-
Notifications
You must be signed in to change notification settings - Fork 2
Files
/
Copy pathandroid-os-malware-samples.csv
98 lines (98 loc) · 136 KB
/
android-os-malware-samples.csv
1 | id | alias | description | app_programming_languages | number_of_langs | year | in_the_wild | malware_type | malware_tags | malware_family | capabilities | permissions | package_name | folder_hash | virustotal_detections | virustotal_vendors | virustotal_score | total_files | programm_files | total_functions | avg_functions_per_file | total_blanks | total_comments | comment_ratio | SLOCS | effort | estimated_development_time | team_size | avg_cyclomatic_complexity_per_function | mantainability_index | mantainability_index_ranged | url |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | Backdoor:AndroidOS/Bootloader-backdoor | Bootloader backdoor, Magisk backdoor | Installs a persistent backdoor binary on android devices with unlocked bootloader via TWRP that runs as system daemon with root permissions and without SELinux restrictions. Based on Magisk source code to inject the magiskinit binary into the boot partition. | Kotlin, Java | 51 | 2021 | ? | Backdoor | Backdoor, Elevated-Privilege-Abuse, Rooting | Magisk | Rooting, Privilege Escalation, Root Check, Reverse Shell, SELinux Policies Injection, Persistance, Access Network State, Foreground Service, Internet, Request Install Packages, Use Biometric, Use Fingerprint, Vibrate, Write External Storage, Reboot | android.permission.ACCESS_NETWORK_STATE, android.permission.FOREGROUND_SERVICE, android.permission.INTERNET, android.permission.REQUEST_INSTALL_PACKAGES, android.permission.USE_BIOMETRIC, android.permission.USE_FINGERPRINT, android.permission.VIBRATE, android.permission.WRITE_EXTERNAL_STORAGE | com.topjohnwu.magisk | eee15cf498c6e5969025b23104838ed643ccd4eab9bc4820520de94e5c3d27e0 | 0 | 50 | 0.000 | 3,700 | ? | ? | ? | 253,961 | 276,768 | 26.675 | 1,037,561 | 3,523.92 | 55.69 | 63.27 | ? | ? | ? | https://github.com/LuigiVampa92/unlocked-bootloader-backdoor-demo |
3 | Downloader:AndroidOS/KevDownloader | KevDownloader | This app downloads and installs a malicious Android app. | Java | 7 | 2018 | ? | Downloader | Downloader, Loader, Backdoor | KevDroid | Download Files, Install Apps, Create Files, Delete Files, Internet, Write External Storage | android.permission.INTERNET, android.permission.WRITE_EXTERNAL_STORAGE | com.fs0c131y.kevdownloader | 2a9a448aaaf7ba1aebff7881fb8279b6dcbb2f5e86b2a21807e74095af962bd9 | 0 | 51 | 0.000 | 19 | 5 | 21 | 4.20 | 89 | 75 | 12.195 | 615 | 1.44 | 2.87 | 0.50 | 1.76 | 90.434 | 52.885 | https://github.com/jay-tang111/KevDownloader |
4 | Dropper:AndroidOS/AndroidTrojanStarter | AndroidTrojanStarter | Starts another application's service and installs busybox and simple suid shell to /system/bin. | Java | 6 | 2016 | ? | Dropper | Dropper, Loader, Rooting, Elevated-Privilege-Abuse, Billing-Fraud | ? | Start Another Apps Service, Persistance, Mount Filesystems, Uninstall Itself, Install Apps, Rooting, Root Check, Access Network State, Call Phone, Send SMS | android.permission.ACCESS_NETWORK_STATE, android.permission.CALL_PHONE, android.permission.SEND_SMS | com.example.starter | f9a3c590bf42d54ba6b6c3ef6c171e8cc2aeab1e6a6f6c8e0dcfe6de287e5316 | 4 | 62 | 6.452 | 10 | 1 | 8 | 8.00 | 55 | 13 | 0.849 | 1,532 | 3.76 | 4.13 | 0.91 | 2.38 | 0.657 | 0.384 | https://github.com/androidtrojan1/android-trojan-starter- |
5 | Dropper:AndroidOS/Msf-Payload | Msf-Payload | Connects using SSL to a server and checks if trusted using X509Certificate. It then downloads a metasploit payload and runs it. | Java | 3 | 2021 | ? | Dropper | Dropper, Downloader, Billing-Fraud | ? | Run at Startup, Run in Background, Execute Payload, Periodical Connection With Server, Persistance, Create Files, Write Files, Delete Files, Data Encoding, SSL Connection, X509Certificate, Variable Names Obfuscation, Function Names Obfuscation, Camera, Microphone, Access Coarse Location, Access Fine Location, Access Network State, Access Wifi State, Change Wifi State, Call Phone, Internet, Read Call Log, Write Call Log, Read Contacts, Write Contacts, Read Phone State, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Record Audio, Set Wallpaper, Wake Lock, Write External Storage, Write Settings | android.hardware.camera, android.hardware.camera.autofocus, android.hardware.microphone, android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.CHANGE_WIFI_STATE, android.permission.INTERNET, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.SET_WALLPAPER, android.permission.WAKE_LOCK, android.permission.WRITE_CALL_LOG, android.permission.WRITE_CONTACTS, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SETTINGS | com.metasploit.stage | b9c73f0f316a6d5ccd2465dcbe51492b5a056221442d07d611f83eb0295e671b | 0 | 62 | 0.000 | 13 | 10 | 31 | 3.10 | 47 | 1 | 0.195 | 514 | 1.19 | 2.67 | 0.45 | 2.61 | 106.483 | 62.271 | https://github.com/Black-Hell-Team/sppen/tree/main/Mobile/Msf-Payload |
6 | Keylogger:AndroidOS/Android-Keylogger | Android-Keylogger | An app that collets all the typed data of the victim and sends it through an open socket. | Java | 5 | 2021 | Yes | Keylogger | Keylogger, Spyware | ? | Remote Data Exfiltration, Keystrokes Monitoring, Input Capture, Access Network State, Bind Accessibility Service, Internet | android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.INTERNET | com.mycompany.try2, com.keylogger | 0f9026e8fb7718323839e25e09b67e06ab59a11331d0723e8e93e1e84eb6d132 | 12 | 59 | 20.339 | 18 | 4 | 13 | 3.25 | 107 | 80 | 18.391 | 435 | 1.00 | 2.50 | 0.40 | 2.31 | 78.832 | 46.101 | https://github.com/shivamsuyal/Android-Keylogger |
7 | Keylogger:AndroidOS/AndroidKeyLogger | AndroidKeyLogger | Logs everything typed on the device and stores it locally. | Java | 9 | 2022 | ? | Keylogger | Keylogger | ? | Local Data Exfiltration, Logging, Keystrokes Monitoring, Input Capture, Bind Accessibility Service | android.permission.BIND_ACCESSIBILITY_SERVICE | com.gpow.androidkeylogger | efc6064be537be88dc2c84572190c8e4157efd1a15e3dc03ddb32a0433c941e1 | 0 | 60 | 0.000 | 24 | 7 | 54 | 7.71 | 178 | 207 | 21.340 | 970 | 2.32 | 3.44 | 0.67 | 1.43 | 98.155 | 57.401 | https://github.com/gokulrajanpillai/AndroidKeyLogger |
8 | Keylogger:AndroidOS/Apps_Keylogger | Apps_Keylogger, Shotdroid, DroidKeylogger | Logs everything typed on the device and stores it locally. | Java | 8 | 2021 | ? | Keylogger | Keylogger, Spyware | LokiBoard | Local Data Exfiltration, Multiple Languages, Keystrokes Monitoring, Input Capture, Bind Input Method, Vibrate | android.permission.BIND_INPUT_METHOD, android.permission.VIBRATE | com.DroidKeylogger.main | ad44169f824bdea6ae6ffb0ee5c250f32ac3e999e420e37c64052da5a3c66e02 | 0 | 60 | 0.000 | 686 | 103 | 1,283 | 12.46 | 3,073 | 19,367 | 55.447 | 34,929 | 100.13 | 14.39 | 6.96 | 2.17 | 72.056 | 42.138 | https://github.com/kp300/shotdroid/tree/master/Apps_Keylogger |
9 | Keylogger:AndroidOS/hackit-keylogger | hackit-keylogger, Hackers Keylogger | Logs everything typed on the device and stores it locally. | Java | 3 | 2021 | ? | Keylogger | Keylogger | ? | Local Data Exfiltration, Keystrokes Monitoring, Input Capture, Bind Input Method, Get Tasks Information | android.permission.BIND_INPUT_METHOD, android.permission.GET_TASKS | hack.hackit.pankaj.keyboardlisten | d93ac708a90fc5d00d4472b91341000804ce6145d6f044581939ac79dc3c7695 | 0 | 60 | 0.000 | 106 | 23 | 242 | 10.52 | 257 | 18 | 0.436 | 4,132 | 10.65 | 6.14 | 1.73 | 1.83 | 88.905 | 51.991 | https://github.com/Black-Hell-Team/sppen/tree/main/Mobile/hackit-keylogger |
10 | Keylogger:AndroidOS/HakistanKeyLogger | HakistanKeyLogger | A Full featured Android keylogger that stores Touches, Notifications, accounts, and device information and reports its handler via Gmail. | Java | 9 | 2020 | Yes | Keylogger | Botnet, Keylogger, Spyware, Mailfinder | ? | Remote Data Exfiltration, Run at Startup, Run in Background, Send Email, Connectivity Check, Root Check, Device Information, List Installed Apps, Keystrokes Monitoring, Input Capture, Make Toasts, Bind Notification Listener Service, Access Network State, Get Accounts, Internet, Read Contacts, Receive Boot Completed, Write External Storage | android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, android.permission.GET_ACCOUNTS, android.permission.INTERNET, android.permission.READ_CONTACTS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.WRITE_EXTERNAL_STORAGE | com.hak15tan.hakistankeylogger | 9d0a3ba6cc16bc609ec274e858e93c0cfcba193f6c3bc57d0590d8a27b2c03a8 | 21 | 61 | 34.426 | 37 | 13 | 88 | 6.77 | 601 | 279 | 14.006 | 1,992 | 4.95 | 4.59 | 1.08 | 1.89 | 70.510 | 41.234 | https://github.com/hakistan/HakistanKeylogger |
11 | Keylogger:AndroidOS/Keylogapp | Android Keylogger, keylogapp | Basic keylogger that logs keystrokes and sends them to a remote server. | Java | 12 | 2021 | ? | Keylogger | Botnet, Keylogger, Spyware | ? | Remote Data Exfiltration, Logging, Keystrokes Monitoring, Input Capture, Bind Accessibility Service, Internet | android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.INTERNET | com.maemresen.infsec.keylogapp | 7c84d229f567792aa0a49beb247a151c0614c233f1a162f807f30f34d16f2c0b | 0 | 60 | 0.000 | 42 | 16 | 95 | 5.94 | 326 | 254 | 18.663 | 1,361 | 3.32 | 3.94 | 0.84 | 1.41 | 91.972 | 53.785 | https://github.com/maemresen/android-keylogger |
12 | Keylogger:AndroidOS/Lokiboard | Lokiboard | Logs everything typed on the device and stores it locally. | Java | 10 | 2020 | ? | Keylogger | Keylogger, Spyware | LokiBoard | Local Data Exfiltration, Keystrokes Monitoring, Input Capture, Multiple Languages, Bind Input Method, Vibrate | android.permission.BIND_INPUT_METHOD, android.permission.VIBRATE | com.abifog.lokiboard | c6ff617b813196edf51f90ab575afc69a44f33b7d97775e969271c9078314ae1 | 3 | 61 | 4.918 | 656 | 103 | 1,283 | 12.46 | 3,088 | 19,389 | 56.133 | 34,541 | 98.96 | 14.33 | 6.91 | 2.17 | 71.458 | 41.788 | https://github.com/IceWreck/LokiBoard-Android-Keylogger |
13 | Keylogger:AndroidOS/Lokiboard-mod | Lokiboard-mod, Lokiboard | Modded Keylogger with remote reporting via Gmail. | Java | 10 | 2020 | ? | Keylogger | Botnet, Keylogger, Spyware, Mailfinder | LokiBoard | Remote Data Exfiltration, Run at Startup, Send Email, Logging, Keystrokes Monitoring, Input Capture, Device Information, Multiple Languages, Access Network State, Bind Input Method, Foreground Service, Get Accounts, Internet, Receive Boot Completed, Vibrate, Wake Lock | android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_INPUT_METHOD, android.permission.FOREGROUND_SERVICE, android.permission.GET_ACCOUNTS, android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.VIBRATE, android.permission.WAKE_LOCK | com.abifog.lokiboard | b52da0349acf7a15716349cda43296a82c3a2877d0df2d714fa5ac0ec4b37240 | 0 | 61 | 0.000 | 653 | 109 | 1,350 | 12.39 | 3,720 | 19,787 | 55.880 | 35,410 | 101.58 | 14.47 | 7.02 | 2.16 | 69.619 | 40.713 | https://github.com/hakistan/Lokiboard-Mod |
