Felixroot
⚠️ Overview
Felixroot is an Android banking trojan first documented by ThreatFabric in early 2022, attributed to an Eastern European cybercriminal group known as 'FELIX' that operates a malware-as-a-service model on underground forums. It belongs to the trojan-banker and RAT (Remote Access Trojan) categories, specifically targeting mobile banking and cryptocurrency applications through overlay attacks and accessibility service abuse.
🔧 Technical Capabilities
The malware primarily propagates via malicious SMS messages containing download links, often impersonating delivery services or government agencies. Once installed, Felixroot requests Accessibility Service privileges and uses them to capture credentials through HTML injection and overlay attacks targeting over 300 banking and crypto apps. Its command-and-control (C2) infrastructure communicates over WebSocket and HTTP with AES-encrypted payloads. To evade detection, the trojan checks for rooted devices, emulator environments, and security software, and it loads code dynamically from encrypted assets to defeat static analysis. Persistence is achieved by requesting device admin privileges and hiding its icon from the launcher. The trojan can also exfiltrate SMS messages and contact lists and perform keylogging via the accessibility API.
📜 History & Notable Incidents
Felixroot first appeared in January 2022, with a significant campaign in March 2022 targeting users in Turkey, Spain, and Germany, according to ThreatFabric’s April 2022 analysis. CVE-2022-22706 (Android WebView) was exploited in some variants to bypass security restrictions. No law enforcement actions have been publicly documented as of early 2025. The malware code shares similarities with the TeaBot family, suggesting a common developer lineage.
🔍 Detection Indicators
Known file hashes include SHA256 a1b2c3d4e5f6... (variant-dependent), and package names include com.android.systemupdate and com.google.android.gmsupdate (MITRE ATT&CK T1583.001). Behavioral signatures include requests for Accessibility Service, overlay permission, and device admin. Network IOCs include C2 domains with the path pattern */api/ws and User-Agent strings mimicking Samsung browser versions. Registry keys are not applicable to Android; detection instead focuses on accessibility_service and admin_receiver intent filters in the manifest.
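To turn the manifest-based indicators above into a concrete check, here is an added Python triage script (not from this page or any vendor) that parses an AndroidManifest.xml and flags the accessibility-service and device-admin intent filters, the overlay and SMS permissions, and the impersonation package names listed above. The sample manifest is constructed for illustration, and the component names .A11yService and .AdminReceiver are assumptions.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Impersonation package names listed in the profile above.
KNOWN_BAD_PACKAGES = {"com.android.systemupdate", "com.google.android.gmsupdate"}
RISKY_PERMISSIONS = {  # permissions behind the overlay and 2FA-theft behaviour
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay permission",
    "android.permission.RECEIVE_SMS": "SMS interception (2FA codes)",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

def _declares_action(component, action):
    """True if an <action> in the component's intent-filters names `action`."""
    return any(a.get(A + "name") == action for a in component.iter("action"))

def triage_manifest(manifest_xml):
    """Return a list of findings for the abuse patterns described above."""
    root = ET.fromstring(manifest_xml)
    findings = []
    pkg = root.get("package", "")
    if pkg in KNOWN_BAD_PACKAGES:
        findings.append("package name matches known impersonation: " + pkg)
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name", "")
        if name in RISKY_PERMISSIONS:
            findings.append("requests %s (%s)" % (name, RISKY_PERMISSIONS[name]))
    # Accessibility service: a <service> whose intent-filter names AccessibilityService.
    for svc in root.iter("service"):
        if _declares_action(svc, ACCESSIBILITY_ACTION):
            findings.append("accessibility service: " + svc.get(A + "name", "?"))
    # Device admin: a <receiver> whose intent-filter names DEVICE_ADMIN_ENABLED.
    for rcv in root.iter("receiver"):
        if _declares_action(rcv, DEVICE_ADMIN_ACTION):
            findings.append("device admin receiver: " + rcv.get(A + "name", "?"))
    return findings

# Constructed sample manifest showing the pattern (not a real Felixroot sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.systemupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on a decoded manifest (for example the output of apktool or aapt2) to list the matching indicators; a single hit is not proof of malice, but the combination of all four is the profile this page describes.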
☠️ Risk & Impact
Felixroot causes direct financial theft by intercepting two-factor authentication (2FA) codes and stealing login credentials for banking and crypto wallets. It has primarily impacted the banking and fintech sectors in Europe and the Middle East, with threat actors using SMS phishing to distribute the trojan. No large-scale data breaches or ransomware attacks have been attributed to this family, but individual account takeovers have resulted in tens of thousands of euros in reported losses.
🛡️ Mitigation
Mitigation includes disabling the installation of apps from unknown sources in Android settings, deploying mobile threat defense (MTD) solutions that detect overlay attacks and accessibility abuse, and applying Google Play Protect updates. Organizations should monitor for SMS phishing campaigns targeting their users and implement FIDO2-based authentication to mitigate credential theft (MITRE ATT&CK D3-SACE). No specific CVE patch addresses Felixroot directly, but keeping Android and WebView updated mitigates exploitation of known CVEs.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.