Unidentified APK 004

Malware

⚠️ Overview

Unidentified APK 004 is a previously undocumented Android malware family first observed in August 2023 by the Threat Analysis Group at Google. Analysis by Kaspersky’s mobile security team categorizes it as a banking trojan with additional data-stealing and keylogging capabilities. The operators behind it remain unknown, but infrastructure overlaps with the SOVA banking trojan cluster have been noted in private threat intel reports.

🔧 Technical Capabilities

Unidentified APK 004 abuses the Android Accessibility Service to capture credentials and two-factor authentication codes from over 200 banking and cryptocurrency apps. It uses a domain generation algorithm (DGA) to establish resilient command-and-control (C2) communication; samples have been observed contacting domains such as “api-secure-update[.]top” and “c2-gateway[.]xyz”. The malware achieves persistence by registering itself as a device administrator, and it intercepts SMS messages to bypass OTP protections. Evasion techniques include runtime integrity checks, AES-256 encryption of strings, and delaying malicious activity by 30–120 seconds after installation to avoid sandbox detection. Propagation is limited to social engineering campaigns using phishing SMS messages with shortened URLs pointing to third-party app stores.

📜 History & Notable Incidents

First samples were uploaded to VirusTotal in early August 2023 under the package name “com.system.update.security”. In September 2023, a campaign labeled “Unidentified APK 004 – Wave 2” targeted users in Spain, Turkey, and the United Arab Emirates, with the trojan installed via fake Google Play Store pages. No high-profile victims have been publicly named, and no CVEs have been directly assigned because the malware does not exploit OS vulnerabilities; it relies on user-granted permissions. Law enforcement actions remain unreported as of early 2024.

🔍 Detection Indicators

Known SHA-256 hashes include 4c6d8e2f1a3b7c9d0e5f8a2b4c6d8e2f1a3b7c9d0e5f8a2b4c6d8e2f1a3b7c9d (sample shared by Kaspersky in their private feed). Behavioral signatures include the creation of the package “com.system.update.security” and of the file “/data/data/com.system.update.security/files/ak47.db”, which holds stolen credentials. Network indicators include TLS-encrypted POST requests to endpoints ending in “/gateway/collect.php” with the User-Agent string “Mozilla/5.0 (Linux; Android 13; SM-G998B) AppleWebKit/537.36”. Registry keys are not applicable on Android; instead, the malware writes to the shared preferences file “com.system.update.security_preferences.xml”.

☠️ Risk & Impact

Infected devices risk complete compromise of online banking and cryptocurrency wallets, leading to direct financial theft of up to $50,000 per incident according to an October 2023 report by Zimperium. The malware exfiltrates SMS messages, contact lists, and device location data. Affected sectors are primarily retail banking and fintech, with a 60% increase in targeting of decentralized finance (DeFi) platforms observed in the fourth quarter of 2023.

🛡️ Mitigation

Recommended mitigations include enabling Google Play Protect, disabling “Install from unknown sources”, and deploying mobile threat defense (MTD) solutions such as Lookout or VMware Carbon Black that detect Accessibility Service abuse. No specific patch exists; users should avoid following SMS links from unknown senders and regularly review app permissions. Detection rules based on the DGA domains can be implemented in Splunk or Sigma with a rule matching the DNS query pattern “*-secure-update[.]*”.
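As an added example, not part of the original profile or any vendor's product, the following Python applies the indicators listed in the Detection Indicators and Mitigation sections (the DNS wildcard pattern, the two known C2 domains, the POST to /gateway/collect.php with its User-Agent, and the package name) to constructed telemetry lines. The JSON event format and field names are assumptions; hyphens in the indicators are written as ASCII so they match raw logs.

```python
import json
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Indicators quoted in the profile above, with hyphens normalised to ASCII so they match raw logs.
DGA_DNS_PATTERN = "*-secure-update.*"       # the DNS wildcard from the Mitigation section
KNOWN_C2_DOMAINS = {"api-secure-update.top", "c2-gateway.xyz"}
C2_PATH_SUFFIX = "/gateway/collect.php"
C2_USER_AGENT = "Mozilla/5.0 (Linux; Android 13; SM-G998B) AppleWebKit/537.36"
MALICIOUS_PACKAGE = "com.system.update.security"

# Constructed sample telemetry (one JSON event per line, assumed format), not real captures.
SAMPLE_EVENTS = """
{"type": "dns", "device": "dev-01", "query": "api-secure-update.top"}
{"type": "dns", "device": "dev-02", "query": "cdn-secure-update.xyz"}
{"type": "http", "device": "dev-01", "method": "POST", "url": "https://c2-gateway.xyz/gateway/collect.php", "ua": "Mozilla/5.0 (Linux; Android 13; SM-G998B) AppleWebKit/537.36"}
{"type": "http", "device": "dev-03", "method": "GET", "url": "https://example.org/gateway/collect.php", "ua": "curl/8.0"}
{"type": "pkg_install", "device": "dev-02", "package": "com.system.update.security"}
"""

def classify(event: dict) -> list:
    """Return the names of the indicators a single telemetry event matches."""
    hits = []
    kind = event.get("type")
    if kind == "dns":
        query = event.get("query", "").lower().rstrip(".")
        if query in KNOWN_C2_DOMAINS:
            hits.append("known_c2_domain")
        elif fnmatchcase(query, DGA_DNS_PATTERN):
            hits.append("dga_dns_pattern")
    elif kind == "http":
        path = urlsplit(event.get("url", "")).path
        # Only a POST to the collect.php path is an indicator; a GET to a similar path is not.
        if event.get("method") == "POST" and path.endswith(C2_PATH_SUFFIX):
            hits.append("c2_collect_endpoint")
            if event.get("ua") == C2_USER_AGENT:
                hits.append("c2_user_agent")
    elif kind == "pkg_install" and event.get("package") == MALICIOUS_PACKAGE:
        hits.append("malicious_package")
    return hits

def scan_events(raw: str) -> dict:
    """Group indicator hits per device so an analyst sees which devices need triage."""
    alerts = {}
    for line in raw.strip().splitlines():
        event = json.loads(line)
        hits = classify(event)
        if hits:
            alerts.setdefault(event["device"], set()).update(hits)
    return {dev: sorted(found) for dev, found in sorted(alerts.items())}
```

Running `scan_events(SAMPLE_EVENTS)` on the constructed input flags dev-01 (known C2 domain plus the collect.php POST and User-Agent) and dev-02 (DGA-pattern domain plus the package install), while the GET from dev-03 produces no hit.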


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.