14 | Locker:AndroidOS/andr0id_l0cker.MX | android_locker, andr0id_l0cker, testlock | Locks the device and asks for a key to unlock the device. The key is sent to a C2 server, which is compared to the following user inputted tries. | Java | 8 | 2021 | Yes | Locker | Locker, C2, Elevated-Privilege-Abuse | andr0id_l0cker | Lock Device, Check Screen Locked, Activate Admin, Privilege Escalation, Persist on Screen, Uninstall Itself, Create Files, Write Files, Connectivity Check, Run at Startup, Device Information, Media Player, Access Network State, Bind Device Admin, Disable Keyguard, Get Tasks, Internet, Kill Background Process, Read Phone State, Receive Boot Completed, System Alert Window, Wake Lock, Write External Storage | android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_DEVICE_ADMIN, android.permission.DISABLE_KEYGUARD, android.permission.GET_TASKS, android.permission.INTERNET, android.permission.KILL_BACKGROUND_PROCESSES, android.permission.READ_PHONE_STATE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.SYSTEM_ALERT_WINDOW, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE | com.example.testlock | 8ff18d55ba3b254a83ad118a68db9000c70bdcb21ff0b12c9088fd9af221f244 | 33 | 61 | 54.098 | 47 | 4 | 62 | 15.50 | 571 | 535 | 21.146 | 2,530 | 6.36 | 5.05 | 1.26 | 1.66 | 86.524 | 50.599 | https://github.com/ytisf/theZoo/tree/master/malware/Source/Original/andr0id_l0cker |
15 | Locker:AndroidOS/andr0id_l0cker.US | android_locker, andr0id_l0cker, testlock | Locks the device and asks for a key to unlock the device. The key is sent to a C2 server, which is compared to the following user inputted tries. | Java | 8 | 2021 | Yes | Locker | Locker, C2, Elevated-Privilege-Abuse | andr0id_l0cker | Lock Device, Check Screen Locked, Activate Admin, Privilege Escalation, Persist on Screen, Uninstall Itself, Create Files, Write Files, Connectivity Check, Run at Startup, Device Information, Media Player, Access Network State, Bind Device Admin, Disable Keyguard, Get Tasks, Internet, Kill Background Process, Read Phone State, Receive Boot Completed, System Alert Window, Wake Lock, Write External Storage | android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_DEVICE_ADMIN, android.permission.DISABLE_KEYGUARD, android.permission.GET_TASKS, android.permission.INTERNET, android.permission.KILL_BACKGROUND_PROCESSES, android.permission.READ_PHONE_STATE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.SYSTEM_ALERT_WINDOW, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE | com.example.testlock | 8201ed6d0199829a468bb344849f246cec33d85e17267625528e116c297b497a | 32 | 61 | 52.459 | 48 | 4 | 62 | 15.50 | 652 | 535 | 14.907 | 3,589 | 9.18 | 5.81 | 1.58 | 1.65 | 85.220 | 49.836 | https://github.com/ytisf/theZoo/tree/master/malware/Source/Original/andr0id_l0cker |
16 | Locker:AndroidOS/EvilScreen | EvilScreen | An app which attempts to prevent the victim from using the device. | Kotlin | 9 | 2021 | ? | Locker | Locker | ? | Lock Device, Check Screen Locked, Persist on Screen, Overlay, Draw Over Other Apps, Schedule Tasks, Icon Hiding, Stealth, System Alert Window | android.permission.SYSTEM_ALERT_WINDOW | com.evilthreads | 786bfe38a5a43bd1fddd01345a39a3b2eb444cbb39c3b29eb442b61b353383b8 | 0 | 61 | 0.000 | 35 | ? | ? | ? | 183 | 515 | 51.142 | 1,007 | 2.42 | 3.50 | 0.69 | ? | ? | ? | https://github.com/evilthreads669966/EvilScreen |
17 | Locker:AndroidOS/Lockscreen | android_locker, lockscreen | Locks the device during a specified time. It can be unlocked with a password. | Java | 10 | 2018 | ? | Locker | Locker, Overlay, Elevated-Privilege-Abuse | ? | Lock Device, Check Admin, Activate Admin, Privilege Escalation, Schedule Tasks, Overlay, Draw Over Other Apps, Persist on Screen, Create Files, Alarm, Make Toasts, Run at Startup, Access Network State, Bind Device Admin, Disable Keyguard, Get Tasks, Internet, Read Phone State, Receive Boot Completed, System Alert Window, System Overlay Window, Wake Lock, Write External Storage | android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_DEVICE_ADMIN, android.permission.DISABLE_KEYGUARD, android.permission.GET_TASKS, android.permission.INTERNET, android.permission.PHONE_STATE_STATE, android.permission.READ_PHONE_STATE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.SYSTEM_ALERT_WINDOW, android.permission.SYSTEM_OVERLAY_WINDOW, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE | com.dev.joks.lockscreen | 3367195a01b9011c5fa4c45ba83502b42e9c1f32908dad39278f452d70b3b1f9 | 0 | 61 | 0.000 | 85 | 13 | 85 | 6.54 | 310 | 138 | 2.419 | 5,706 | 14.94 | 6.99 | 2.14 | 1.79 | 83.067 | 48.577 | https://github.com/ProvisionLab/Android_Locker |
18 | Password-Stealing-Ware:AndroidOS/Password_Sniffer | Password_Sniffer | Android hacking widget which runs in the background to demonstrate credential sniffing on a primitive android login app. | Java | 8 | 2017 | ? | Password-Stealing-Ware | Spyware, Password-Stealing-Ware | ? | Local Data Exfiltration, Credential Theft, Run in Background | - | com.example.hackapp | 09700e16935f0696ca0f688821a26fb19fefb4a1904013d0b85c7c7ecba69200 | 0 | 59 | 0.000 | 41 | 9 | 23 | 2.56 | 111 | 120 | 17.366 | 691 | 1.63 | 3.01 | 0.54 | 1.52 | 113.455 | 66.348 | https://github.com/shivenchawla/Password_Sniffer |
19 | Phishing:AndroidOS/AndroidMalwareDemo | AndroidMalwareDemo | Android phishing app which injects a fake login view into a target application when opened and steals user credentials. | Java | 9 | 2020 | ? | Phishing | Phishing, Trojan, Password-Stealing-Ware | ? | Local Data Exfiltration, Credential Theft, Draw Over other Apps, Run at Startup, Run in Background, Get Tasks, Package Usage Stats, Receive Boot Completed, System Alert Window | android.permission.GET_TASKS, android.permission.PACKAGE_USAGE_STATS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.SYSTEM_ALERT_WINDOW | app.mordred.androidmalwaredemo | 63b347fe9168056847ee37f633609d4c390d372e33b406351efc9a6882252b8a | 0 | 60 | 0.000 | 29 | 7 | 46 | 6.57 | 150 | 80 | 7.333 | 1,091 | 2.63 | 3.61 | 0.73 | 1.72 | 85.823 | 50.189 | https://github.com/sirmordred/AndroidMalwareDemo |
20 | Phishing:AndroidOS/InstaBrowser | InstaBrowser | Android phishing app emulating a legitimate app that sends user credentials via mail. | Java | 10 | 2021 | ? | Phishing | Phishing, Trojan, Spyware, Password-Stealing-Ware | ? | Remote Data Exfiiltration, Credential Theft, Send Email, Device Information, Internet | android.permission.INTERNET | com.ariashirazi.instabrowser | aee7db7ff9a9a15bd7c72b86180ba47202a58ab7af8d59d77457101bc39745a9 | 0 | 60 | 0.000 | 31 | 4 | 19 | 4.75 | 202 | 70 | 8.206 | 853 | 2.03 | 3.27 | 0.62 | 1.79 | 99.894 | 58.418 | https://github.com/ariashirazi/InstaBrowser |
21 | Phishing:AndroidOS/PhishingApp | Phishing mobile app | Phishing app that sends user email, password and device information. | Java | 16 | 2021 | ? | Phishing | Phishing, Spyware, Password-Stealing-Ware | ? | Remote Data Exfiiltration, Credential Theft, Device Information, Internet, Access Network State, Access Wifi State, System Alert Window | android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.INTERNET, android.permission.SYSTEM_ALERT_WINDOW | com.phishingapp | f2fb0b869019c3148a900dea17fcf686bd1768273171f8803a72d0aebcf23b44 | 0 | 61 | 0.000 | 65 | 8 | 34 | 4.25 | 215 | 290 | 1.660 | 17,475 | 48.39 | 10.92 | 4.43 | 1.68 | 57.829 | 33.818 | https://github.com/ivan-sincek/phishing-mobile-app |
22 | Ransomware:AndroidOS/AndroMalware | AndroMalware Ransomware | Ransomware able to encrypt and decrypt files using AES and exfiltrate Device Information, SMS and location via SMS. | Java | 2 | 2014 | Yes | Ransomware | Encryption-Ransomware, Trojan, Billing-Fraud, Spyware | ? | Sandbox Aware, File Encryption, File Decryption, Remote Data Exfiltration, Device Information, Access Coarse Location, Access Fine Location, Broadcast SMS, Internet, Read External Storage, Write External Storage, Read Phone State, Read SMS, Receive SMS, Send SMS | android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.BROADCAST_SMS, android.permission.INTERNET, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_SMS, android.permission.SEND_SMS, android.permission.WRITE_EXTERNAL_STORAGE | android.malware.ransonware | d2089b6f255c73c8131e647e36b4dc1d25d3ce56ceb2d94fef917473f1322f98 | 17 | 61 | 27.869 | 21 | 14 | 40 | 2.86 | 131 | 24 | 4.089 | 587 | 1.37 | 2.82 | 0.49 | 1.58 | 102.795 | 60.114 | https://github.com/CCrashBandicot/AndroMalware |
23 | Ransomware:AndroidOS/Covid19_Ransomware | Covid19_Ransomware | Fake Coronavirus Tracking app that locks the device with a Ransomware note. | Java | 4 | 2021 | Yes | Ransomware | Screen-Locking-Ransomware, Locker, Trojan, Elevated-Privilege-Abuse | CoronaLocker | Lock Device, Activate Admin, Privilege Escalation, Persist on Screen, Run at Startup, Run in Background, Icon Hiding, Stealth, Variable Names Obfuscation, Function Names Obfuscation, Enforce Password Policy, Creates New Admin, Bind Accessibility Service, Bind Device Admin, Foreground Service, Receive Boot Completed, Request Ignore Battery Optimization | android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.BIND_DEVICE_ADMIN, android.permission.FOREGROUND_SERVICE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.device.security | 553c9f12a4e4df2f35d198b6f1c055bf4afec9d9b15c02fe6eac7cfe462b0a3d | 0 | 59 | 0.000 | 40 | 30 | 211 | 7.03 | 291 | 41 | 1.086 | 3,777 | 9.69 | 5.93 | 1.63 | 1.64 | 92.753 | 54.242 | https://github.com/Black-Hell-Team/sppen/tree/main/Mobile/Covid19_Ransomware |
24 | Ransomware:AndroidOS/Covid-Locker | Covid-Locker, CoronaLocker, AppLocker, CovidLock, Coronavirus Tracker, Coronavirusapp | Fake Coronavirus Tracking app that locks the device with a Ransomware note. | Java | 3 | 2021 | Yes | Ransomware | Screen-Locking-Ransomware, Locker, Trojan, Elevated-Privilege-Abuse | CoronaLocker | Lock Device, Activate Admin, Privilege Escalation, Persist on Screen, Run at Startup, Run in Background, Icon Hiding, Stealth, Variable Names Obfuscation, Function Names Obfuscation, Enforce Password Policy, Creates New Admin, Bind Accessibility Service, Bind Device Admin, Foreground Service, Receive Boot Completed, Request Ignore Battery Optimization | android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.BIND_DEVICE_ADMIN, android.permission.FOREGROUND_SERVICE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.device.security | a393a4af91168d9f20950930462286538203e518ef731682a9b3cdb1236dd503 | 16 | 61 | 26.230 | 992 | 637 | 5,846 | 9.18 | 9,241 | 4,087 | 6.320 | 64,668 | 191.18 | 18.40 | 10.39 | 1.87 | 106.611 | 62.346 | https://github.com/Black-Hell-Team/sppen/tree/main/Mobile/Covid-Locker |
25 | Ransomware:AndroidOS/SARA | SARA, S4R4 | Framework for building custom Ransomware apps. | Python | 3 | 2022 | Yes | Ransomware | Screen-Locking-Ransomware, Locker, Trojan | ? | Lock Device, Persist on Screen, Run at Startup, System Alert Window, Receive Boot Completed, Read External Storage, Write External Storage, Read Contacts, Read SMS, Access Fine Location, Wake Lock, Internet, Request Install Package, Camera | android.permission.SYSTEM_ALERT_WINDOW, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.SET_WALLPAPER, android.permission.READ_EXTERNAL_STORAGE, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.READ_CONTACTS, android.permission.READ_SMS, android.permission.ACCESS_FINE_LOCATION, android.permission.WAKE_LOCK, android.permission.INTERNET, android.permission.REQUEST_INSTALL_PACKAGE, android.permission.CAMERA | com.termuxhackers.id | 1a28f2f10fc856b42581c95caf35ac2e33383e4e8c3d9a7b8b771443dace3027 | 23 | 61 | 37.705 | 3 | 1 | 4 | 4.00 | 15 | 4 | 1.951 | 205 | 0.45 | 1.85 | 0.25 | 6.00 | ? | ? | https://github.com/termuxhackers-id/SARA |
