infect a broad range of victims.

Additionally, the malware supports worker keys, which allow multiple operators to use the same infrastructure while maintaining separate victim groups.


Static Analysis Findings

Excessive Permission Requests

The application requests a large set of intrusive permissions that far exceed what would normally be required by legitimate applications.

These permissions collectively allow the malware to monitor user activity, intercept communications, manipulate device behavior, and maintain long-term persistence.

Such permission patterns are commonly associated with Android spyware or banking Trojans.


SDK Targeting and Package Naming

The malware targets the latest Android API levels while also maintaining compatibility with older versions of the operating system.

The application package name appears randomly generated:

ru.y34tuy.t8595

This pattern is commonly seen in malware generated using automated RAT builder kits, which produce unique package names to avoid signature-based detection.


Launcher Icon Hiding

The malware modifies its Android manifest file to replace the standard launcher category with the INFO category.

This configuration prevents the application icon from appearing in the device launcher, effectively hiding it from the user interface.

This behavior strongly indicates deliberate concealment.
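The two static indicators above (the LAUNCHER-to-INFO category swap and the oversized permission set) can be checked mechanically in a decoded AndroidManifest.xml. The following is added example code, not from the report or the sample; the manifest it parses is constructed for illustration, and the permission names are the real Android constants behind the capability list in section 1.

```python
"""Manifest triage for two static indicators in the report: the LAUNCHER-to-INFO
category swap that hides the icon, and the surveillance permission set.
Example code, not from the report; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree's Clark notation for android:name
SENSITIVE_PERMISSIONS = {  # real permission names behind the report's capability list
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS", "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.QUERY_ALL_PACKAGES", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SCHEDULE_EXACT_ALARM",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}

def hidden_launcher_activities(manifest_xml):
    """Activities that handle MAIN but declare INFO and no LAUNCHER category."""
    root = ET.fromstring(manifest_xml)
    hidden = []
    for activity in root.iter("activity"):
        for f in activity.findall("intent-filter"):
            actions = {a.get(NAME) for a in f.findall("action")}
            cats = {c.get(NAME) for c in f.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.INFO" in cats
                    and "android.intent.category.LAUNCHER" not in cats):
                hidden.append(activity.get(NAME))
    return hidden

def sensitive_permissions(manifest_xml):
    """Requested permissions that fall in the surveillance set above."""
    root = ET.fromstring(manifest_xml)
    return {p.get(NAME) for p in root.iter("uses-permission")} & SENSITIVE_PERMISSIONS

SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="ru.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.INFO"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""
```

Run it against the output of a manifest decoder (apktool or similar) to triage an APK before any dynamic analysis.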


Native Library Analysis

sysruntime.so Initialization

At application startup, the malware loads the native library:

libsysruntime.so

This library is compiled for multiple architectures and stored inside the application’s /lib directory.

Critical configuration values are embedded within this library instead of the Java codebase.

Examples include:

  • Bot identifiers
  • Command server addresses
  • WebView links
  • Worker campaign identifiers

These values remain encrypted until the malware executes.


Native Function Capabilities

Analysis of the library revealed several exported functions including:

  • getBotId
  • getServerListNative
  • getWebviewUrlNative
  • getWorkerKeyNative

These functions retrieve configuration values directly from the native layer.

The library also contains Firebase credential retrieval functions, confirming its use as part of the malware’s command infrastructure.


Command Server Obfuscation

The command-and-control server address is hidden using a custom decryption routine located in the native function:

getServerListNative

The routine references two key data structures stored in the .rodata section.

XOR Key Array (22 bytes)

B2 1F CC E3 6A 7E 71 F4
0A C0 1D 78 7B 4B 1B 15
2A 2F 24 20 33 1C

Encrypted Data Block

F5 69 1C 83 CB 52 9F E1
34 A0 6D 3A 7F B2 1D E9
54 C8 6B F7 B6

The decryption algorithm uses:

  • Non-linear memory access
  • A rolling XOR key
  • Incremental key modification

The key begins with the value 47 and increases by 91 during each iteration.


C2 Address Recovery

A Python script was developed to reproduce the native decryption logic and reconstruct the hidden server address.

The script replicated the memory layout used by the malware and correctly reproduced the XOR algorithm.

The recovered command server address is:

http://193.233.112[.]229

This confirms that the malware intentionally hides its infrastructure to avoid static detection.


Firebase Credential Extraction

Using a similar approach, additional credentials embedded in the binary were recovered.

The malware uses an 8-byte XOR key:

3A 7F B2 1D E9 54 C8 6B

This key decrypts a 39-byte encrypted block containing Firebase configuration data.

Recovered information includes:

  • Firebase API Key
  • Project ID
  • App ID
  • Storage bucket
  • Sender ID

Example recovered API key:

AIzaSyAjWqYjz1VbRByhLX8Mu0sXeh6FzIko90

WebView Behavior

Unlike other configuration values, the WebView URL is stored in plaintext within the native library.

https://taxi.ru

Additional values including the bot ID and worker key were also found in plaintext.


Worker Key Function

The malware includes the following worker key:

9bc096a5f4ec7ba133d743cbaf4b8a2e

This value functions as a campaign identifier and allows multiple operators to use the same infrastructure while maintaining separate victim pools.

This structure is typical in malware-as-a-service (MaaS) operations.


System Profiling Behavior

Upon execution, the malware collects device information including:

  • Device model
  • Android version
  • Phone number
  • SIM card information
  • Operator details

It also scans for installed banking applications.

The collected data is transmitted to the server endpoint:

/api/v1/sync/init

Notification Monitoring

The malware intercepts system notifications and extracts:

  • Application package name
  • Notification title
  • Notification text

Using regex parsing, the malware identifies authentication codes and OTP messages.

Captured notifications are sent to:

/api/v1/sync/notification

SMS Exfiltration

All SMS messages are extracted and transmitted to the command server.

Data fields include:

  • Message ID
  • Sender or recipient
  • Message body
  • Timestamp
  • Message direction
  • Read status
  • SIM subscription ID

Data is sent to:

/api/v1/sync/backup/messages

Contact and Call Data Harvesting

The malware collects:

  • Contact names
  • Phone numbers
  • Call history

These are transmitted to the following endpoints:

/api/v1/sync/backup/contacts
/api/v1/sync/backup/calls

Clipboard Monitoring

Clipboard contents are captured and sent to:

/api/v1/sync/backup/clipboard

Application Inventory Collection

The malware gathers detailed information about installed applications including:

  • App name
  • Package identifier
  • Version number
  • Category
  • Banking application status
  • System application status

This data is transmitted to:

/api/v1/sync/backup/apps

Banking Application Detection

The malware contains an encrypted list of targeted application package names.

These are decrypted using the XOR key:

{58, 127, -78, 29, -23, 84, -56, 107}

The decrypted list includes:

  • Russian banking apps
  • Government services
  • Cryptocurrency wallets
  • Marketplaces
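The signed byte array above and the 8-byte Firebase key in the native library analysis are the same key once Java's signed byte[] is mapped back to unsigned values. The following added example (not the analyst's script) checks that identity and implements the repeating-key XOR that such a key would be applied with; key repetition across the block is an assumption the report does not state, and the encrypted blob is constructed here because the binary's own blobs are not reproduced in the report.

```python
"""Repeating-key XOR around the 8-byte key shared by the Firebase block and the
target-app list. Example code, not the analyst's script; the key-repetition
scheme is an assumption and the encrypted blob below is constructed."""

FIREBASE_KEY_HEX = "3A 7F B2 1D E9 54 C8 6B"              # native library, hex form
BANKING_KEY_JAVA = [58, 127, -78, 29, -23, 84, -56, 107]  # Dalvik code, signed byte[]

def java_bytes(signed):
    """Java byte[] is signed: map -128..127 back to the raw 0..255 values."""
    return bytes(b & 0xFF for b in signed)

def hex_bytes(spaced_hex):
    return bytes.fromhex(spaced_hex.replace(" ", ""))

def same_key():
    """Cross-check: both report sections describe one and the same key."""
    return java_bytes(BANKING_KEY_JAVA) == hex_bytes(FIREBASE_KEY_HEX)

def xor_repeating(data, key):
    """Symmetric: byte i is XORed with key[i % len(key)], so it also encrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decrypt_package_list(blob, key):
    """Decrypt a newline-separated package list; undecodable output means
    the key or offset is wrong, so return an empty list instead of garbage."""
    try:
        text = xor_repeating(blob, key).decode("utf-8")
    except UnicodeDecodeError:
        return []
    return [p for p in text.split("\n") if p]

KEY = hex_bytes(FIREBASE_KEY_HEX)
# Constructed vector: placeholder package names encrypted with the real key.
SAMPLE_BLOB = xor_repeating(b"ru.example.bank\ncom.example.wallet", KEY)

if __name__ == "__main__":
    print("keys match:", same_key())
    print("sample blob:", SAMPLE_BLOB.hex())
    print("decrypted:", decrypt_package_list(SAMPLE_BLOB, KEY))
```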

Remote Access Functionality

The malware provides attackers with remote device monitoring through WebSocket connections.

This enables:

  • Real-time screen viewing
  • Interaction monitoring
  • Screen capture
  • Fraud monitoring

Lock Screen PIN Interception

The malware detects lock screen activity and records PIN entries.

Captured credentials are stored locally with timestamps and later transmitted to the command server.


Keylogging Capability

User keystrokes are recorded and structured into JSON data containing:

  • Application source
  • Captured text
  • Event type
  • Timestamp

This information is then sent to the attacker infrastructure.


Persistence Architecture

The malware uses several mechanisms to maintain continuous operation:

  • Boot auto-start
  • Foreground services
  • Accessibility abuse
  • Scheduled alarms
  • Push messaging triggers
  • User activity monitoring
  • Network change detection
  • Wake locks
  • Battery optimization bypass

These mechanisms ensure the malware remains active even after reboots or system attempts to stop it.


Dynamic Analysis Observations

Default SMS Request

Upon launch, the application prompts the user to set it as the default SMS application.

Once granted, Android automatically approves several sensitive permissions.


WebView Execution

The malware attempts to open the URL:

https://taxi.ru

However, the domain was unreachable during analysis.


Command Server Connectivity

The malware repeatedly attempted to connect to:

193.233.112[.]229

The server did not respond during testing.


Threat Landscape Assessment

The malware shows strong indicators of regional targeting, focusing primarily on Russian users and financial applications.

Distribution appears to rely on:

  • Social engineering
  • Repackaged applications
  • Localized distribution channels

The threat actor’s objective appears to be financial gain through credential theft and fraudulent transactions.

The malware’s design demonstrates strong operational security practices including:

  • Native code obfuscation
  • Runtime decryption
  • Firebase command infrastructure

MITRE ATT&CK Mapping

Tactic                | Technique
Initial Access        | Phishing
Persistence           | Foreground Persistence, Scheduled Tasks
Privilege Escalation  | Device Administrator Permissions
Defense Evasion       | Hide Artifacts, Prevent App Removal
Credential Access     | Clipboard Data, Keylogging
Discovery             | System Information Discovery
Collection            | SMS, Contacts, Call Logs, Screen Capture
Command and Control   | Web Protocols, Encrypted Channels
Exfiltration          | Data Exfiltration over C2

Indicators of Compromise

Indicator | Type | Context
67d5d8283346f850eb560f10424ea5a9ccdca5e6769fbbbf659a3e308987cafd | APK Hash | RuTaxi APK
193.233.112[.]229 | IP | Command Server
9bc096a5f4ec7ba133d743cbaf4b8a2e | String | Worker Campaign ID
3A 7F B2 1D E9 54 C8 6B | Byte Array | Firebase XOR Key
B2 1F CC E3 6A 7E 71 F4 0A C0 1D 78 7B 4B 1B 15 2A 2F 24 20 33 1C | Byte Array | C2 XOR Key

Conclusion

The analyzed malware represents a highly advanced Android banking Trojan with a clear focus on Russian financial targets.

Its design combines several sophisticated techniques, including native code execution, encrypted configuration storage, Firebase-based command delivery, and extensive surveillance capabilities.

Through its ability to intercept SMS messages, capture credentials, monitor notifications, record keystrokes, and provide real-time device access, the malware enables attackers to carry out financial fraud operations and maintain persistent control over compromised devices.

The presence of campaign-specific worker keys and region-specific targeting further suggests a coordinated threat actor operating within a structured malware distribution ecosystem.

Defending against such threats requires a combination of behavioral detection, threat intelligence sharing, and strong mobile security controls.

Security Recommendations

Threat Monitoring

  • Monitor network traffic for connections to 193.233.112[.]229
  • Track suspicious POST requests to /api/v1/sync/*
  • Share threat indicators with intelligence communities
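The first two monitoring items above can be expressed as a small rule set over proxy or egress logs: any traffic to the command server address, and any POST whose path falls under /api/v1/sync/ (the wildcard matters, since only some of the sync endpoints are listed in the report). The following is added example code, not from the report; the log format and lines are constructed, and the endpoint labels come from the static analysis sections.

```python
"""Detection for the network indicators in the report: the C2 address and
POSTs to /api/v1/sync/*. Example code, not from the report; the log lines are
constructed in a generic proxy format, not captured traffic."""
import ipaddress
import re

C2_IP = ipaddress.ip_address("193.233.112.229")  # the report's 193.233.112[.]229
SYNC_PREFIX = "/api/v1/sync/"
KNOWN_SYNC = {  # endpoints quoted in the report, used only to label hits
    "/api/v1/sync/init": "device profile",
    "/api/v1/sync/notification": "captured notifications",
    "/api/v1/sync/backup/messages": "SMS dump",
    "/api/v1/sync/backup/contacts": "contacts",
    "/api/v1/sync/backup/calls": "call log",
    "/api/v1/sync/backup/clipboard": "clipboard",
    "/api/v1/sync/backup/apps": "app inventory",
}
# Constructed log format: "<time> <client> <method> <host> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def scan(lines):
    """Return (line_no, rule, detail) for each line matching an indicator."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than abort the scan
        _, _, method, host, path, _ = m.groups()
        try:
            is_c2 = ipaddress.ip_address(host) == C2_IP
        except ValueError:
            is_c2 = False  # host is a name, not an IP literal
        if is_c2:
            alerts.append((n, "c2-ip", f"{method} {host}{path}"))
        elif method == "POST" and path.startswith(SYNC_PREFIX):
            # Wildcard match: an endpoint the report did not list still fires.
            label = KNOWN_SYNC.get(path, "unlisted sync endpoint")
            alerts.append((n, "sync-endpoint", f"{host}{path} ({label})"))
    return alerts

SAMPLE_LOG = [  # constructed lines; 10.0.0.7 and the hostnames are placeholders
    "10:00:01 10.0.0.7 GET cdn.example.net /static/app.js 200",
    "10:00:05 10.0.0.7 POST 193.233.112.229 /api/v1/sync/init 200",
    "10:00:09 10.0.0.7 POST relay.example.org /api/v1/sync/backup/messages 200",
    "10:00:12 10.0.0.7 POST relay.example.org /api/v1/sync/backup/keys 200",
    "10:00:15 10.0.0.7 POST relay.example.org /api/v2/sync/init 200",
]
```

The last sample line (a different API version) deliberately does not fire, so a relay in front of the C2 would still be caught by the path rule while unrelated /api/v2/ traffic is not.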

Mobile Security Controls

  • Restrict installation of apps requesting excessive permissions
  • Detect hidden applications removing launcher icons
  • Monitor abnormal Firebase usage

User Awareness

  • Educate users about SMS and Accessibility permission abuse
  • Encourage installation only from trusted app stores

Infrastructure Protection

  • Deploy authentication methods resistant to SMS interception
  • Implement strict outbound network filtering
  • Conduct regular permission audits on mobile devices

Incident Response

  • Isolate infected devices immediately
  • Reset compromised credentials
  • Update detection signatures regularly

Collaboration

  • Coordinate with financial institutions and national cyber response teams
  • Report command servers and malware samples to threat intelligence platforms