Particle.news

New Android ‘Sturnus’ Trojan Reads On‑Screen Chats and Raids Banking Apps

Researchers say the privately operated malware is in limited testing with targets in Southern and Central Europe.

Overview

  • The trojan abuses Android Accessibility to log everything shown on screen, letting attackers read Signal, WhatsApp and Telegram messages once the apps have decrypted them, without breaking end‑to‑end encryption.
  • It can steal banking credentials via convincing HTML overlays, keylog input, stream the display, and remotely control devices, including blacking out the screen during fraudulent transactions.
  • Analyses from MTI Security and ThreatFabric describe an active but small‑scale operation focused on financial institutions, with no evidence of a broad global campaign.
  • Delivery has been reported through sideloaded APKs, fake Android update prompts and messaging attachments, while Google says Play Protect has not detected it on Play Store apps.
  • Experts cite command‑and‑control that mixes plaintext, RSA and AES traffic and uses Matrix Push to evade detection, along with persistence features such as SIM‑change monitoring and uninstall blocking, as CISA warns users to avoid untrusted installs, verify links and QR codes, and restrict Accessibility permissions.
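The mitigation in the last bullet can be turned into a check: every capability in the first two bullets depends on an accessibility service being enabled, so listing which packages hold that permission and flagging the unexpected ones is a cheap audit. This is an added example, not code from the article or from the MTI Security or ThreatFabric reports; the allowlist and the sample device output are constructed, and on a real device the value would come from `adb shell settings get secure enabled_accessibility_services`.

```shell
#!/bin/sh
# Audit enabled Android accessibility services against an allowlist.
# Android stores the enabled services in the secure setting
# "enabled_accessibility_services" as a colon-separated list of
# ComponentName strings ("package/ServiceClass"); it prints "null"
# when nothing is enabled. Real value (with adb):
#   adb shell settings get secure enabled_accessibility_services

# Packages expected to hold accessibility access (assumption: tune per fleet).
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.android.talkback"

# flag_accessibility_services LIST
# Prints one line per enabled service whose package is not allowlisted.
flag_accessibility_services() {
    list="$1"
    if [ -z "$list" ] || [ "$list" = "null" ]; then
        return 0
    fi
    echo "$list" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        pkg="${svc%%/*}"          # package name is everything before the slash
        allowed=0
        for a in $ALLOWED_PACKAGES; do
            if [ "$pkg" = "$a" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then echo "$svc"; fi
    done
    return 0
}

# count_flagged LIST -> number of non-allowlisted services
count_flagged() {
    flag_accessibility_services "$1" | wc -l | tr -d ' '
}

# Constructed sample: TalkBack (expected) plus a service registered by a
# sideloaded "update" app, the kind of delivery described in the summary.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeupdate/.AccessibilityHelperService"

flag_accessibility_services "$SAMPLE"
```

Replace `SAMPLE` with the live `adb shell settings get secure ...` output to run it against a device; any line printed is a package that can read the screen and inject input and should be justified or removed.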