26 | RAT:AndroidOS/Adobot | Adobot | Spyware app that connects to a C2 and receives commands to monitor and retrieve information from the device, such as SMS, location, contacts... | Java | 9 | 2019 | Yes | RAT | Spyware, Botnet, C2, RAT, Backdoor, Billing-Fraud | AdoBot | Remote Data Exfiltration, Icon Hiding, Stealth, Update App, Install Apps, Run in Background, Bot, Run at Startup, Device Information, Bind Job Service, Access Coarse Location, Access Fine Location, Access Network State, Internet, Process Outgoing Calls, Read Call Log, Write Call Log, Read Contacts, Write Contacts, Read Phone State, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Write External Storage | android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_JOB_SERVICE, android.permission.INTERNET, android.permission.PROCESS_OUTGOING_CALLS, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.SEND_SMS, android.permission.WRITE_CALL_LOG, android.permission.WRITE_CONTACTS, android.permission.WRITE_EXTERNAL_STORAGE | com.android.adobot | 7b88e7c32f9f14d7de3ab8d2a50905584779bc535ced3899252c7a23918e19bd | 0 | 59 | 0.000 | 52 | 23 | 200 | 8.70 | 707 | 299 | 10.156 | 2,944 | 7.46 | 5.36 | 1.39 | 1.68 | 74.435 | 43.529 | https://github.com/adonespitogo/AdoBot |
27 | RAT:AndroidOS/AhMyth | AhMyth | Connects to the server in time intervals and reads call logs, contacts, location, records audio, takes pictures, gets and sends SMS, lists files and uploads files to server. | Java | 29 | 2020 | Yes | RAT | Spyware, C2, RAT, Botnet, Billing-Fraud, Backdoor | AhMyth | Remote Data Exfiltration, Run at Startup, Run in Background, Periodical Connection With Server, Bot, Icon Hiding, Stealth, Create Files, Upload Files, List Files, Device Information, Camera, Access Fine Location, Access Network State, Internet, Modify Audio Settings, Read Call Log, Read Contacts, Read External Storage, Write External Storage, Read Phone State, Read SMS, Send SMS, Receive Boot Completed, Record Audio, Wake Lock | android.hardware.camera, android.hardware.camera.autofocus, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.CAMERA, android.permission.INTERNET, android.permission.MODIFY_AUDIO_SETTINGS, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE | ahmyth.mine.king.ahmyth | 3e5c7c3ce0a1d1f6475dc9b2fd60c769ad798880b1c40bd3e6fe7cb610418d33 | 1 | 32 | 3.125 | 6,024 | 17 | 71 | 4.18 | 110,972 | 119,575 | 15.700 | 761,610 | 2,547.01 | 49.23 | 51.74 | 2.20 | 90.044 | 52.657 | https://github.com/AhMyth/AhMyth-Android-RAT |
28 | RAT:AndroidOS/AndroidClient | AndroidClient | A client-based remote administration tool to be used for communication via SSL with a server web-interface to send call logs, SMS, location, contacts, audio, camera, image files, browser bookmarks, open a URL, etc. through commands. | Java | 10 | 2018 | ? | RAT | RAT, Backdoor, Spyware, Botnet, C2, Downloader, Wiper, Billing-Fraud | ? | Remote Data Exfiltration, Bot, Run in Background, Run at Startup, Data Encryption, Data Decryption, Compress Files, Decompress Files, Uninstall Itself, File Integrity Check, Root Check, List Installed Apps, Clipboard, List Files, Upload Files, Delete Files, Download Files, Open URL, Browser Bookmarks, Device Information, Access Coarse Location, Access Fine Location, Access Network State, Access Wifi State, Camera, Capture Voice Call, Change Wifi State, Delete Packages, Internet, Read Call Log, Read Contacts, Read External Storage, Write External Storage, Read Phone State, Read SMS, Send SMS, Write SMS, Receive Boot Completed, Record Audio, Storage, Write Call Log | android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.CAMERA, android.permission.CAPTURE_VOICE_CALL, android.permission.CHANGE_WIFI_STATE, android.permission.DELETE_PACKAGES , android.permission.INTERNET, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.STORAGE, android.permission.WRITE_CALL_LOG, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SMS | com.revcode.client | 53041af121900889a6c0af0b41e4a7d521c0cf308fecf192483f42efafc1cf24 | 1 | 60 | 1.667 | 241 | 23 | 165 | 7.17 | 959 | 4,976 | 24.971 | 19,927 | 55.54 | 11.51 | 4.83 | 3.04 | 63.511 | 37.141 | https://github.com/rev-code/androidclient |
29 | RAT:AndroidOS/AndroidMalwareExample | Android Malware Example | Connects to a C2 Server through SSL and receives commands to execute several features, like Ransomware, Data Exfiltration (Network/Device/Bluettoth inforamtion, Accounts, Contacts, Call Logs, SMS, System Logs, GPS, Audio, Files, Browser History, etc.), Send SMS, Configure a delay to check back with the server. | Java | 9 | 2016 | ? | RAT | Spyware, C2, Botnet, Encryption-Ransomware, RAT, Backdoor, Downloader, Mailfinder, Elevated-Privilege-Abuse, Billing-Fraud | ? | Remote Data Exfiltration, Activate Admin, Privilege Escalation, Periodical Connection With Server, List Installed Apps, Remote Key, File Encryption, File Decryption, Compress Files , Decompress Files, Download Files, List Files, Upload Files, Copy Files, SSL Communication, Run at Startup, Run in Background, Access Coarse Location, Access Fine Location, Access Network State, Access Wifi State, Access Change Wifi State, Bluetooth, Bluetooth Admin, Camera, Get Accounts, Internet, Read Call Log, Read Contacts, Read External Storage, Write External Storage, Read History Bookmarks, Read Phone State, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Record Audio, SMS Received | android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.BLUETOOTH, android.permission.BLUETOOTH_ADMIN, android.permission.CAMERA, android.permission.CHANGE_WIFI_STATE, android.permission.GET_ACCOUNTS, android.permission.INTERNET, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_HISTORY_BOOKMARKS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.SMS_RECEIVED, android.permission.WRITE_EXTERNAL_STORAGE | com.burke_consulting.malwareexample | 6925cfdaf20a81be7ea864aff87c16ac9a823e02f5e653ad4af321ac75d432a1 | 0 | 60 | 0.000 | 58 | 35 | 232 | 6.63 | 1,143 | 1,244 | 30.364 | 4,097 | 10.55 | 6.12 | 1.72 | 2.81 | 96.560 | 56.468 | https://github.com/darrylburke/AndroidMalwareExample |
30 | RAT:AndroidOS/AndroidR.A.T | Android R.A.T Client | App that connects to a server and receives commands to exfiltrates audio, location coordinates, call log, battery information, list of installed apps, contacts (can also add new ones), calendar events (can also add new ones, delete and modify existing ones), takes pictures and videos, get and send SMS, perform operations on files (upload, download, move, copy, delete...) | Java | 5 | 2017 | ? | RAT | Spyware, C2, Botnet, Downloader, RAT, Billing-Fraud, Backdoor | ? | Remote Data Exfiltration, Bot, List Files, Copy Files, Move Files, Delete Files, Rename Files, Paste Files, Download Files, Upload Files, List Installed Apps, Icon Hiding, Stealth, Device Information, Access Coarse Location, Access Fine Location, Access Network State, Camera, Change Network State, Internet, Read Calendar, Write Calendar, Read Call Log, Read Contacts, Write Contacts, Read External Storage, Write External Storage, Read SMS, Send SMS, Record Audio | android.hardware.camera, android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.CAMERA, android.permission.CHANGE_NETWORK_STATE, android.permission.INTERNET, android.permission.READ_CALENDAR, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.WRITE_CALENDAR, android.permission.WRITE_CONTACTS, android.permission.WRITE_EXTERNAL_STORAGE | com.dev.ah10.androidratclient | 04d1cddd5ceb8dc3446d11042707767625d5c7eadb8396661702263aec46256f | 0 | 33 | 0.000 | 26 | 15 | 90 | 6.00 | 328 | 96 | 4.956 | 1,937 | 4.81 | 4.54 | 1.06 | 2.96 | 54.486 | 31.863 | https://github.com/AdvancedHacker101/android-R.A.T-Client |
31 | RAT:AndroidOS/AndroidSpyApp | Adroid Spy App, Hawkshaw | Android spy app, which uploads user data such as contacts, messages, call log, send messages, photos, videos, files, open a browser link, lock the device, encrypt/decrypt files, etc. | Kotlin, Java | 10 | 2020 | Yes | RAT | Spyware, Botnet, C2, RAT, Trojan, Downloader, Keylogger, Locker, Wiper, Backdoor, Encryption-Ransomware, Billing-Fraud | Hawkshaw | Remote Data Exfiltration, Icon Hiding, Stealth, Run in Background, Run at Startup, Bot, Install Apps, List Files, Upload Files, Download Files, Open Apps, Open URLs, Remote Shell, File Encryption, File Decryption, Change Password, Lock Device, Force Reboot, Wipe Data, Instagram, WhatsApp, Tinder, Snapchat, Device Information, Keystrokes Monitoring, Input Capture, Record Screen, Set Alarm, Browser History, Camera, Access Coarse Location, Access Fine Location, Access Network State, Bind Notification Listener Service, Call Phone, Flashlight, Internet, Read Call Log, Write Call Log, Read Contacts, Write Contacts, Read External Storage, Write External Storage, Read Phone State, Read SMS, Send SMS, Receive Boot Completed, Record Audio, System Alert Window, Wake Lock | android.hardware.camera2.full, android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.FLASHLIGHT, android.permission.INTERNET, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.SYSTEM_ALERT_WINDOW, android.permission.WAKE_LOCK, android.permission.WRITE_CALL_LOG, android.permission.WRITE_CONTACTS, android.permission.WRITE_EXTERNAL_STORAGE | me.hawkshaw | 779f5133861f67249f09e7ba6c46604a939c9a829b1255782e72239d08a958da | 0 | 62 | 0.000 | 54 | ? | ? | ? | 690 | 313 | 11.287 | 2,773 | 7.00 | 5.24 | 1.34 | ? | ? | ? | https://github.com/abhinavsuthar/Android_Spy_App |
32 | RAT:AndroidOS/AndroidSurveilance | AndroidSurveilance | Android Surveilance Tool, which works like an HTTP Shell to receive and execute commands (lock the device, wipe data, open a root shell, etc.) and send data to the server (including files, screenshots, installled apps, audio, photos, etc.) | Java | 9 | 2013 | ? | RAT | Spyware, Botnet, C2, Rooting, RAT, Backdoor, Downloader, Dropper, Locker, Wiper, Backdoor, Mailfinder, Elevated-Privilege-Abuse | ? | Rooting, Activate Admin, Privilege Escalation, Root Check, Remote Data Exfiltration, Bot, Install Apps, Run in Background, Run at Startup, Root Shell, Lock Device, List Files, Upload Files, Download Files, Wipe Data, Delete Keys, Mount Filesystems, Unmount Filesystems, ADB Enabled, Compress Files, Decompress Files, Device Information, Screenshot, Access Coarse Location, Access Fine Location, Access Network State, Access Wifi State, Access Superuser, Bind Device Admin, Bind Input Method, Camera, Diagnostic, Get Accounts, Internet, Persistent Activity, Read Call Log, Read Contacts, Read External Storage, Write External Storage, Read Phone State, Read SMS, Receive SMS, Receive Boot Completed, Record Audio, Write Secure Settings, Write Settings, Read History Bookmarks | android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_SUPERUSER, android.permission.ACCESS_WIFI_STATE, android.permission.BIND_DEVICE_ADMIN, android.permission.BIND_INPUT_METHOD, android.permission.CAMERA, android.permission.DIAGNOSTIC, android.permission.GET_ACCOUNTS, android.permission.INTERNET, android.permission.PERSISTENT_ACTIVITY, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SECURE_SETTINGS, android.permission.WRITE_SETTINGS, com.android.browser.permission.READ_HISTORY_BOOKMARKS | com.android.classic | e5b823be2600bd192a3dad3639f987535f53ef3fc5a86f3fb8a25dc3007995a7 | 0 | 61 | 0.000 | 207 | 25 | 178 | 7.12 | 8,173 | 20,711 | 72.194 | 28,688 | 81.43 | 13.31 | 6.12 | 2.62 | 88.192 | 51.574 | https://github.com/amartinz/AndroidSurveilance |
