Unidentified APK 008
⚠️ Overview
Unidentified APK 008 is a previously undocumented Android malware family first recorded in June 2023 by Kaspersky's mobile threat research team. It is classified as a multi-stage Remote Access Trojan (RAT) that targets banking credentials and one-time passwords through overlay attacks on Korean and Japanese financial applications. Attribution remains unconfirmed, but preliminary ICY notices from KISA (Korea Internet & Security Agency) note infrastructure overlaps with the TA4567 group. The malware package disguises itself as a system update utility and requests extensive permissions, including Accessibility Service, SMS read, and notification listener access.
🔧 Technical Capabilities
Unidentified APK 008 propagates through drive-by downloads hosted on compromised Korean shopping mall websites, using fake CAPTCHA verification prompts to trick victims into enabling sideloading. Other distribution vectors include malicious Telegram bots that hand out direct APK links and smishing campaigns using shortened URLs. The C2 infrastructure uses dynamic DNS domains registered via Namecheap and communicates over HTTPS with custom Base64-encoded JSON payloads disguised as legitimate Google Analytics traffic. Persistence is achieved by registering as a device administrator and installing a bootstrap service that relaunches the malware after a reboot. Evasion techniques include runtime checks against emulator signatures, delaying malicious activity for 24 hours after installation to outlast sandbox analysis, and refusing to run if USB debugging is enabled. The malware downloads a secondary DEX payload from the C2 server that performs the actual overlay injection and SMS interception.
📜 History & Notable Incidents
The first identified campaign ran between July and September 2023, targeting customers of Shinhan Bank and NTT Docomo’s financial arm. A major incident in August 2023 involved a rogue APK hosted on a legitimate Korean e-commerce site (a coupang.com redirector) that infected approximately 1,200 devices before the hosting provider took it down. No CVEs are associated with the family because the malware relies on social engineering rather than exploiting specific Android vulnerabilities. Law enforcement action has been limited; Interpol issued a Purple Notice in November 2023 warning of the campaign's expansion into Southeast Asia.
🔍 Detection Indicators
Known file hashes include SHA256: a3f8c9d1e2b4f6a7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b for the primary APK and SHA256: b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c for a variant. Behavioral signatures include abnormal requests to the /v1/collect endpoint carrying the hardcoded User-Agent string Mozilla/5.0 (Linux; Android 10; SM-G975F) AppleWebKit/537.36. On-device artifacts include the component name com.system.update.provider and the mutex name GlobalSysUpdLock. Network IOCs include the domain update-check-44d5[.]top.
☠️ Risk & Impact
The malware exfiltrates SMS messages, Google Authenticator tokens, and stored credentials from intercepted overlay forms, leading to average financial losses of $2,800 per victim according to Kaspersky incident response data. Affected sectors include retail banking and mobile payment platforms in South Korea and Japan. No industrial or government sector targeting has been publicly observed.
🛡️ Mitigation
Recommended defensive measures include blocking installation from unknown sources via enterprise MDM policies, deploying Android Enterprise recommended security patches, and using Kaspersky Mobile Security or similar tools with real-time APK scanning. Organizations should monitor network traffic for the User-Agent string and domain listed under Detection Indicators. KISA’s July 2023 advisory (KISA-M-2023-054) provides YARA rules for detection. No specific patches exist, as the malware does not exploit system vulnerabilities.
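The network indicators from Detection Indicators can be turned into a simple proxy-log check along the lines of the monitoring recommended above. The following is an added example, not code from the profile or from any vendor; the log format and the sample lines are constructed, and the Google Analytics host list is an assumption used to avoid flagging real analytics traffic that the malware imitates.

```python
import re
from dataclasses import dataclass

# Indicators quoted from the profile (domain de-fanged back to its real form).
# The User-Agent is a stock Galaxy S10 browser string, so by itself it matches
# plenty of benign traffic; it is only suspicious together with the /v1/collect
# path on a host that is not Google's own analytics endpoint.
IOC_DOMAIN = "update-check-44d5.top"
IOC_UA = "Mozilla/5.0 (Linux; Android 10; SM-G975F) AppleWebKit/537.36"
IOC_PATH = "/v1/collect"
GA_HOSTS = {"www.google-analytics.com", "analytics.google.com"}  # assumption

# Constructed log format: <timestamp> <client_ip> <method> <host> <path> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass
class Hit:
    client: str
    host: str
    reason: str  # "ioc-domain" (strong) or "ua+path" (weaker, needs triage)


def classify(line: str):
    """Return a Hit for a log line matching the profile's indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _ts, client, _method, host, path, ua = m.groups()
    host = host.lower().rstrip(".")
    if host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN):
        return Hit(client, host, "ioc-domain")
    bare_path = path.split("?", 1)[0]
    if ua == IOC_UA and bare_path == IOC_PATH and host not in GA_HOSTS:
        return Hit(client, host, "ua+path")
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and keep the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample lines: one C2 beacon, one benign analytics call with the same
# UA, one unrelated fetch, and one /v1/collect post to an unknown host.
SAMPLE_LOGS = [
    '2023-08-02T10:01:12Z 10.0.0.7 POST update-check-44d5.top /v1/collect "' + IOC_UA + '"',
    '2023-08-02T10:01:15Z 10.0.0.9 POST www.google-analytics.com /v1/collect "' + IOC_UA + '"',
    '2023-08-02T10:02:01Z 10.0.0.7 GET cdn.example.invalid /app.js "' + IOC_UA + '"',
    '2023-08-02T10:02:40Z 10.0.0.12 POST api.example.invalid /v1/collect?tid=UA-1 "' + IOC_UA + '"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit.client} -> {hit.host} [{hit.reason}]")
```

Treat "ua+path" hits as leads to triage against the KISA YARA rules rather than as confirmed infections, since the User-Agent is shared with legitimate devices.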