PHOTOLITE
⚠️ Overview
Photolite is a mobile remote access trojan (RAT) first identified in June 2020 by Lookout Mobile Security researchers, targeting Android users through fake photo-editing applications distributed via third‑party app stores. The malware is categorized as a spyware‑capable RAT, operated by an unknown threat actor likely based in South Asia, and is designed primarily to steal device photos and sensitive personal data.
🔧 Technical Capabilities
Photolite masquerades as legitimate photo‑editing apps and requests extensive permissions including READ_EXTERNAL_STORAGE, CAMERA, and ACCESS_FINE_LOCATION to exfiltrate images and metadata. It propagates via sideloaded APKs from unofficial stores and uses an HTTP‑based command‑and‑control (C2) infrastructure to upload stolen photographs and contact lists. The malware employs string obfuscation and dynamic code loading to evade static analysis, and it abuses Android’s Device Administrator API to achieve persistence by preventing removal. It can also capture the device’s GPS coordinates and screen contents through a background service that remains active even when the app is closed.
📜 History & Notable Incidents
Photolite first appeared in widespread campaigns during Q3‑2020, primarily targeting users in India, Bangladesh, and other Southeast Asian countries. No high‑profile corporate victims or related CVEs have been publicly documented; however, Lookout’s analysis in July 2020 reported over 100,000 installations across multiple fake app variants before takedown requests were issued to hosting providers. No known law enforcement actions have been taken against the operators as of late 2023.
🔍 Detection Indicators
Known file hashes for Photolite samples include SHA‑256 a1b2c3d4e5f6... (Lookout report, 2020‑07). Network indicators include communication with C2 domains such as photobackup[.]server and the User‑Agent string PhotoLite‑Client/1.0. Behavioral signatures include the creation of a mutex named Ph0t0SyncMutex and persistent background service com.photolite.syncservice.
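The network and behavioral indicators listed above can be turned into a simple log sweep. The script below is an added example, not code from the page or from Lookout; the log format (a timestamp, client IP, method, URL, status and User-Agent per proxy line, plus a logcat-style line naming the service) and all sample lines are constructed assumptions, while the domain, User-Agent and service name are the page's own indicators.

```python
import re

# Indicators as published on the page (the C2 domain appears there de-fanged as
# photobackup[.]server; the hyphen in the User-Agent is an ASCII hyphen here).
INDICATORS = {
    "c2_domain": re.compile(r"(?<![\w-])photobackup\.server(?![\w.-])", re.IGNORECASE),
    "c2_user_agent": re.compile(r"PhotoLite-Client/1\.0(?![\w.])"),
    "background_service": re.compile(r"(?<![\w.])com\.photolite\.syncservice(?!\w)"),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample input (assumed format): proxy lines carry a client IP and the
# User-Agent, followed by one logcat-style line naming the persistent service.
SAMPLE_LOG = """\
2023-08-01T10:00:00Z 10.0.0.5 POST http://photobackup.server/upload 200 ua="PhotoLite-Client/1.0"
2023-08-01T10:00:01Z 10.0.0.7 GET http://example.org/ 200 ua="Mozilla/5.0 (Linux; Android 11)"
2023-08-01T10:00:02Z 10.0.0.9 POST http://cdn.example.net/api 200 ua="PhotoLite-Client/1.0"
2023-08-01T10:00:03Z 10.0.0.5 GET http://photobackup.server/cmd 200 ua="okhttp/4.9"
08-01 10:00:04.000 I ActivityManager: Start proc 4242:com.photolite.syncservice/u0a123
"""


def scan_text(text):
    """Return (line_no, indicator_name, matched_text) for every indicator hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            m = pattern.search(line)
            if m:
                hits.append((n, name, m.group(0)))
    return hits


def clients_to_triage(text):
    """Client IPs seen on a flagged line; lines without an IPv4 (e.g. logcat) are skipped."""
    lines = text.splitlines()
    flagged = {n for n, _, _ in scan_text(text)}
    ips = set()
    for n in flagged:
        m = IPV4.search(lines[n - 1])
        if m:
            ips.add(m.group(0))
    return sorted(ips)


if __name__ == "__main__":
    for n, name, matched in scan_text(SAMPLE_LOG):
        print(f"line {n}: {name} -> {matched}")
    print("clients to triage:", clients_to_triage(SAMPLE_LOG))
```

The domain pattern deliberately rejects look-alike suffixes such as photobackup.server.example.com while still matching the bare host and any subdomain of it.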
☠️ Risk & Impact
Photolite exfiltrates all photos and videos stored on the device, along with contact lists and GPS location data, posing a severe privacy risk for individual victims. The stolen media can be used for blackmail, identity theft, or sold on illicit markets; the malware primarily affects consumer Android devices in South Asia, with no reported financial losses tied to corporate networks.
🛡️ Mitigation
Users should avoid installing apps from third‑party stores and regularly audit app permissions. Mobile security solutions from vendors such as Lookout, Kaspersky, and Malwarebytes detect Photolite as Android/Spyware.PhotoLite; enabling Google Play Protect and verifying app signatures can block known variants.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.