33 | RAT:AndroidOS/Android_Trojan | Android_Trojan | Periodically connects to the server, syncs files and can perform many operations: track location, change wifi state, make calls, check connection, receive and execute commands, record audio, record and register calls, upload pictures taken, list and upload files, execute a remote and root shell, check if online, read and send SMS, take pictures, read call logs, download files, get device information, get bookmarks and history, get contacts, take screenshot | Java | 4 | 2016 | ? | RAT | Spyware, C2, Botnet, Backdoor, Downloader, RAT, Elevated-Privilege-Abuse, Billing-Fraud | AndroidTrojan | Remote Data Exfiltration, Run at Startup, Run in Background, Open URL, Stealth, Check Screen Locked, Periodical Connection With Server, Bot, Remote Shell, Root Shell, Create Files, Delete Files, Upload Files, Download Files, List Files, Icon Hiding, Change Wifi State, Persistance, Device Information, Screenshot, Access Fine Location, Access Network State, Call Phone, Camera, Internet, Process Outgoing Calls, Read Call Log, Read Contacts, Read External Storage, Write External Storage, Read Phone State, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Record Audio, Wake Lock, Write Secure Settings, Write Settings, Read History Bookmarks | android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.INTERNET, android.permission.PROCESS_OUTGOING_CALLS, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SECURE_SETTINGS, android.permission.WRITE_SETTINGS, com.android.browser.permission.READ_HISTORY_BOOKMARKS | com.example.trojan | 2268eec422718a5caac769a51cf1fcb0536729d7aaa0607570a590937d101f61 | 0 | 60 | 0.000 | 15 | 12 | 86 | 7.17 | 394 | 107 | 5.784 | 1,850 | 4.58 | 4.46 | 1.03 | 3.36 | 53.444 | 31.254 | https://github.com/androidtrojan1/android_trojan |
34 | RAT:AndroidOS/AndroidTrojan-JAVA | AndroidTrojan-JAVA | Records all phone calls and uploads them every 3 hours, sends a copy of incoming SMS, periodically checks for commands, download files, open a shell (root shell if available), forces reboot, takes a photo, gets location, device information, call logs, bookmarks, browser history, etc. | Java | 4 | 2016 | ? | RAT | Spyware, Trojan, Botnet, RAT, C2, Backdoor, Downloader, Wiper, Elevated-Privilege-Abuse, Billing-Fraud | AndroidTrojan | Remote Data Exfiltration, Force Reboot, Remote Shell, Root Shell, Periodical Connection With Server, Upload Files, Download Files, Delete Files, Bot, Icon Hiding, Stealth, Screenshot, Persistance, Install as Root, Root Check, Run at Startup, Run in Background, Device Information, Access Fine Location, Access Coarse Location, Access Network State, Call Phone, Camera, Internet, Process Outgoing calls, Read Call Log, Read Contacts, Read External Storage, Write External Storage, Read Phone State, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Record Audio, Wake Lock, Write Secure Settings, Write Settings, Read History Bookmarks | android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.INTERNET, android.permission.PROCESS_OUTGOING_CALLS, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SECURE_SETTINGS, android.permission.WRITE_SETTINGS, com.android.browser.permission.READ_HISTORY_BOOKMARKS | com.example.trojan | 65cb2bce9fbe5c65f1c1a565a041347377efe961fad0c75273f5f61ccfcb2595 | 0 | 50 | 0.000 | 15 | 12 | 86 | 7.17 | 394 | 107 | 5.784 | 1,850 | 4.58 | 4.46 | 1.03 | 3.36 | 53.444 | 31.254 | https://github.com/Soldie/android_trojan-JAVA |
35 | RAT:AndroidOS/AndroidTrojanService | AndroidTrojanService | Records all phone calls and uploads them every 3 hours, sends a copy of incoming SMS, periodically checks for commands, download files, open a shell (root shell if available), forces reboot, forces full factory format, alerts via telegram, takes a photo, gets location, device information, call logs, bookmarks, browser history, etc. | Java | 5 | 2016 | Yes | RAT | Spyware, Trojan, Botnet, RAT, C2, Backdoor, Downloader, Wiper, Elevated-Privilege-Abuse, Billing-Fraud | ? | Remote Data Exfiltration, Telegram Alerts, Factory Format, Force Reboot, Remote Shell, Root Shell, Periodical Connection With Server, Upload Files, Download Files, Delete Files, Bot, Icon Hiding, Stealth, Screenshot, Persistance, Install as Root, Root Check, Run at Startup, Run in Background, Device Information, Access Fine Location, Access Network State, Call Phone, Camera, Internet, Process Outgoing Calls, Read Call Log, Read Contacts, Read External Storage, Write External Storage, Read Phone State, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Record Audio, Wake Lock, Write Secure Settings, Write Settings, Read History Bookmarks | android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.INTERNET, android.permission.PROCESS_OUTGOING_CALLS, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SECURE_SETTINGS, android.permission.WRITE_SETTINGS, com.android.browser.permission.READ_HISTORY_BOOKMARKS | com.example.test | da0e5b4f9f47f6c6272b2600bf0196c6d2d425adae4d574b191a653930442368 | 13 | 61 | 21.311 | 18 | 11 | 67 | 6.09 | 343 | 44 | 2.503 | 1,758 | 4.34 | 4.37 | 0.99 | 3.96 | 47.701 | 27.895 | https://github.com/androidtrojan1/android-trojan-service- |
36 | RAT:AndroidOS/AndroRAT | AndroRat | Application that receives commands from a server to get live GPS coordinates, audio stream, call logs, contacts, device information, video stream, files, take pictures, list directories, monitor live calls, perform toasts, send and get SMS, monitor SMS, make calls, set preferences, download files, open browser, vibrate and disconnect. The connection can be started when a specific SMS or call is received. | Java | 6 | 2012 | Yes | RAT | Spyware, C2, Botnet, RAT, Downloader, Billing-Fraud, Backdoor | AndroRAT | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Connectivity Check, List Files, Upload Files, Download Files, Open URLs, Make Toasts, Device Information, Access Fine Location, Access Network State, Call Phone, Camera, Internet, Process Outgoing Calls, Read Contacts, Read Phone State, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Record Audio, Vibrate, Write External Storage | android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.INTERNET, android.permission.PROCESS_OUTGOING_CALLS, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.VIBRATE, android.permission.WRITE_EXTERNAL_STORAGE | my.app.client | 5595cd67fd6987951ea054ce8be0fb5528e328755b85457e938cb2a2cd003399 | 33 | 62 | 53.226 | 122 | 97 | 890 | 9.18 | 2,520 | 958 | 8.758 | 10,938 | 29.59 | 9.06 | 3.27 | 1.77 | 78.957 | 46.174 | https://github.com/DesignativeDave/androrat |
37 | RAT:AndroidOS/AndroSpy | AndroSpy, Vadisi | It binds as admin and sends information to a server through a socket connection. It streams audio, calls and video, screen stream, takes pictures, interact with files (upload, download, move, write, check, copy, read, create, lists, rename and delete), opens apps, uninstalls apps, lists installed apps, gets and sets clipboard, monitors keystrokes, executes shell commands (as root if needed), installs app shortcut, opens a URL, sends device information, enable/disable bluetooth, enable/disable wifi, sends GPS coordinates, gets, intercepts and sends SMS, gets and modifies call log, makes call, sends and modifies (add and delete) contacts, etc. | C# | 8 | 2021 | ? | RAT | Spyware, C2, Botnet, RAT, Backdoor, Downloader, Keylogger, Elevated-Privilege-Abuse, Billing-Fraud | ? | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Read Files, Create Files, Check Files, Rename Files, Move Files, Copy Files, Write Files, Delete Files, List Files, Upload Files, Download Files, Keystrokes Monitoring, Input Capture, Icon Hiding, Stealth, List Installed Apps, Open Apps, Activate Admin, Privilege Escalation, Doze Mode, Media Player, Remote Shell, Root Shell, Root Check, Open URL, Connectivity Check, Uninstall Apps, Set Alarm, Check Screen Locked, Clipboard, Periodical Connection With Server, Persistance, Screen Stream, Data Encoding, Data Decoding, Compress Files, Decompress Files, Make Notifications, Make Toasts, Device Information, Volume, Brightness, Access Coarse Location, Access Fine Location, Access Location Extra Commands, Access Mock Location, Access Network State, Access Wifi State, Battery Stats, Bind Device Admin, Bluetooth, Bluetooth Admin, Call Phone, Camera, Capture Audio Output, Change Wifi State, Delete Packages, Flashlight, Foreground Service, Internet, Modify Audio Settings, Process Outgoing Calls, Read Call Log, Write Call Log, Read Contacts, Write Contacts, Read External Storage, Write External Storage, Read Phone State, Broadcast SMS, Read SMS, Receive SMS, Send SMS, Write SMS, Receive Boot Completed, Record Audio, Request Delete Packages, Request Ignore Battery Optimizations, Set Wallpaper, System Alert Windows, Vibrate, Wake Lock, Write Secure Settings, Write Settings, Install Shortcut | android.accessibilityservice.AccessibilityService, android.hardware.camera, android.hardware.camera.autofocus, android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_LOCATION_EXTRA_COMMANDS, android.permission.ACCESS_MOCK_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.BATTERY_STATS, android.permission.BIND_DEVICE_ADMIN, android.permission.BLUETOOTH, android.permission.BLUETOOTH_ADMIN, android.permission.BROADCAST_SMS, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.CAPTURE_AUDIO_OUTPUT, android.permission.CHANGE_WIFI_STATE, android.permission.DELETE_PACKAGES, android.permission.FLASHLIGHT, android.permission.FOREGROUND_SERVICE, android.permission.INTERNET, android.permission.MODIFY_AUDIO_SETTINGS, android.permission.PROCESS_OUTGOING_CALLS, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.REQUEST_DELETE_PACKAGES, android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, android.permission.SEND_SMS, android.permission.SET_WALLPAPER, android.permission.SYSTEM_ALERT_WINDOW, android.permission.VIBRATE, android.permission.WAKE_LOCK, android.permission.WRITE_CALL_LOG, android.permission.WRITE_CONTACTS, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SECURE_SETTINGS, android.permission.WRITE_SETTINGS, android.permission.WRITE_SMS, android.provider.Telephony.READ_SMS, com.android.launcher.permission.INSTALL_SHORTCUT | com.kurtlar.vadisi | 41ead5b14170415af357df08550857e828cbd36d8c0f52ce702033b834aed444 | 2 | 62 | 3.226 | 150 | 96 | 661 | 6.89 | 6,346 | 6,124 | 5.348 | 114,505 | 348.32 | 23.11 | 15.07 | 3.97 | ? | ? | https://github.com/qH0sT/AndroSpy |
38 | RAT:AndroidOS/Arbitrium | Arbitrium | Cordova developed app that turns a phone into a proxy, runs received commands in the background and sends their output to the server. It also allows downloading scripts for their execution. | Java | 20 | 2021 | ? | RAT | Spyware, Proxy, Backdoor, Downloader, Botnet, RAT, Wiper | ? | Remote Data Exfiltration, Bot, Remote Shell, HTTP forwarding, Reverse Connection, Unlock Device, Wake Up Device, Read Files, Upload Files, Create Files, List Files, Copy Files, Modify Files, Delete Files, Download Files, Recent Task List Hiding, Persistance, Run at Startup, Run in Background, Device Information, Foreground Service, Internet, Receive Boot Completed, Request Ignore Battery Optimizations, Wake Lock, Write External Storage | android.permission.FOREGROUND_SERVICE, android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE | net.orange.bolt | 578e0d47cf533b4f5f35d8b9f8c5cec48bce17cbc086759b6211449b93d4e5f3 | 0 | 54 | 0.000 | 2,467 | 90 | 875 | 9.72 | 23,713 | 43,778 | 35.697 | 122,639 | 374.34 | 23.76 | 15.76 | 2.65 | 76.925 | 44.985 | https://github.com/amonsat/Arbitrium-Android |
