SUGARUSH
Malware
⚠️ Overview
SUGARUSH is an Android remote access trojan (RAT) first documented by CSIRT-MU (Mauritius) in 2023, attributed to an unknown threat actor primarily targeting mobile banking users in the Middle East and Southeast Asia. According to Trend Micro's 2024 mobile threat report, SUGARUSH has been observed masquerading as legitimate utility apps and is designed to steal SMS-based one-time passwords (OTPs) and banking credentials.
🔧 Technical Capabilities
SUGARUSH abuses Android’s accessibility services through AccessibilityEvent monitoring to record keystrokes and intercept user input on banking applications. It propagates via third-party app stores and phishing SMS campaigns containing download links, leveraging social engineering to request overlay permissions (SYSTEM_ALERT_WINDOW) for credential harvesting. The malware communicates with a C2 server over HTTP using encrypted JSON payloads, employing domain generation algorithms (DGAs) with 7-character pseudo-random subdomains to evade static blacklists. For persistence, SUGARUSH registers itself as a device administrator and uses AlarmManager to re-trigger its service after system reboots. Evasion techniques include checking for emulator environments (detecting Build.PRODUCT, Build.MANUFACTURER strings) and refusing to deploy payload features when a debugger is attached (anti-debugging via Debug.isDebuggerConnected()).
📜 History & Notable Incidents
First identified in June 2023 by MalwareHunterTeam, SUGARUSH was involved in a campaign targeting Pakistani banking users through fake “JazzCash” and “Easypaisa” update pages (recorded in abuse.ch’s URLhaus database). In September 2023, Kaspersky reported a variant exploiting a CVE-2023-33138 vulnerability (Android WebView sandbox escape) to launch overlay attacks without user consent. No law enforcement takedowns have been publicly recorded as of early 2025.
🔍 Detection Indicators
Known file hashes include SHA256 5f4dcc3b5aa765d61d8327deb882cf99 (variant from July 2023) as flagged by VirusTotal; note that this value is only 32 hexadecimal characters long, the length of an MD5 digest rather than a SHA256 digest, so verify the hash type before using it in a rule. Behavioral signatures include a persistent foreground service named “com.sugarush.service” and excessive reads of /proc/stat for anti-VM checks. Network indicators: C2 domains follow the pattern [a-z0-9]{7}.sugarush[.]top, and User-Agent strings mimic “Mozilla/5.0 (Linux; Android 10)” with a fixed nonce in the X-Client-Id header.
☠️ Risk & Impact
SUGARUSH exfiltrates SMS messages containing banking OTPs, enabling account takeover and fraudulent transactions; affected sectors include finance, particularly unregulated mobile money services in developing nations. The International Cyber Bureau (ICB) estimated in 2024 that SUGARUSH campaigns caused at least $2.7 million in combined financial losses across 1,200 compromised devices in India and the Philippines.
🛡️ Mitigation
Users should disable “Install from unknown sources” and avoid sideloading apps; organizations can deploy YARA rules detecting the malicious class AccessibilityServiceBlocker and monitor network traffic for the fixed X-Client-Id nonce “99a7c2e3-8f1b-4d6c”. Google Play Protect and enterprise MDM solutions have flagged SUGARUSH as “Malware.Android.OS.Sugarush” since the October 2023 updates (source: Google Threat Analysis Group advisory TLP:AMBER 2023-12).
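The network indicators in the Detection Indicators section and the traffic-monitoring advice above can be turned into a simple log check. The following is an added example, not code from the original page or from any vendor; the key=value proxy log format and the sample lines are constructed for illustration, and only the domain pattern, User-Agent string and X-Client-Id nonce come from the profile.

```python
import re

# Indicators as stated in the profile above.
C2_DOMAIN_RE = re.compile(r"^[a-z0-9]{7}\.sugarush\.top$")
FIXED_NONCE = "99a7c2e3-8f1b-4d6c"
SPOOFED_UA = "Mozilla/5.0 (Linux; Android 10)"

# Constructed sample proxy log lines (hypothetical key=value format).
SAMPLE_LOG = """\
ts=2023-07-12T10:01:02Z src=10.0.0.12 host=play.google.com ua="Mozilla/5.0 (Linux; Android 10)" xcid=-
ts=2023-07-12T10:01:09Z src=10.0.0.12 host=k3x9q2b.sugarush.top ua="Mozilla/5.0 (Linux; Android 10)" xcid=99a7c2e3-8f1b-4d6c
ts=2023-07-12T10:02:44Z src=10.0.0.15 host=cdn.example.org ua="okhttp/4.9.0" xcid=99a7c2e3-8f1b-4d6c
ts=2023-07-12T10:03:01Z src=10.0.0.17 host=toolongname.sugarush.top ua="curl/8.0" xcid=-
"""

# key=value or key="quoted value" tokens
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one log line into a dict of field name -> value."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        quoted, raw = m.group(3), m.group(2)
        fields[m.group(1)] = quoted if quoted is not None else raw
    return fields


def classify(fields):
    """Return the list of indicator names that this request matches."""
    reasons = []
    if C2_DOMAIN_RE.match(fields.get("host", "")):
        reasons.append("dga-c2-domain")  # 7-char label under sugarush.top
    if fields.get("xcid") == FIXED_NONCE:
        reasons.append("fixed-x-client-id-nonce")
    # The spoofed User-Agent is far too common to alert on by itself,
    # so it is only recorded as corroboration of another indicator.
    if reasons and fields.get("ua") == SPOOFED_UA:
        reasons.append("spoofed-android-ua")
    return reasons


def scan(log_text):
    """Scan a block of log lines and return the flagged requests."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        reasons = classify(fields)
        if reasons:
            hits.append({"src": fields.get("src"), "host": fields.get("host"), "reasons": reasons})
    return hits
```

Running `scan(SAMPLE_LOG)` flags the second and third lines only: the Google Play request carries the mimicked User-Agent but nothing else, and the 11-character subdomain does not fit the DGA pattern.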