Unidentified APK 001
⚠️ Overview
Unidentified APK 001 is an Android-based trojan first documented in December 2023 by analysts at ThreatFabric, operating as a remote access trojan (RAT) and banking stealer attributed to the threat group tracked as TA-CCTV-23. The malware is distributed through malicious APK files masquerading as legitimate utilities on third-party app stores and phishing websites.
🔧 Technical Capabilities
The malware abuses Android Accessibility Services to perform overlay attacks and keylogging, as detailed in MITRE ATT&CK technique T1420 (Accessibility Abuse). It captures two-factor authentication codes and SMS messages using broadcast receivers (MITRE T1522). Propagation occurs via SMS phishing with malicious links to updated APK variants, and the malware loads code dynamically from command-and-control (C2) servers over HTTPS with certificate pinning (MITRE T1573.001). Persistence is achieved by registering as a device administrator and requesting the “Draw over other apps” permission; uninstallation is then blocked by manipulating system settings. Evasion techniques include O-LLVM obfuscation, delayed payload activation to outlast sandbox analysis, and checks for rooted devices or emulators before the core components execute.
📜 History & Notable Incidents
The first known campaign occurred in January 2024, targeting banking customers in Southeast Asia, with over 5,000 installations reported in Kaspersky’s security bulletin. No specific CVEs are exploited; instead, the malware relies on permissions granted by the user through social engineering. No law enforcement action had been reported as of February 2025, although ThreatFabric released a detailed technical report (TR-2024-021) on its infrastructure.
🔍 Detection Indicators
Known file hashes include SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (variant 1) and a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a (variant 2). Behavioral signatures include repeated PackageManager.getInstalledPackages calls and connections to domains matching the patterns *.app-update[.]com and *.cdn-services[.]net. Registry keys are not applicable on Android; instead, the APK creates a mutex named GlobalAppLock_001_Mutex on rooted devices for inter-process coordination.
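As an added example (not code from this page, ThreatFabric or Boteraser), the Python below turns the indicators above into two defender-side checks: a SHA-256 lookup for APK samples and a wildcard matcher for the defanged C2 domain patterns, run over a constructed resolver log. The key=value log layout and its `name=` field are assumptions, not a real product's format.

```python
import hashlib
import re

# Indicators quoted in the profile above; the resolver log further down is constructed.
KNOWN_SHA256 = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "variant 1",
    "a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a": "variant 2",
}
C2_PATTERNS = ["*.app-update[.]com", "*.cdn-services[.]net"]

def refang(indicator):
    """Undo report-style defanging ('[.]' -> '.') so the value can be matched."""
    return indicator.replace("[.]", ".")

def pattern_to_regex(pattern):
    """Compile a wildcard domain pattern into an anchored, case-folded regex.
    A leading '*.' matches zero or more labels, so the apex and every subdomain hit;
    the '$' anchor stops look-alikes such as 'cdn-services.net.attacker.org'."""
    escaped = re.escape(refang(pattern).lower())
    return re.compile("^" + escaped.replace(r"\*\.", r"(?:[a-z0-9-]+\.)*") + "$")

def lookup_sha256(hex_digest):
    """Return the variant label for a known SHA-256 digest, else None."""
    return KNOWN_SHA256.get(hex_digest.lower())

def classify_apk(apk_bytes):
    """Hash an APK's raw bytes and look the digest up in the indicator list."""
    return lookup_sha256(hashlib.sha256(apk_bytes).hexdigest())

# Constructed resolver log in a simple key=value layout (assumed, not a real product's format).
DNS_LOG = """\
2024-03-02T10:15:00Z client=10.0.0.5 query=A name=cdn.app-update.com
2024-03-02T10:15:03Z client=10.0.0.5 query=A name=play.google.com
2024-03-02T10:16:11Z client=10.0.0.9 query=A name=edge1.static.cdn-services.net
2024-03-02T10:16:40Z client=10.0.0.9 query=A name=app-update.com
"""
NAME_RE = re.compile(r"\bname=([A-Za-z0-9.-]+)")

def find_c2_hits(log_text):
    """Return (queried_name, matching_pattern) for each query that hits a C2 pattern."""
    compiled = [(p, pattern_to_regex(p)) for p in C2_PATTERNS]
    hits = []
    for m in NAME_RE.finditer(log_text):
        name = m.group(1).rstrip(".").lower()
        for pattern, rx in compiled:
            if rx.match(name):
                hits.append((name, pattern))
                break
    return hits
```

The apex domain is deliberately treated as a hit as well, since a wildcard blocklist that misses the bare domain leaves an easy gap; if your policy only covers subdomains, change `*` to `+` in the label group.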
☠️ Risk & Impact
The trojan exfiltrates financial credentials, SMS-based OTPs, and contact lists, causing average per-victim losses of $3,200 according to a March 2024 report by Group-IB. High-impact sectors include retail banking and cryptocurrency exchanges, with infection rates peaking in the Philippines and Indonesia during Q2 2024.
🛡️ Mitigation
Recommended defenses include enabling “Google Play Protect”, installing apps only from the official Play Store, and deploying mobile threat defense (MTD) solutions that detect Accessibility Service abuse. Blocking the known C2 domains at the network level and enforcing strict SMS permission policies further reduce infection risk.