39 | RAT:AndroidOS/BetterAndroRAT | BetterAndroRAT, AdobeFlash13 | App that decodes a URL to connect to the server and sends information. The service starts when the screen is off. It can take pictures, get location, device information, browser history and bookmarks, installed apps, call history, SMS, contacts, accounts, record audio and video. It can also download files, update itself, uninstall itself, delete files, call a phone number, delete a specific call logs, perform HTTP Flood, transfer the bot, open apps, intercept, delete and block SMS, etc. | Java | 12 | 2016 | ? | RAT | Spyware, C2, Botnet, RAT, DoS, Downloader, Mailfinder, Billing-Fraud, Backdoor | Dendroid | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Bot Transfer, Periodical Connection With Server, Stealth, HTTP Flood, Check Screen Locked, Turn Screen On, Obfuscation, Modify Volume, Data Decoding, Device Information, List Installed Apps, Alert, Open URL, Open Apps, Dialogs, Connectivity Check, Create Files, Delete Files, Download Files, Upload Files, Update App, Install Apps, Uninstall Itself, Camera, Microphone, Access Fine Location, Access Network State, Call Phone, Get Accounts, Get Tasks, Internet, Process Outgoing Calls, Quickboot Poweron, Read Contacts, Read Phone State, Read SMS, Receive SMS, Send SMS, Write SMS, Receive Boot Completed, Record Audio, Wake Lock, Write External Storage, Write Settings, Read History Bookmarks | android.hardware.camera, android.hardware.camera.autofocus, android.hardware.camera.front, android.hardware.microphone, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.GET_ACCOUNTS, android.permission.GET_TASKS, android.permission.INTERNET, android.permission.PROCESS_OUTGOING_CALLS, android.permission.QUICKBOOT_POWERON, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SETTINGS, android.permission.WRITE_SMS, com.android.browser.permission.READ_HISTORY_BOOKMARKS | com.adobe.flash13 | da4e5ce66722f755ee8305fa3832b99e6efac1151b950ff3a8e7ae26f4896997 | 0 | 59 | 0.000 | 86 | 10 | 262 | 26.20 | 2,056 | 1,290 | 7.666 | 16,827 | 46.51 | 10.75 | 4.32 | 2.50 | 54.306 | 31.758 | https://github.com/mwsrc/BetterAndroRAT |
40 | RAT:AndroidOS/ChatApp | Advanced-Android-Rat-Client, chatapp | An Android app which runs in background and sends data (Device Info, SMS, Accounts, Contacts, Call logs, audio) to a RAT server and allows listing and uploading files through commands. | Java | 8 | 2020 | ? | RAT | RAT, Backdoor, Trojan, Spyware, Botnet, C2, Mailfinder | ? | Remote Data Exfiltration, Persistance, Bot, Icon Hiding, Stealth, Run at Startup, Run in Background, List Files, Upload Files, Device Information, Bind Job Service, Foreground Service, Get Accounts, Internet, Read Call Log, Read Contacts, Read External Storage, Read Profile, Read SMS, Receive Boot Completed, Receive Launch Broadcast, Record Audio, Wake Lock | android.permission.BIND_JOB_SERVICE, android.permission.FOREGROUND_SERVICE, android.permission.GET_ACCOUNTS, android.permission.INTERNET, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PROFILE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_LAUNCH_BROADCASTS, android.permission.RECORD_AUDIO, android.permission.Tele, android.permission.WAKE_LOCK | com.example.chatapp | b48780baca111e5d0148095decb80675004ecf545578fdf2f57fd14e039c7a82 | 0 | 60 | 0.000 | 73 | 32 | 164 | 5.13 | 539 | 233 | 7.835 | 2,974 | 7.54 | 5.39 | 1.40 | 1.64 | 88.016 | 51.471 | https://github.com/diptomondal007/Advanced-Android-Rat-Client |
41 | RAT:AndroidOS/Dendroid | Dendroid, Dendriod, Droidian | App that decodes a URL and password used to connect to the server and sends information: device information, installed apps, browser history and bookmarks, recorded calls, contacts, pictures, call history, SMS, accounts, GPS coordinates, and recorded audio and video. It also can download files and update itself by downloading and installing an updated APK, uninstall apps, modify volume, call, modify call log, turn screen on, open url, upload and delete files, delete SMS, change directory, http flood, open apps, transfer bot, and block or intercept SMS. | Java | 11 | 2014 | Yes | RAT | Spyware, C2, Botnet, RAT, Backdoor, Downloader, DoS, Mailfinder, Billing-Fraud | Dendroid | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Bot Transfer, Turn Screen On, Volume, Periodical Connection With Server, Create Files, Delete Files, Download Files, Upload Files, List Installed Apps, Open Apps, Dialogs, Change Directory, Update App, Uninstall Apps, Open URL, Alert, Persistance, Check Screen Locked, HTTP Flood, Install Apps, Icon Hiding, Stealth, Data Encoding, Data Decoding, Connectivity Check, Device Information, Camera, Microphone, Access Fine Location, Access Network State, Call Phone, Get Accounts, Get Tasks, Internet, Process Outgoing Calls, Quickboot Poweron, Read Contacts, Read Phone State, Read SMS, Receive SMS, Send SMS, Write SMS, Receive Boot Completed, Record Audio, Wake Lock, Write External Storage, Write Settings, Read History Bookmarks | android.hardware.camera, android.hardware.camera.autofocus, android.hardware.camera.front, android.hardware.microphone, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.GET_ACCOUNTS, android.permission.GET_TASKS, android.permission.INTERNET, android.permission.PROCESS_OUTGOING_CALLS, android.permission.QUICKBOOT_POWERON, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SETTINGS, android.permission.WRITE_SMS, com.android.browser.permission.READ_HISTORY_BOOKMARKS | com.hidden.droidian | c82326cd20dd0ca40dbc0168f4bf3667b53d2cb68d5e394ef10ec2a787c9e384 | 1 | 61 | 1.639 | 63 | 11 | 265 | 24.09 | 1,825 | 1,287 | 8.673 | 14,840 | 40.76 | 10.23 | 3.98 | 2.49 | 53.906 | 31.524 | https://github.com/vxunderground/MalwareSourceCode/blob/main/Android/Android.Dendriod.7z |
42 | RAT:AndroidOS/DroidRAT_JE | DroidRat_JE | App that connects to a server and receives commands for performing several actions, mainly gathering camera footage, device information, GPS, sensor data, call logs, performing phone calls, sending mails, launch specific apps, get and receive SMS, make toasts, vibrate, perform web searches, etc. | Java | 14 | 2021 | ? | RAT | Spyware, RAT, Backdoor, C2, Botnet, Downloader, Billing-Fraud | ? | Remote Data Exfiltration, Bot, Media Player, List Installed Apps, Open Apps, Open URLs, Make Toasts, Compress Files, Decompress Files, Create Files, Modify Files, Read Files, List Files, Search Files, Download Files, Upload Files, Run in Background, Device Information, Send Emails, Access Background Location, Access Coarse Location, Access Fine Location, Call Phone, Camera, Foreground Service, Internet, Read Call Log, Write Call Log, Read External Storage, Write External Storage, Read SMS, Receive SMS, Send SMS, Vibrate | android.permission.ACCESS_BACKGROUND_LOCATION, android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.FOREGROUND_SERVICE, android.permission.INTERNET, android.permission.READ_CALL_LOG, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_SMS, android.permission.RECEIVE_SMS, android.permission.SEND_SMS, android.permission.VIBRATE, android.permission.WRITE_CALL_LOG, android.permission.WRITE_EXTERNAL_STORAGE | com.je_chen.droidrat_je | 869925e7f93d002259b800cb18bef3200cca4bd9354c412f5e21bb619780ccf6 | 1 | 61 | 1.639 | 308 | 186 | 678 | 3.65 | 1,838 | 521 | 3.027 | 17,212 | 47.62 | 10.85 | 4.39 | 1.59 | 96.506 | 56.436 | https://github.com/JE-Chen/DroidRat_JE |
43 | RAT:AndroidOS/Elite | Elite | App that can activate and deactivate admin, lock the device, wipe data, get all SMS and send SMS to all phone contacts, and uninstall apps. | Java | 3 | 2021 | ? | RAT | Spyware, Locker, Wiper, Spam, Elevated-Privilege-Abuse, RAT, Backdoor | ? | Run at Startup, Run in Background, Activate Admin, Deactivate Admin, Check Admin, Persistance, Privilege Escalation, Icon Hiding, Stealth, Lock Device, Top App, Hardcoded List of Targeted Apps, Schedule Tasks, Uninstall Apps, Wipe Data, Delete Files, Periodical, Alarm, Bind Device Admin, Get Tasks, Read Contacts, Read External Storage, Write External Storage, Read Phone State, Read SMS, Receive SMS, Send SMS, Write SMS, Receive Boot Completed, Wake Lock, Write Settings | android.permission.BIND_DEVICE_ADMIN, android.permission.GET_TASKS, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.SEND_SMS, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SETTINGS, android.permission.WRITE_SMS | com.elite | 7cd7a7e8aac08798d566906bc1aaeab610333157702e2f84a7ea47b8c9d7b410 | 0 | 60 | 0.000 | 21 | 11 | 49 | 4.45 | 76 | 7 | 1.057 | 662 | 1.56 | 2.96 | 0.53 | 1.86 | 103.643 | 60.610 | https://github.com/Black-Hell-Team/sppen/tree/main/Mobile/elite |
44 | RAT:AndroidOS/GhostFramework | GhostFramework, Ghost | Ghost Framework is an Android post-exploitation framework that exploits the Android Debug Bridge to remotely access an Android device through an encrypted connection using RSA keys. It maintains a list of connected devices and can interact with each of them. It allows to execute arbitrary commands, download, upload and list files, list running activities, inject keystrokes and button presses, disable and enable wifi, etc. | Python | 3 | 2022 | ? | RAT | Backdoor, Spyware, RAT, C2, Botnet, Downloader, Elevated-Privilege-Abuse | ? | Remote Data Exfiltration, Bot, List Files, Upload Files, Download Files, Root Check, Remote Shell, Root Shell, Open URL, Encrypted Traffic, Running Activities, Screenshot, Battery, Inject Keystrokes, Press Button, Sleep, Enable Wifi, Disable Wifi | - | - | cf71dd009d487a72234c4c91769723de2d834069b3494122a7b57021decb1e2f | 0 | 61 | 0.000 | 28 | 24 | 39 | 1.63 | 208 | 332 | 42.728 | 777 | 1.84 | 3.15 | 0.58 | 2.77 | ? | ? | https://github.com/EntySec/Ghost |
45 | RAT:AndroidOS/Gypte | System-Android-RAT-Trojan, Gypte, Multiverze | Android app which periodically connects to the server to retrieve and send device information. It has several capabilities: hide app icon, get device admin, execute commands with a remote shell (as root if possible), audio recording, screen recording, online audio streaming, get and modify contacts, get clipboard, get and modify call logs, get and send sms, get and modify blocklist, location, upload files encrypted with a password, download and delete files, wifi scan, factory format, etc. | Java | 15 | 2022 | Yes | RAT | Spyware, Backdoor, Botnet, C2, RAT, Downloader, Elevated-Privilege-Abuse, Billing-Fraud | AndroidTrojan | Remote Data Exfiltration, Run in Background, Activate Admin, Privilege Escalation, Factory Format, Check Screen Locked, Connectivity Check, Remote Shell, Periodical Connection With Server, Wifi Scan, Bot, Events, Volume, Brightness, Alert, Icon Hiding, Stealth, List Applications, Device Information, Run at Startup, Logging, Notifications, Lock Device, Clipboard, Screenshot, Data Encoding, List Files, Create Files, Write Files, Delete Files, Download Files, Upload Files, File Encryption, Camera, Access Coarse Location, Access Fine Location, Access Network State, Access Wifi State, Battery State, Bind Accessibility Service, Bind Device Admin, Bind Notification Listener Service, Call Phone, Capture Audio Output, Device Power, Flashlight, Foreground Service, Internet, Modify Audio Settings, Read Call Log, Write Call Log, Read Contacts, Write Contacts, Read External Storage, Write External Storage, Read Phone State, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Record Audio, Request Ignore Battery Optimization, Set Time, Set Time Zone, Set Wallpaper, System Alert Window, Vibrate, Wake Lock, Write Calendar, Write Secure Settings, Write Settings, Read History Bookmarks | android.hardware.camera, android.hardware.camera.autofocus, android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.BATTERY_STATS, android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.BIND_DEVICE_ADMIN, android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.CAPTURE_AUDIO_OUTPUT, android.permission.DEVICE_POWER, android.permission.FLASHLIGHT, android.permission.FOREGROUND_SERVICE, android.permission.INTERNET, android.permission.MODIFY_AUDIO_SETTINGS, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, android.permission.SEND_SMS, android.permission.SET_TIME, android.permission.SET_TIME_ZONE, android.permission.SET_WALLPAPER, android.permission.SYSTEM_ALERT_WINDOW, android.permission.VIBRATE, android.permission.WAKE_LOCK, android.permission.WRITE_CALENDAR, android.permission.WRITE_CALL_LOG, android.permission.WRITE_CONTACTS, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SECURE_SETTINGS, android.permission.WRITE_SETTINGS, com.android.browser.permission.READ_HISTORY_BOOKMARKS | oom.android.system | 1d9996b522b004a2fc9ed2b4a5e7554732fc69748b375378ff363c9fd412ca1e | 13 | 62 | 20.968 | 144 | 38 | 186 | 4.89 | 2,938 | 9,921 | 65.265 | 15,201 | 41.80 | 10.33 | 4.05 | 2.83 | 78.665 | 46.003 | https://github.com/ldzombie/-System-Android-RAT-Trojan |
