Overview
- Zimperium disclosed the malware as a malware-as-a-service (MaaS) offering sold on Russian-language Telegram, where a bot manages access with subscriptions priced at $200 per week, $500 per month, or $4,500 per year.
- Buyers receive a builder that trojanizes arbitrary APKs and step-by-step templates to craft convincing Google Play landing pages for phishing-based distribution.
- Once installed, the app prompts users to set it as the default SMS handler, unlocking access to SMS, contacts, camera and files and allowing interception of two-factor codes.
- The toolkit supports theft of messages, call logs, photos and videos, uses overlays to steal banking credentials for institutions such as Alfa, PSB, T-Bank and Sberbank, and enables live audio or video streaming via WebRTC.
- Security vendors warn of heightened risk to enterprises using BYOD, with Malwarebytes reporting its Android product detects the threat and researchers urging stricter app hygiene.
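
A defender-side triage check for the default-SMS-handler behaviour described above, as an added example (not Zimperium's or any vendor's code): it flags a decoded AndroidManifest.xml that declares all four components Android requires of a default SMS app, and lists the sensitive permissions requested alongside them. It assumes the manifest was already decoded to plain XML (for example with apktool); the sample manifest, package name and `triage` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Intent actions an app must handle before Android offers it as default SMS app.
REQUIRED = {
    "sms_deliver": ({"receiver"}, "android.provider.Telephony.SMS_DELIVER"),
    "wap_push_deliver": ({"receiver"}, "android.provider.Telephony.WAP_PUSH_DELIVER"),
    "sendto": ({"activity", "activity-alias"}, "android.intent.action.SENDTO"),
    "respond_via_message": ({"service"}, "android.intent.action.RESPOND_VIA_MESSAGE"),
}
# Permissions matching the access the overview lists (SMS, contacts, camera, audio).
SENSITIVE = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
             "android.permission.CAMERA", "android.permission.RECORD_AUDIO"}

# Constructed sample manifest; com.example.constructed is a placeholder package.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsRx"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsRx"><intent-filter>
      <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <activity android:name=".Compose"><intent-filter>
      <action android:name="android.intent.action.SENDTO"/></intent-filter></activity>
    <service android:name=".Reply"><intent-filter>
      <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
  </application>
</manifest>"""

def triage(manifest_xml):
    """Report whether a manifest can claim the default SMS role, and what it asks for."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    found = set()
    for key, (tags, action) in REQUIRED.items():
        for comp in root.iter():
            if comp.tag in tags and any(
                    a.get(ANDROID + "name") == action for a in comp.iter("action")):
                found.add(key)
    return {
        "package": root.get("package"),
        "sms_handler_capable": found == set(REQUIRED),
        "missing": sorted(set(REQUIRED) - found),
        "sensitive_permissions": sorted(perms & SENSITIVE),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A positive result is a triage signal, not a verdict: legitimate messaging apps declare the same components, so review it against the app's stated purpose and where it was installed from.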