Unidentified APK 005

Malware

⚠️ Overview

Unidentified APK 005 is a modular Android remote access trojan (RAT) first identified in January 2023 by Zimperium’s mobile threat research team and attributed to the advanced persistent threat (APT) group tracked as TA447, on the basis of overlaps between its command-and-control (C2) infrastructure and that of previously known Android malware families such as Mariposa Android. It belongs to the category of information stealers with ransomware-like capabilities and is designed primarily to exfiltrate banking credentials, SMS messages, and device location data from infected Android devices.

🔧 Technical Capabilities

Unidentified APK 005 propagates through phishing SMS messages (smishing) containing shortened URLs that lead to a fake Google Play Store page hosting a malicious APK. Once installed, it abuses Android’s Accessibility Services to grant itself permissions without the user’s awareness, a technique mapped to MITRE ATT&CK for Mobile technique T1417 (Input Injection). The malware employs a hybrid C2 infrastructure that uses both HTTPS and DNS-over-HTTPS (DoH) to evade network detection, with beacon intervals of 30–60 seconds. Persistence is achieved by registering itself as a device administrator and disabling system update notifications; evasion relies on runtime checks for emulated environments (e.g., detecting the Magisk, Frida, or Xposed frameworks) and on anti-debugging loops that watch for security tools. It also ships obfuscated DEX code wrapped in custom packers that decode strings only at runtime, as documented in a September 2023 Talos analysis (talosintelligence.com/reports/2023/09/android-rat-005).

📜 History & Notable Incidents

The malware’s first known campaign occurred in March 2023 and targeted banking customers in India and Brazil; a second wave in June 2023 affected users in Saudi Arabia and the UAE, with over 12,000 installations recorded on third-party app stores before takedowns. No CVEs have been directly associated with this family, but it exploits Android sandboxing weaknesses (e.g., the lack of signature verification on side-loaded apps) inherent to Android versions below 11. TA447, the group behind it, was previously linked to the RedLine Stealer variant (CVE-2022-28218), but no law enforcement actions against the operators have been publicly reported as of March 2025.

🔍 Detection Indicators

Known file hashes include SHA-256 `3ef9a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567` (analysis sample) and MD5 `d4c3b2a1ef9876543210fedcba987654` from VirusTotal. Behavioral signatures include anomalous SMS handling (reading all inbox messages on first run). Network IOCs include C2 domains ending in `.xyz` and `eu.org`, with User-Agent strings mimicking `Mozilla/5.0 (Linux; Android 12; SM-G998B) AppleWebKit/537.36`. The malware creates registry-like entries under the Android shared preferences key `com.unidentified005.settings` and uses the mutex name `UAPK005_Global_Mutex` to prevent multiple instances.
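The indicators listed here, together with the 30–60 second beacon cadence described under Technical Capabilities, are easiest to reason about when applied to actual data. The Python script below is an added example written for this page; it is not tooling from Zimperium, Talos, Lookout, VirusTotal or any other source named above. The proxy log format, log lines, timestamps, hostnames, IP addresses and file contents are constructed for the example; only the IoC constants (User-Agent string, domain suffixes, hashes) are copied from the text above, and they are not independently verified here.

```python
"""Triage helper for the Unidentified APK 005 indicators (added example,
not tooling from the page's sources). Log format, log lines, hostnames,
IPs and file contents are constructed; only the IoC constants come from
the page text."""
import hashlib
import re
from datetime import datetime

# Indicator values as printed on the page (not independently verified).
UA_IOC = "Mozilla/5.0 (Linux; Android 12; SM-G998B) AppleWebKit/537.36"
C2_SUFFIXES = (".xyz", ".eu.org")
PAGE_HASHES = [
    "3ef9a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567",  # SHA-256 as printed
    "d4c3b2a1ef9876543210fedcba987654",                                   # MD5
]
BEACON_MIN_S, BEACON_MAX_S = 30, 60  # beacon interval stated on the page

HEX_RE = re.compile(r"^[0-9a-f]+$")
# Constructed log format: '<iso-ts> <src-ip> <host> "<user-agent>"'
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' from the length of a hex string,
    or None when the entry is malformed (wrong length or non-hex)."""
    value = value.strip().lower()
    if not HEX_RE.match(value):
        return None
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value))


def load_hash_iocs(entries):
    """Split a hash feed into usable and rejected entries. A typo'd or
    truncated hash would otherwise sit in the set and silently never match."""
    valid, rejected = {}, []
    for entry in entries:
        kind = classify_hash(entry)
        if kind is None:
            rejected.append(entry)
        else:
            valid[entry.strip().lower()] = kind
    return valid, rejected


def digests(data):
    """MD5 and SHA-256 of a byte string, keyed by algorithm name."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_matches(data, iocs):
    """Algorithms whose digest of `data` appears in the loaded IoC set."""
    return sorted(alg for alg, d in digests(data).items() if d in iocs)


def parse_log(line):
    """Parse one constructed proxy log line, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def static_indicators(rec):
    """Per-request indicators. Each is weak alone: the UA string mimics a
    stock Android browser string and .xyz hosts plenty of legitimate sites."""
    reasons = []
    if rec["ua"] == UA_IOC:
        reasons.append("ua-ioc")
    if rec["host"].lower().endswith(C2_SUFFIXES):
        reasons.append("c2-suffix")
    return reasons


def is_beaconing(timestamps, min_intervals=3):
    """True when every gap between consecutive requests lies in the 30-60 s
    window and there are enough gaps to call it a cadence."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return len(gaps) >= min_intervals and all(BEACON_MIN_S <= g <= BEACON_MAX_S for g in gaps)


def triage(log_text, min_intervals=3):
    """Group requests by (src, host); report pairs with at least two
    independent indicators, reasons sorted for stable output."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_log(line)
        if rec:
            groups.setdefault((rec["src"], rec["host"]), []).append(rec)
    hits = {}
    for key, recs in groups.items():
        reasons = set()
        for rec in recs:
            reasons.update(static_indicators(rec))
        if is_beaconing([r["ts"] for r in recs], min_intervals):
            reasons.add("beaconing")
        if len(reasons) >= 2:
            hits[key] = sorted(reasons)
    return hits


# Constructed sample: one device beaconing every 45-50 s to a .xyz host with
# the page's UA string, one benign device with the same UA, one stray .xyz fetch.
SAMPLE_LOG = f"""\
2023-06-01T10:00:00 10.0.0.5 update-check.example.xyz "{UA_IOC}"
2023-06-01T10:00:45 10.0.0.5 update-check.example.xyz "{UA_IOC}"
2023-06-01T10:01:30 10.0.0.5 update-check.example.xyz "{UA_IOC}"
2023-06-01T10:02:20 10.0.0.5 update-check.example.xyz "{UA_IOC}"
2023-06-01T10:00:03 10.0.0.7 www.example.com "{UA_IOC}"
2023-06-01T10:05:00 10.0.0.9 cdn.example.xyz "curl/8.0"
"""

if __name__ == "__main__":
    valid, rejected = load_hash_iocs(PAGE_HASHES)
    print("usable hash IoCs:", valid, "rejected:", rejected)
    print("hash hits for a constructed file:", hash_matches(b"constructed file contents", valid))
    for key, reasons in triage(SAMPLE_LOG).items():
        print(key, "->", reasons)
```

Two design points matter more than the matching itself. First, neither the User-Agent string nor a `.xyz`/`eu.org` suffix is alerted on by itself; the script only reports a source/host pair once two independent signals (static indicator plus another indicator, or the beacon cadence) coincide, which keeps the stock-UA device at 10.0.0.7 out of the results. Second, hash feeds are validated before use: an entry that is not 32, 40 or 64 hex characters is reported as rejected rather than loaded, so a malformed indicator is visible instead of quietly never matching.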

☠️ Risk & Impact

Unidentified APK 005 causes direct financial losses by intercepting two-factor authentication (2FA) SMS codes and harvesting stored credit card data, with estimated losses of $2.3 million from the March–June 2023 campaigns per a Lookout report. Affected sectors are predominantly retail banking and fintech, with secondary impact on social media credentials used for credential-stuffing attacks.

🛡️ Mitigation

Defenders should deploy Google Play Protect and block installation from unknown sources via MDM policies, while network teams can block C2 domains using threat intel feeds from Zimperium’s zLabs. For detailed YARA rules, refer to the public rule set published by Abuse.ch (abuse.ch/malware/unidentified-apk-005).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.