46 | RAT:AndroidOS/Hawkshaw | Hawkshaw | Malicious app that opens a socket to the server and receives commands to dump logs, take screenshots, screen stream, device information, camera access, notifications, get, forward and send SMS, call logs, get and modify contacts, location, get images, upload files, open url in browser, open apps and make calls. | Kotlin, Java | 9 | 2021 | ? | RAT | Spyware, Botnet, C2, RAT, Billing-Fraud, Backdoor | Hawkshaw | Remote Data Exfiltration, Run at Startup, Run in Background, Periodical Connection With Server, Dump Logs, Bot, Draw Over Other Apps, Make Toasts, Screenshot, Screen Stream, Get Images, Create Files, Upload Files, Notifications, Open URL, Open Apps, Data Encoding, Device Information, Camera, Access Coarse Location, Access Fine Location, Access Network State, Bind Notification Listener Service, Call Phone, Flashlight, Internet, Read Call Log, Write Call Log, Read Contacts, Write Contacts, Read External Storage, Write External Storage, Read Phone State, Read SMS, Send SMS, Receive Boot Completed, Record Audio, System Alert Window, Wake Lock, | android.hardware.camera2.full, android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.FLASHLIGHT, android.permission.INTERNET, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.SYSTEM_ALERT_WINDOW, android.permission.WAKE_LOCK, android.permission.WRITE_CALL_LOG, android.permission.WRITE_CONTACTS, android.permission.WRITE_EXTERNAL_STORAGE | me.hawkshaw | 6b2463b819f638bc4ccfc55a20d7c99b694c111e17f886cd19d8b4591a5213f7 | 0 | 60 | 0.000 | 54 | ? | ? | ? | 708 | 313 | 11.087 | 2,823 | 7.14 | 5.28 | 1.35 | ? | ? | ? | https://github.com/saksham2410/Android-RAT---Hawkshaw |
47 | RAT:AndroidOS/L3MONBot | L3MONBot, L3MON, AhMyth | Cloud based remote android management suite, used for gps logging, audio recording, camera access, view contacts, get and send SMS, view call logs, installed apps, clipboard, notifications, wifi scan, file explorer and uploader, and download and install apps. | Java | 15 | 2020 | Yes | RAT | Spyware, C2, Botnet, RAT, Downloader, Billing-Fraud, Backdoor | L3MON, AhMyth | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Icon Hiding, Stealth, List Granted Permissions, Wifi Scan, Clipboard, List Installed Apps, Install Apps, Make Toasts, Download Files, Upload Files, List Files, Notifications, Access Coarse Location, Access Fine Location, Access Network State, Access Wifi State, Bind Notification Listener Service, Camera, Internet, Modify Audio Settings, Read Call Log, Read Contacts, Read External Storage, Write External Storage, Read Phone State, Read SMS, Send SMS, Receive Boot Completed, Record Audio, Wake Lock | android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, android.permission.CAMERA, android.permission.INTERNET, android.permission.MODIFY_AUDIO_SETTINGS, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE | com.etechd.l3mon | c69e3559a3152eab5062926eff5aa6ff1d6ed8cfd66f10ff0d80bad9bd994160 | 25 | 60 | 41.667 | 128 | 19 | 73 | 3.84 | 655 | 647 | 7.319 | 8,840 | 23.66 | 8.32 | 2.84 | 2.48 | 96.100 | 56.199 | https://github.com/vxunderground/MalwareSourceCode/blob/main/Android/L3MONBot.zip |
48 | RAT:AndroidOS/LaRAT | LaRAT | App that disguises as an app to interact with geometric figures and show downloaded images, while it takes pictures and uploads them to the server, along with SMS with contact information, device information, and location. It also allows to turn the screen on. If an error occurs, the exception is reported to the server. | Java | 15 | 2015 | ? | RAT | Spyware, Trojan, C2, Botnet, Mailfinder, Billing-Fraud | ? | Remote Data Exfiltration, Run at Startup, Run in Background, Exception Reporting, Periodical Connection With Server, Check Screen Locked, Turn Screen On, Bot, Upload Files, Download Image, Make Toasts, Device Information, Camera, Microphone, Access Fine Location, Access Network State, Get Accounts, Get Tasks, Internet, Quickboot Poweron, Read Contacts, Read Phone State, Read SMS, Receive SMS, Send SMS, Write SMS, Receive Boot Completed, Record Audio, System Alert Window, Vibrate, Wake Lock, Write External Storage, Write Settings, Read History Bookmarks, C2DM Receive, C2DM Send, C2D_MESSAGE | android.hardware.camera, android.hardware.camera.autofocus, android.hardware.camera.front, android.hardware.microphone, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.CAMERA, android.permission.GET_ACCOUNTS, android.permission.GET_TASKS, android.permission.INTERNET, android.permission.QUICKBOOT_POWERON, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.SYSTEM_ALERT_WINDOW, android.permission.VIBRATE, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SETTINGS, android.permission.WRITE_SMS, com.android.browser.permission.READ_HISTORY_BOOKMARKS, com.c4wd.larat.permission.C2D_MESSAGE, com.google.android.c2dm.permission.RECEIVE, com.google.android.c2dm.permission.SEND | com.c4wd.larat | fb5ed48cf82beb664fb1dcd2bb2e14ac86e202344e08a9ee29bc9137ca927c72 | 0 | 60 | 0.000 | 64 | 25 | 125 | 5.00 | 535 | 171 | 5.520 | 3,098 | 7.87 | 5.47 | 1.44 | 1.70 | 89.310 | 52.228 | https://github.com/c4wrd/LaRat |
49 | RAT:AndroidOS/MassRAT | Mass RAT | App that connects to the server to download files received from it and sends a list of files and folders found in the device. | C# | 7 | 2020 | ? | RAT | Spyware, Botnet, Downloader, RAT, C2, Backdoor | ? | Remote Data Exfiltration, Bot, List Files, Download Files, Run at Startup, Access Network State, Internet, Read External Storage, Write External Storage, Receive Boot Completed | android.permission.ACCESS_NETWORK_STATE, android.permission.INTERNET, android.permission.READ_EXTERNAL_STORAGE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.WRITE_EXTERNAL_STORAGE | com.nayncat | 7f4c23fcf81741a7511f87634f7fcf0401c719a48ddd818981caf276b5913d2d | 0 | 58 | 0.000 | 66 | 26 | 145 | 5.58 | 2,959 | 3,254 | 48.764 | 6,673 | 17.61 | 7.44 | 2.37 | 2.36 | ? | ? | https://github.com/NYAN-x-CAT/Mass-RAT |
50 | RAT:AndroidOS/PhoneMonitor | PhoneMonitor | An app that periodically connects to a server. It records calls and takes pictures and uploads them to the server. The server can specify settings for a unique infected device. It can receive commands via SMS to make the phone vibrate, make calls and SMS, enable Wifi, retrieve GPS location data, call records, SMS messages, contacts and photos. | Java | 11 | 2021 | ? | RAT | Spyware, RAT, Backdoor, C2, Botnet, Billing-Fraud | ? | Remote Data Exfiltration, Run at Startup, Run in Background, Persistance, Stealth, Periodical Connection With Server, Bot, Upload Files, Create Files, Read Files, Delete Files, Rename Files, Record Calls, Enable Wifi, Device Information, Device Status, Access Fine Location, Access Network State, Access Wifi State, Change Wifi State, Call Phone, Camera, Internet, Read Call Log, Read Contacts, Read Phone State, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Record Audio, System Alert Window, Vibrate | android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.CHANGE_WIFI_STATE, android.permission.INTERNET, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.SYSTEM_ALERT_WINDOW, android.permission.VIBRATE | com.monitor.phone.s0ft.phonemonitor | 784ddfd92cb8f5c7ee57b1895ba23beafdee6d2dce2925b682314e5c5d34a92e | 0 | 50 | 0.000 | 57 | 19 | 130 | 6.84 | 513 | 278 | 7.449 | 3,732 | 9.57 | 5.90 | 1.62 | 2.48 | 75.425 | 44.108 | https://github.com/globalpolicy/phonemonitor |
51 | RAT:AndroidOS/RafelRAT | Rafel RAT, Raptor, BlackMart | Ransomware app capable of checking commands from a server using the device ID, binding as admin, locking the device, encrypting files, wiping SD card data, resetting the user password, sending SMS, changing the wallpaper, leaking notifications through discord, exfiltrating contacts, SMS, location, browser history, screenshots and call log to the server, modify call logs, list and upload files, list installed apps, etc. | Java | 12 | 2022 | ? | RAT | Spyware, Screen-Locking-Ransomware, Encryption-Ransomware, RAT, Locker, C2, Botnet, Wiper, Downloader, Elevated-Privilege-Abuse, Billing-Fraud, Backdoor | ? | Remote Data Exfiltration, Run at Startup, Run in Background, Activate Admin, Privilege Escalation, Bot, File Encryption, File Decryption, Wipe Data, Root Check, Voice Message, Data Encoding, Screenshot, List Installed Apps, Reset User Password, Lock Device, Notifications, Alert, Discord based Communication, Make Toasts, Read Files, Create Files, List Files, Delete Files, Upload Files, Download Files, Device Information, Access Coarse Location, Access Fine Location, Access Network State, Bind Device Admin, Bind Job Service, Bind Notification Listener Service, Foreground Service, Internet, Manage External Storage, Read Call Log, Write Call Log, Read Contacts, Write Contacts, Read External Storage, Write External Storage, Read Phone Numbers, Read Phone State, Read SMS, Send SMS, Write SMS, Receive Boot Completed, Record Audio, Request Ignore Battery Optimizations, Set Wallpaper, Vibrate, Wake Lock, Read History Bookmarks | android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_DEVICE_ADMIN, android.permission.BIND_JOB_SERVICE, android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, android.permission.FOREGROUND_SERVICE, android.permission.INTERNET, android.permission.MANAGE_EXTERNAL_STORAGE, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_NUMBERS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECORD_AUDIO, android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, android.permission.SEND_SMS, android.permission.SET_WALLPAPER, android.permission.VIBRATE, android.permission.WAKE_LOCK, android.permission.WRITE_CALL_LOG, android.permission.WRITE_CONTACTS, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SMS, com.android.browser.permission.READ_HISTORY_BOOKMARKS | com.velociraptor.raptor | fddfd4d294e075e992acc94d8a9e823b36af8041fe39e611628be6aa94ea8324 | 0 | 59 | 0.000 | 69 | 16 | 166 | 10.38 | 1,163 | 264 | 4.199 | 6,287 | 16.54 | 7.26 | 2.28 | 1.89 | 71.669 | 41.912 | https://github.com/swagkarna/Rafel-Rat |
