TaxiSpy Android RAT: The Banking Malware That Secretly Watches Your Screen and Steals Your PIN in Real Time

TaxiSpy Android RAT

Overview

TaxiSpy is a targeted Android banking trojan that operates as a Remote Access Trojan (RAT). The malware was designed primarily to steal financial credentials from users of Russian banking services and payment applications. Unlike generic banking trojans that rely mainly on overlay attacks, TaxiSpy focuses on real-time device monitoring and remote control. Attackers are able to watch what the victim is doing on their phone, capture sensitive information such as PIN codes, and intercept authentication messages.

The malware gained attention because of the way it combines legitimate cloud messaging services with persistent network communication. Instead of relying on traditional command-and-control polling, the malware uses push notifications and WebSocket communication to maintain constant interaction with the attacker.

The result is a surveillance-style malware operation where the attacker can monitor banking activity as it happens and collect authentication information before the victim even realizes anything is wrong.

From a threat intelligence perspective, TaxiSpy fits into the broader category of mobile financial malware, but its real-time monitoring capabilities make it closer to a full surveillance RAT rather than a simple credential stealer.


What Happened

The TaxiSpy campaign targeted Android users who perform banking transactions on their phones. Victims were tricked into installing malicious applications disguised as legitimate services. These applications appeared harmless but contained hidden malware components.

Once installed, the malware quietly requested powerful permissions, especially Accessibility Service permissions. When users granted these permissions, the malware gained deep visibility into the device’s interface and user activity.

After gaining control, TaxiSpy connected to its remote control infrastructure and began collecting data. The attacker could monitor the device screen, log keystrokes, intercept SMS verification codes, and observe the victim interacting with banking applications.

The attack essentially turns the infected device into a remote surveillance endpoint, allowing criminals to steal banking information in real time.


Who Was Impacted

The campaign mainly focused on individuals using Russian banking applications and financial services. Customers of digital banking platforms were the primary targets because they regularly perform financial transactions on their phones.

The malware monitored activity inside banking apps and payment services, allowing attackers to collect:

  • Login credentials
  • Banking PIN codes
  • Account numbers
  • SMS authentication codes
  • Banking session information
  • Transaction confirmations
  • Banking application UI data

Primary targets included:

  • mobile banking users
  • cryptocurrency wallet users
  • mobile payment platforms
  • financial transaction apps

Although the campaign initially focused on Russian banking customers, the attack technique itself could easily be reused in other regions.


How the Attack Happened

The attack chain typically followed several steps.


1. Social Engineering and Distribution

TaxiSpy was distributed through malicious Android application packages (APK files). These APKs were disguised as legitimate apps such as:

  • taxi or transportation services
  • system utilities
  • device security verification apps
  • banking protection tools
  • government service applications

Victims were often sent download links through:

  • phishing SMS messages
  • messaging apps
  • fake banking alerts
  • malicious advertising links
  • compromised websites hosting APK files

Users were instructed to enable installation from unknown sources, allowing the malicious APK to bypass the normal Android application vetting process.


2. Installation and Permission Abuse

Once installed, the application requested several permissions.

The most critical permission requested was:

Accessibility Service Access

This permission gives the malware the ability to:

  • monitor UI events
  • read text from screen elements
  • observe keyboard input
  • perform automated clicks
  • interact with other applications

Other permissions requested include:

  • READ_SMS
  • RECEIVE_SMS
  • READ_CONTACTS
  • INTERNET
  • READ_PHONE_STATE
  • SYSTEM_ALERT_WINDOW
  • FOREGROUND_SERVICE

Granting these permissions allows the malware to behave almost like a remote operator of the device.


3. Command and Control Communication

TaxiSpy uses a hybrid command infrastructure.

Instead of constant polling, the malware uses:

Push Notification Infrastructure

Used to deliver commands to infected devices.

Persistent WebSocket Channels

Used for real-time communication and screen monitoring.

This architecture provides several advantages:

  • near real-time attacker interaction
  • stealthy communication disguised as legitimate app traffic
  • lower network detection probability

The infected device maintains a persistent connection to attacker infrastructure.

Commands delivered through the command server include:

  • start screen capture
  • capture text input
  • retrieve SMS messages
  • send device information
  • upload stolen credentials
  • update malware modules

4. Real-Time Screen Surveillance

One of the most dangerous capabilities of TaxiSpy is its ability to monitor the device screen.

The malware captures screen frames and streams them through an encrypted WebSocket channel.

This allows attackers to observe:

  • banking login screens
  • PIN entry fields
  • payment confirmations
  • transaction verification steps

This capability allows criminals to bypass many traditional banking protections.


5. SMS Interception

TaxiSpy monitors incoming SMS messages.

It extracts authentication codes from messages sent by banks or financial services.

The malware forwards these codes to the attacker before the victim can use them.

This allows attackers to bypass two-factor authentication mechanisms.


6. Data Exfiltration

TaxiSpy collects multiple types of information from infected devices.

Typical stolen data includes:

  • SMS messages
  • device identifiers
  • installed application list
  • contact information
  • banking credentials
  • authentication tokens
  • notification content
  • keystroke data

Data is transmitted through encrypted communication channels.


Malware Components and Payload Behavior

TaxiSpy operates as a modular Android RAT.

Loader Component

Responsible for installing the main malware modules and registering background services that ensure the malware runs persistently.

Accessibility Monitor

Captures interface events, extracts text from UI elements, and logs user interactions.

Screen Capture Module

Collects screen content and streams it through a WebSocket channel to the attacker.

SMS Interceptor

Monitors incoming messages and extracts authentication codes.

Command Handler

Receives instructions from the command server and executes tasks such as collecting data or activating monitoring features.


Persistence Mechanisms

TaxiSpy attempts to remain active on the device through several persistence techniques.

  • background services
  • automatic restart after device reboot
  • hidden application launcher icon
  • disguised service names
  • persistent notification listeners

Some variants attempt to prevent removal by abusing accessibility permissions.


Indicators of Compromise (IOCs)

Suspicious Application Behavior

  • Unknown application requesting Accessibility Service permissions
  • Application reading SMS messages without legitimate reason
  • Hidden apps running background services
  • Apps maintaining persistent WebSocket connections

Malicious Package Names

Observed suspicious naming patterns include:

com.taxi.helper
com.secure.update
com.android.system.security
com.transport.service
com.mobile.verify

Network Indicators

Common communication patterns observed:

ws://185.***.***.***/socket
wss://91.***.***.***/device
wss://194.***.***.***/connect

Unusual outbound connections using:

  • WebSocket protocol
  • encrypted HTTPS communication to unknown infrastructure
  • persistent connections lasting several hours
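The network indicators above (WebSocket sessions lasting hours, repeated outbound connections to one IP) can be hunted over exported mobile connection logs. This is an added example, not code from the original post; the record format, the documentation-range IPs and the thresholds are assumptions.

```python
# Added example: hunt the page's network indicators over constructed
# connection records. Record layout and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

LONG_SESSION = timedelta(hours=3)  # assumption for "persistent connections lasting several hours"
REPEAT_LIMIT = 20                  # mirrors the Connections > 20 threshold used in the KQL above

# Constructed sample records: (device, remote URL, session start, session end)
CONNECTIONS = [
    ("phone-01", "wss://203.0.113.10/device", "2024-05-01T08:00:00", "2024-05-01T14:30:00"),
    ("phone-01", "wss://203.0.113.10/device", "2024-05-01T14:31:00", "2024-05-01T20:00:00"),
    ("phone-02", "https://cdn.example.net/assets", "2024-05-01T09:00:00", "2024-05-01T09:00:05"),
    ("phone-03", "ws://198.51.100.7/socket", "2024-05-01T10:00:00", "2024-05-01T10:02:00"),
] + [("phone-03", "ws://198.51.100.7/socket",
      f"2024-05-01T11:{m:02d}:00", f"2024-05-01T11:{m:02d}:30") for m in range(25)]


def hunt_persistent_websockets(records):
    """Return findings per (device, remote host) for WebSocket endpoints that stay
    connected for hours or are contacted repeatedly; other protocols are ignored."""
    per_endpoint = defaultdict(lambda: {"count": 0, "connected": timedelta(0)})
    for device, url, start, end in records:
        parts = urlsplit(url)
        if parts.scheme not in ("ws", "wss"):
            continue  # only WebSocket traffic matches this indicator
        stats = per_endpoint[(device, parts.hostname)]
        stats["count"] += 1
        stats["connected"] += datetime.fromisoformat(end) - datetime.fromisoformat(start)

    findings = []
    for (device, host), stats in sorted(per_endpoint.items()):
        reasons = []
        hours = stats["connected"].total_seconds() / 3600
        if stats["connected"] >= LONG_SESSION:
            reasons.append("persistent session (%.1f h total)" % hours)
        if stats["count"] > REPEAT_LIMIT:
            reasons.append("repeated connections (%d)" % stats["count"])
        if reasons:
            findings.append({"device": device, "remote_ip": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt_persistent_websockets(CONNECTIONS):
        print(finding["device"], finding["remote_ip"], "; ".join(finding["reasons"]))
```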

Host Indicators

Possible suspicious processes or services:

AccessibilityServiceManager
SystemMonitorService
ScreenCaptureHandler
MessageSyncService

Device artifacts may include unusual service registrations or persistent background tasks.


KQL Detection Queries (Microsoft Defender / Sentinel)

Detect Suspicious Accessibility Permission Usage

// Devices where one process generates repeated Accessibility-related events
DeviceEvents
| where ActionType contains "Accessibility"
| summarize count() by DeviceName, InitiatingProcessFileName
| where count_ > 5

Detect Suspicious WebSocket Network Traffic

// Repeated connections on common WebSocket ports; assumes the telemetry source
// reports the application protocol in the Protocol column
DeviceNetworkEvents
| where RemotePort in (8080,8443,9001)
| where Protocol == "WebSocket"
| summarize Connections=count() by DeviceName, RemoteIP
| where Connections > 20

Detect SMS Access by Unknown Apps

// Processes reading SMS messages more often than a benign app normally would
DeviceEvents
| where ActionType contains "SmsRead"
| summarize count() by DeviceName, InitiatingProcessFileName
| where count_ > 10

Detect Suspicious Mobile Background Services

// Processes whose command line references an accessibility service
DeviceProcessEvents
| where ProcessCommandLine contains "AccessibilityService"
| summarize count() by DeviceName, ProcessName

Threat Hunting Guidance

Security teams should perform proactive threat hunting focusing on the following indicators.

Mobile Device Monitoring

Investigate devices where:

  • unknown applications have accessibility permissions
  • apps read SMS messages frequently
  • persistent background services exist

Network Monitoring

Search for:

  • WebSocket connections to unknown servers
  • mobile devices maintaining persistent encrypted connections
  • repeated outbound communication to the same IP address

Application Analysis

Look for Android applications that:

  • hide their launcher icon
  • maintain persistent services
  • request unnecessary permissions
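The three hunting checklists above (accessibility access, SMS reads, persistent services, hidden launcher icons, unnecessary permissions) can be turned into a triage score over an app inventory export. This is an added example, not code from the original post; the inventory fields, the allowlist and the weights are assumptions, and the sample records are constructed using package names listed on this page.

```python
# Added example: score an Android app inventory against the page's application
# indicators. Inventory layout, allowlist and scoring weights are assumptions.
SENSITIVE = {"READ_SMS", "RECEIVE_SMS", "SYSTEM_ALERT_WINDOW", "READ_CONTACTS", "READ_PHONE_STATE"}
KNOWN_GOOD = {"com.example.bank", "com.android.vending"}  # assumption: organisation allowlist

# Constructed inventory records, shaped like an MDM/MTD export might be
INVENTORY = [
    {"package": "com.taxi.helper", "installer": None, "accessibility_enabled": True,
     "permissions": {"READ_SMS", "RECEIVE_SMS", "INTERNET", "SYSTEM_ALERT_WINDOW", "FOREGROUND_SERVICE"},
     "launcher_icon": False, "persistent_service": True, "sms_reads_24h": 40},
    {"package": "com.example.bank", "installer": "com.android.vending", "accessibility_enabled": False,
     "permissions": {"INTERNET", "READ_PHONE_STATE"}, "launcher_icon": True,
     "persistent_service": False, "sms_reads_24h": 0},
    {"package": "com.mobile.verify", "installer": None, "accessibility_enabled": True,
     "permissions": {"INTERNET"}, "launcher_icon": True,
     "persistent_service": False, "sms_reads_24h": 0},
]


def score_app(app):
    """Return (score, reasons) for one record; each matched indicator adds one point."""
    reasons = []
    if app["package"] in KNOWN_GOOD:
        return 0, reasons  # allowlisted apps are not scored
    if app["accessibility_enabled"]:
        reasons.append("unknown app holds Accessibility Service access")
    if app["installer"] is None:
        reasons.append("sideloaded (no store installer recorded)")
    if app["sms_reads_24h"] > 10:  # mirrors the count_ > 10 threshold in the KQL above
        reasons.append("reads SMS frequently (%d in 24h)" % app["sms_reads_24h"])
    if not app["launcher_icon"]:
        reasons.append("launcher icon hidden")
    if app["persistent_service"]:
        reasons.append("persistent background service")
    extra = sorted(app["permissions"] & SENSITIVE)
    if extra:
        reasons.append("sensitive permissions: " + ", ".join(extra))
    return len(reasons), reasons


def triage(inventory, min_score=3):
    """Apps meeting min_score, most suspicious first; a single weak signal is not enough."""
    hits = []
    for app in inventory:
        score, reasons = score_app(app)
        if score >= min_score:
            hits.append({"package": app["package"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: h["score"], reverse=True)
```

A score of one or two (for example an accessibility-enabled sideloaded app with no other signals) is left for manual review rather than flagged outright.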

Sigma Detection Logic

title: Suspicious Android Accessibility Abuse
logsource:
  category: mobile
detection:
  selection:
    Permission: AccessibilityService
    NetworkProtocol: WebSocket
  condition: selection
level: high

MITRE ATT&CK Mapping

Relevant MITRE techniques associated with TaxiSpy include:

Technique            | Description
---------------------|----------------------------------------
Initial Access       | User installs malicious application
Command and Control  | Persistent encrypted communication
Credential Access    | Capture banking credentials
Collection           | Screen monitoring and SMS interception
Exfiltration         | Data transmitted to attacker server

Prevention Recommendations

User Awareness

Users should avoid installing APK files received through links or messaging platforms.

Applications should only be downloaded from trusted app stores.


Permission Management

Users should review any application requesting accessibility permissions.

If an application does not require accessibility functionality, the permission should be denied.


Enterprise Mobile Security

Organizations should deploy:

  • mobile threat defense platforms
  • application behavior monitoring
  • network anomaly detection

Summary

TaxiSpy is a sophisticated Android banking trojan designed for targeted financial theft. Instead of relying solely on traditional banking trojan techniques, it focuses on live monitoring of the victim’s device.

By abusing Accessibility permissions and maintaining real-time communication with the attacker, the malware allows criminals to watch banking activity as it happens. This makes it particularly effective at capturing login credentials, PIN codes, and authentication messages.

The attack relies primarily on social engineering and malicious application installation, meaning prevention depends heavily on user awareness, mobile security monitoring, and application permission management.


Aegiron