52 | RAT:AndroidOS/rdroid | rdroid | This app allows to record audio, get and modify contacts, get device information, get and set volume, check connectivity, terminate calls, set wallpaper, get and set clipboard, open URL, shell commands execution, list installled apps, get call logs, vibrate, mute, uninstall or open apps, get, remove and forge SMS, turn on airplane mode, manage, download and upload files, etc. | Java | 7 | 2018 | ? | RAT | Spyware, C2, Botnet, RAT, Downloader, Backdoor, Mailfinder, Elevated-Privilege-Abuse, Billing-Fraud | ? | Remote Data Exfiltration, Run at Startup, Run in Background, Activate Admin, Privilege Escalation, Bot, Variable Names Obfuscation, Function Names Obfuscation, List Installed Apps, Open Apps, Uninstall Apps, Volume, Mute, Brightness, Connectivity Check, Remote Shell, Clipboard, Open URL, Airplane Mode, Terminate Calls, Create Files, Delete Files, Copy Files, Move Files, Rename Files, Upload Files, Download Files, Media Player, Make Toasts, Device Information, Access Network State, Access Wifi State, Battery Stats, Bluetooth, Bluetooth Admin, Call Phone, Change Wifi State, DUMP, Get Accounts, Get Tasks, Internet, Kill Background Processes, Modify Audio Settings, Modify Phone State, Network, Read Contacts, Write Contacts, Read Phone State, Read SMS, Receive SMS, Send SMS, Write SMS, Reboot, Receive Boot Completed, Record Audio, Set Wallpaper, Update Device Stats, Vibrate, Write External Storage, Write Secure Settings, Write Settings, C2DM Receive, C2DM Send, C2D_MESSAGE | android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.BATTERY_STATS, android.permission.BLUETOOTH, android.permission.BLUETOOTH_ADMIN, android.permission.CALL_PHONE, android.permission.CHANGE_WIFI_STATE, android.permission.DUMP, android.permission.GET_ACCOUNTS, android.permission.GET_TASKS, android.permission.INTERNET, android.permission.KILL_BACKGROUND_PROCESSES, android.permission.MODIFY_AUDIO_SETTINGS, android.permission.MODIFY_PHONE_STATE, android.permission.NETWORK, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.REBOOT, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.SET_WALLPAPER, android.permission.UPDATE_DEVICE_STATS, android.permission.VIBRATE, android.permission.WRITE_CONTACTS, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SECURE_SETTINGS, android.permission.WRITE_SETTINGS, android.permission.WRITE_SMS, com.google.android.c2dm.permission.RECEIVE, com.google.android.c2dm.permission.SEND, madsacsoft.maddev.rdroid.permission.C2D_MESSAGE | madsacsoft.maddev.rdroid | a6223ceeafbbc595ef308841ffbf55ca51fdc0e29fe1dbe71cede51b63423529 | 2 | 60 | 3.333 | 81 | 7 | 162 | 23.14 | 1,078 | 2,202 | 20.635 | 10,671 | 28.83 | 8.97 | 3.21 | 3.04 | 40.376 | 23.612 | https://github.com/m301/rdroid |
53 | RAT:AndroidOS/ReverseShell2 | AndroRat, ReverseShell2 | Tool to generate a malicious app that connects to a server and allows to exfiltrate images and files, execute shell commands, download files sent from the attacker, vibrate, read SMS, get location, clipboard data, device info, audio, video and call logs. It also has the capability of uninstalling itself and restarting the service. | Java, Python | 12 | 2022 | Yes | RAT | Spyware, C2, Botnet, RAT, Backdoor, Downloader | ? | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Persistance, Uninstall Itself, Restart, Icon Hiding, Stealth, Remote Shell, Data Encoding, Upload Files, Download Files, Device Information, Clipboard, Camera, Access Coarse Location, Access Fine Location, Access Network State, Access Wifi State, Bind Job Service, Internet, Read Call Log, Read External Storage, Write External Storage, Read Phone State, Read SMS, Receive Boot Completed, Record Audio, System Alert Window, Vibrate, Wake Lock | android.hardware.camera, android.hardware.camera.autofocus, android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.BIND_JOB_SERVICE, android.permission.CAMERA, android.permission.INTERNET, android.permission.READ_CALL_LOG, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECORD_AUDIO, android.permission.SYSTEM_ALERT_WINDOW, android.permission.VIBRATE, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE | com.example.reverseshell2 | 638adcd0a9351133c704117cd38a92fd67584e013dfc301bd0220cbbc63227f9 | 20 | 52 | 38.462 | 52 | 24 | 169 | 7.04 | 404 | 127 | 4.305 | 2,950 | 7.47 | 5.37 | 1.39 | 2.30 | 83.122 | 48.609 | https://github.com/karma9874/AndroRAT |
54 | RAT:AndroidOS/Sketchyappv2 | Sketchyappv2 | Simple android malware/botnet designed to work in the background on an android device connecting to a server and sending files, pictures, audio, etc. and receiving shell commands. | Java | 9 | 2017 | ? | RAT | Botnet, C2, Backdoor, RAT, Spyware, Wiper, Trojan, Downloader, Billing-Fraud, Elevated-Privilege-Abuse | ? | Remote Data Exfiltration, File Integrity Check, Force Reboot, Remote Shell, Root Shell, Periodical Connection With Server, Upload Files, Download Files, Delete Files, Bot, Icon Hiding, Stealth, Screenshot, Persistance, Install as Root, Root Check, Run at Startup, Run in Background, Device Information, Access Fine Location, Access Coarse Location, Access Network State, Call Phone, Camera, Internet, Process Outgoing calls, Read Call Log, Read Contacts, Read External Storage, Write External Storage, Read Phone State, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Record Audio, Wake Lock, Write Secure Settings, Write Settings, Read History Bookmarks | android.hardware.camera, android.permission.CAMERA, android.permission.INTERNET, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_LOGS, android.permission.READ_PHONE_STATE, android.permission.RECORD_AUDIO, android.permission.WRITE_EXTERNAL_STORAGE | com.twygonik.sketchyappv2 | ccaadb7230edac9acbed0ab4a2e8035f1198b9129098890ed7633f7a75aa6302 | 0 | 56 | 0.000 | 31 | 8 | 67 | 8.38 | 172 | 241 | 15.311 | 1,574 | 3.86 | 4.18 | 0.92 | 2.79 | 65.655 | 38.395 | https://github.com/twaluigi/Sketchyappv2 |
55 | RAT:AndroidOS/TalentRAT | TalentRAT, TalRAT, Assassin | It sends the following information to a server via a socket: device information, SMS, contacts, gps coordinates, calling history, pictures, videos and audio. It also allows to send specific SMS, perform fake screen presses, turn screen on, and play media. | Kotlin, Java | 13 | 2019 | Yes | RAT | Spyware, RAT, C2, Botnet, Clicker, Billing-Fraud, Backdoor | ? | Remote Data Exfiltration, Bot, Check Screen Locked, Click Spoofing, Input Injection, Periodical Connection With Server, Turn Screen On, Device Information, Set Alarm, Media Player, Create Files, Upload Files, Camera, Access Coarse Location, Access Fine Location, Access Network State, Access Wifi State, Bind Accessibility Service, Call Phone, Foreground Service, Internet, Read Call Log, Read Contacts, Read External Storage, Write External Storage, Read Phone Numbers, Read Phone State, Read SMS, Receive SMS, Send SMS, Write SMS, Record Audio, Wake Lock, Write Contacts | android.hardware.camera, android.hardware.camera2.autofocus, android.hardware.camera2.full, android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.FOREGROUND_SERVICE, android.permission.INTERNET, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_NUMBERS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.WAKE_LOCK, android.permission.WRITE_CONTACTS, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SMS | com.hc.calling.callingtransaction | aaf67e8f2da0e41774596eb019bee9427e387fa07111c90ba0af1c0ecca033db | 19 | 62 | 30.645 | 94 | ? | ? | ? | 651 | 443 | 7.593 | 5,834 | 15.29 | 7.05 | 2.17 | ? | ? | ? | https://github.com/honglvt/TalentRAT |
56 | RAT:AndroidOS/TearDroid | TearDroid PHP | Application that runs as admin and gets gps coordinates, notifications, contacts, installed apps, SMS, call logs, running services, lists and uploads files, executes commands in a shell, uninstall apps, change wallpaper, sends SMS and makes calls. | Kotlin | 13 | 2022 | Yes | RAT | Spyware, C2, Botnet, RAT, Backdoor, Elevated-Privilege-Abuse, Billing-Fraud | ? | Run at Startup, Run in Background, Activate Admin, Privilege Escalation, Bot, Periodical Connection With Server, List Installed Apps, Set Alarm, Logging, List Files, Upload Files, Notifications, Running Services, Remote Shell, Make Notifications, Uninstall Apps, Device Information, Access Coarse Location, Access Fine Location, Bind Device Admin, Bind Job Service, Bind Notification Listener Service, Call Phone, Foreground Service, Internet, Query All Packages, Read Call Log, Read Contacts, Read External Storage, Read Phone Numbers, Read Phone State, Read Privileged Phone State, Read SMS, Receive Boot Completed, Send SMS, Set Wallpaper | android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.BIND_DEVICE_ADMIN, android.permission.BIND_JOB_SERVICE, android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, android.permission.CALL_PHONE, android.permission.FOREGROUND_SERVICE, android.permission.INTERNET, android.permission.QUERY_ALL_PACKAGES, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_NUMBERS, android.permission.READ_PHONE_STATE, android.permission.READ_PRIVILEGED_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.SEND_SMS, android.permission.SET_WALLPAPER | com.example.teardroidv2 | bfa61386f3e89e220cdf5b8bc7e458cc37db70de946aa3f17b8806c1c5e5a3a0 | 7 | 49 | 14.286 | 654 | ? | ? | ? | 338 | 195 | 0.871 | 22,398 | 62.80 | 12.05 | 5.21 | ? | ? | ? | https://github.com/ScRiPt1337/Teardroid-phprat |
57 | Rootkit:AndroidOS/Adore | Adore, AdoreForAndroid | After installing this app on a phone, Adore will be installed into the system as a kernel module, and hook system calls. By using Adore, this app can open ports on the device as backdoor, and also hide any files and ports from users. | Java | 7 | 2014 | Yes | Rootkit | Rootkit, Backdoor | Adore | Hook System Calls, Hide Files, Hide Processes, Hide Ports, Persistance, Open Ports, Privilege Escalation, Mount Filesystems, Unmount Filesystems, Set Debug App, Write Internal Storage, Write External Storage | android.permission.MOUNT_UNMOUNT_FILESYSTEMS, android.permission.SET_DEBUG_APP, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_INTERNAL_STORAGE | com.example.adore | fb7e30bca3004bf87a3490eff7385f19a9459a818bb4b30c23de90bd0f47f391 | 27 | 61 | 44.262 | 18 | 1 | 5 | 5.00 | 81 | 94 | 22.066 | 426 | 0.98 | 2.48 | 0.39 | 8.00 | 120.656 | 70.559 | https://github.com/vxunderground/MalwareSourceCode/blob/main/Android/Android.Rootkit.Adore.7z |
58 | Rootkit:AndroidOS/Android-Rootkit | Android-Rootkit | Android rootkit to intercept system calls to hide and modify files and processes and deploy a reverse shell. | C | 3 | 2015 | ? | Rootkit | Rootkit, Backdoor, Wiper | Phrack Issues 68-6? | Hook System Calls, Reverse Shell, Hide Files, Hide Processes, Write Files, Persistance, Modify Files, Read Files, Create Files, Create Directories, Delete Directories, Open Files, Close Files, Get Directory Entries, Delete Files, Communicate With Processes, Get Real User ID, Load Module, Unload Module | - | - | 52a9a5d332d3508f0f5867b3e3d334160e361049375d949539aac26a1cc65c1f | 0 | 62 | 0.000 | 3 | 1 | 19 | 19.00 | 69 | 13 | 4.483 | 290 | 0.65 | 2.13 | 0.31 | 1.37 | ? | ? | https://github.com/vxunderground/MalwareSourceCode/blob/main/Android/Android.Rootkit.Self%20Titled%20Project%201.7z |
59 | Rootkit:AndroidOS/Mindtrick | Mindtrick | Android rootkit to intercept system calls to hide modules and deploy a reverse shell when a call from a specific number is received. | C | 1 | 2015 | ? | Rootkit | Rootkit, Backdoor | Mindtrick | Hook System Calls, Reverse Shell, Hide Modules, Persistance, Read Files | - | - | ba1441428622928cd1de637911489e079a3292036ce486a19527f1aeea378543 | 0 | 51 | 0.000 | 1 | 1 | 5 | 5.00 | 16 | 6 | 8.824 | 68 | 0.14 | 1.19 | 0.12 | 1.40 | ? | ? | https://github.com/vxunderground/MalwareSourceCode/blob/main/Android/Android.Rootkit.Mindtrick.7z |
60 | Rootkit:AndroidOS/Rootkit-Android | Rootkit-Android | Android rootkit to intercept system calls to hide files and processes. | C | 4 | 2018 | ? | Rootkit | Rootkit | Phrack Issues 68-6? | Hook System Calls, Persistance, Hide Files, Hide Processes, File Information, Read Files, Get Directory Entries | - | - | 68be72a6e4d5ee6737a10d219679ea7279402a37881ee4b6d7cda8554fb53252 | 0 | 62 | 0.000 | 4 | 1 | 7 | 7.00 | 210 | 15 | 1.375 | 1,091 | 2.63 | 3.61 | 0.73 | 2.86 | ? | ? | https://github.com/n00d1e5/Rootkit-Android |
61 | Rootkit:AndroidOS/Whitesnow | Whitesnow | Android rootkit to intercept system calls to deploy a reverse shell when a SMS from a specific number is received. | C | 2 | 2013 | ? | Rootkit | Rootkit, Backdoor | Whitesnow | Hook System Calls, Reverse Shell, Open Files, Read Files, Write Files, Close Files, Get Real User ID | - | - | e1804d6745d4e0fad46e6960cf616709642d6e14d923aaf547f0cdb66cf4b928 | 0 | 63 | 0.000 | 2 | 1 | 10 | 10.00 | 49 | 22 | 12.791 | 172 | 0.38 | 1.73 | 0.22 | 2.00 | ? | ? | https://github.com/vxunderground/MalwareSourceCode/blob/main/Android/Android.Rootkit.Whitesnow.7z |
62 | Scareware:AndroidOS/Card | Card | Application that pretends to steal contacts, emails, whatsapp messages, etc. when in fact it does nothing. | Java | 2 | 2021 | ? | Scareware | Scareware | ? | Variable Names Obfuscation, Function Names Obfuscation, Make Toasts, Timer | ? | com.my.newproject2 | 7315f538454b59f0eb930b078965f3d81e9774942a1ed73f38c6e40da54df5eb | 0 | 60 | 0.000 | 7 | 6 | 98 | 16.33 | 155 | 0 | 0.000 | 785 | 1.86 | 3.17 | 0.59 | 1.17 | 83.842 | 49.030 | https://github.com/Black-Hell-Team/sppen/tree/main/Mobile/Card |
63 | Spyware:AndroidOS/AndroidMalwareApp | AndroidMalwareApp | Sends incoming SMS to server. | Java | 7 | 2019 | ? | Spyware | Spyware, Botnet | ? | Remote Data Exfiltration, Bot, Run in Background, Internet, Read Phone State, Broadcast SMS, Read SMS, Receive SMS, Broadcast WAP PUSH, Send Respond Via Message | android.permission.BROADCAST_SMS, android.permission.BROADCAST_WAP_PUSH, android.permission.INTERNET, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_SMS, android.permission.SEND_RESPOND_VIA_MESSAGE | com.example.malwareapp | 15fb1b59bc71f234ff97ba9be830d24698bfc0a14b8b10de027ce702d37ca6e6 | 0 | 60 | 0.000 | 29 | 9 | 30 | 3.33 | 109 | 78 | 9.166 | 851 | 2.03 | 3.27 | 0.62 | 2.00 | 102.272 | 59.808 | https://github.com/dotzip/AndroidMalwareApp |
64 | Spyware:AndroidOS/Child-Spyzier | Child-Spyzier | Parent Control application that sends screen recordings to a database server and displays incoming messages as notifications. | Java | 8 | 2021 | ? | Spyware | Spyware, Botnet | ? | Remote Data Exfiltration, Bot, Run in Background, Record Screen, Internet, Read External Storage, Write External Storage, Vibrate, Wake Lock | android.permission.INTERNET, android.permission.READ_EXTERNAL_STORAGE, android.permission.VIBRATE, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE | com.rana_aditya.child | 51b8fbe4d05772a183e7670c2d0f0cfd78c3e6173eedf28001e48ba92e7a69ec | 0 | 60 | 0.000 | 31 | 9 | 51 | 5.67 | 253 | 79 | 6.412 | 1,232 | 2.99 | 3.79 | 0.79 | 1.49 | 90.791 | 53.094 | https://github.com/ranaaditya/Child-SPYZIER-APP |
65 | Spyware:AndroidOS/Dash | Dash | This is an Android Spyware App which uploads user data such as Contacts, Messages, Call log & recordings, Send messages, Photos, Videos, etc. It is intended for parents that want to monitor their children. | Kotlin, Java | 8 | 2022 | ? | Spyware | Spyware, Keylogger, Locker, Botnet, C2, Billing-Fraud | IsTheApp | Remote Data Exfiltration, Privilege Escalation, Lock Device, Icon Hiding, Stealth, Draw Over other Apps, Bot, Run in Background, Run at Startup, Bind Notification Listener Service, Keystrokes Monitoring, Input Capture, WhatsApp, Instagram, Messenger, Upload Files, Camera, Access Fine Location, Access Network State, Bind Accessibility Service, Broadcast SMS, Read SMS, Receive SMS, Send SMS, Write SMS, Call Phone, Capture Audio Output, Internet, Kill Background Processes, Package Usage Stats, Process Outgoing Calls, Read Contacts, Read External Storage, Write External Storage, Read Phone State, Receive Boot Completed, Record Audio, Request Ignore Battery Optimizations, System Alert Window, Vibrate | android.hardware.camera, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, android.permission.BROADCAST_SMS, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.CAPTURE_AUDIO_OUTPUT, android.permission.INTERNET, android.permission.KILL_BACKGROUND_PROCESSES, android.permission.PACKAGE_USAGE_STATS, android.permission.PROCESS_OUTGOING_CALLS, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, android.permission.SEND_SMS, android.permission.SYSTEM_ALERT_WINDOW, android.permission.VIBRATE, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SMS | com.github.muneebwanee.dash | f08163ed4e269805f9be93de0fea715cdf3c4a25a0579b50aed5c54ff7005e86 | 0 | 62 | 0.000 | 343 | 2 | 2 | ? | 2,779 | 621 | 4.164 | 14,912 | 40.97 | 10.25 | 4.00 | 1.00 | 102.893 | ? | https://github.com/muneebwanee/Dash |
66 | Spyware:AndroidOS/DataFactoryReset | DataFactoryReset | Reads the logs of the device. | Java | 1 | 2021 | ? | Spyware | Spyware | ? | Local Data Exfiltration, Read Logs, Variable Names Obfuscation, Function Names Obfuscation, Make Toasts | ? | dumal.net | c4ae598656316bed7186b63e628ef24460931dd942bb83fa4c88ffdfa65d9749 | 0 | 60 | 0.000 | 7 | 7 | 34 | 4.86 | 51 | 0 | 0.000 | 345 | 0.79 | 2.28 | 0.34 | 1.38 | 81.321 | 47.556 | https://github.com/Black-Hell-Team/sppen/tree/main/Mobile/DataFactoryReset |
67 | Spyware:AndroidOS/Dobermann | Dobermann Watcher | Android app to monitor device notifications. It has the ability to update itself by downloading and installing an updated APK. | Java | 9 | 2018 | ? | Spyware | Spyware, Downloader | ? | Local Data Exfiltration, Run at Startup, Run in Background, Download Files, Update App, Install App, Bind Notification Listener Service, Receive Boot Completed, Write External Storage | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.WRITE_EXTERNAL_STORAGE | com.bioverflow.dobermann.admin, com.bioverflow.dobermann.client | f9751a61487676762c6b7c66c45ffd10942f08561a333f22b63b873e1a8cad75 | 0 | 60 | 0.000 | 48 | 16 | 67 | 4.19 | 241 | 148 | 10.321 | 1,434 | 3.50 | 4.03 | 0.87 | 1.88 | 90.285 | 52.798 | https://github.com/bioverflow/Dobermann |
68 | Spyware:AndroidOS/GetFiles | Apps_GetFiles, Shotdroid | Extracts files from internal and external storage and sends it to a server. | Java | 7 | 2021 | ? | Spyware | Botnet, Spyware, Backdoor | ? | Remote Data Exfiltration, Reverse Connection, Internet, Write External Storage | android.permission.INTERNET, android.permission.WRITE_EXTERNAL_STORAGE | com.getfiles | 033e2951058b0f134980ae9771256e1dfd1cecf404f377e9b7a08cde84b8ef28 | 0 | 61 | 0.000 | 27 | 3 | 16 | 5.33 | 77 | 72 | 9.499 | 758 | 1.79 | 3.12 | 0.57 | 2.00 | 29.923 | 17.499 | https://github.com/kp300/shotdroid/tree/master/Apps_GetFiles |
69 | Spyware:AndroidOS/IsTheApp | IsTheApp | This is an Android Spyware App which uploads user data such as Contacts, Messages, Call log & recordings, Send messages, Photos, Videos, etc. It is intended for parents that want to monitor their children. | Kotlin, Java | 7 | 2020 | ? | Spyware | Spyware, Keylogger, Locker, Botnet, C2, Billing-Fraud | IsTheApp | Remote Data Exfiltration, Privilege Escalation, Lock Device, Icon Hiding, Stealth, Draw Over other Apps, Bot, Run in Background, Run at Startup, Bind Notification Listener Service, Keystrokes Monitoring, Input Capture, WhatsApp, Instagram, Messenger, Upload Files, Camera, Access Fine Location, Access Network State, Bind Accessibility Service, Broadcast SMS, Read SMS, Receive SMS, Send SMS, Write SMS, Call Phone, Capture Audio Output, Internet, Kill Background Processes, Package Usage Stats, Process Outgoing Calls, Read Contacts, Read External Storage, Write External Storage, Read Phone State, Receive Boot Completed, Record Audio, Request Ignore Battery Optimizations, System Alert Window, Vibrate | android.hardware.camera, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, android.permission.BROADCAST_SMS, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.CAPTURE_AUDIO_OUTPUT, android.permission.INTERNET, android.permission.KILL_BACKGROUND_PROCESSES, android.permission.PACKAGE_USAGE_STATS, android.permission.PROCESS_OUTGOING_CALLS, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, android.permission.SEND_SMS, android.permission.SYSTEM_ALERT_WINDOW, android.permission.VIBRATE, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SMS | com.github.midros.istheapp | 2d14d7178886672d838c186ac780f856bac64da7d75173ce5bcb6a21e4efdce5 | 0 | 62 | 0.000 | 342 | ? | ? | ? | 2,775 | 620 | 4.161 | 14,899 | 40.93 | 10.24 | 3.99 | ? | ? | ? | https://github.com/M1Dr05/IsTheApp |
70 | Spyware:AndroidOS/Java-Spyware | Java-spyware | Send all contacts and SMS to a remote database. | Java, C++ | 11 | 2022 | ? | Spyware | Spyware, Botnet | ? | Remote Data Exfiltration, Bot, Data Encryption, Data Decryption, Run at Startup, Bind Notification Listener Service, Internet, Read Contacts, Read External Storage, Read SMS, Receive SMS, Receive Boot Completed | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, android.permission.INTERNET, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS | com.test.myapplication | 97db2b8b29d83cc7195ad4e16be2b9ac070bf80392897f5dc4935b7316644815 | 0 | 62 | 0.000 | 39 | 15 | 54 | 3.60 | 318 | 232 | 17.378 | 1,335 | 3.25 | 3.91 | 0.83 | 1.94 | 87.130 | 50.953 | https://github.com/komen205/java-backdoor |
71 | Spyware:AndroidOS/POC-Android-Malware | POC Android Malware. | A simple android malware uploading contacts, call logs and SMS to remote server. | Java | 5 | 2017 | ? | Spyware | Spyware, Botnet | ? | Run at Startup, Bot, Device Information, Access Wifi State, Change Wifi State, Internet, Read Contacts, Read Phone State, Read SMS, Receive Boot Completed, Wake Lock | android.permission.ACCESS_WIFI_STATE, android.permission.CHANGE_WIFI_STATE, android.permission.INTERNET, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.WAKE_LOCK | com.attify.pocmalware | da0270e506f33b8ead69d662dc1307f9f8323ad2c744b5a629a07834fcceb453 | 0 | 59 | 0.000 | 18 | 2 | 23 | 11.50 | 90 | 93 | 21.882 | 425 | 0.98 | 2.48 | 0.39 | 1.96 | 108.719 | 63.578 | https://github.com/LeetCodes/POC-Android-Malware |
72 | Spyware:AndroidOS/Spy-App | Android-Undetectable-Spy-App | It fetches all notifications in real time and Whatsapp and Instagram messages and sends them to a Firebase database. | Java | 8 | 2019 | ? | Spyware | Spyware, Botnet | ? | Remote Data Exfiltration, Run in Background, Bot, Icon Hiding, Stealth, Device Information, WhatsApp, Bind Accessibility Service, Bind Notification Listener Service, Write External Storage | android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, android.permission.WRITE_EXTERNAL_STORAGE | in.spyapp.patanjali.android | e75eb472308f6cf83db5c53db7193d2dee04b4cb57e3f5068369b3fced2897a5 | 0 | 62 | 0.000 | 26 | 8 | 36 | 4.50 | 287 | 250 | 24.631 | 1,015 | 2.44 | 3.51 | 0.70 | 2.86 | 81.426 | 47.618 | https://github.com/patanjalikr13/Android-Undetectable-Spy-App |
73 | Spyware:AndroidOS/SpyAppClient | SpyApp Client | Sends contacts, call logs and recieved and sent SMS to a FireBase database. Can also send SMS. | Java | 9 | 2017 | ? | Spyware | Spyware, Botnet, Billing-Fraud | ? | Remote Data Exfiltration, Bot, Run at Startup, Run in Background, Icon Hiding, Stealth, Access Fine Location, Access Network State, Bind Notification Listener Service, Call Phone, Camera, Internet, Process Outgoing Calls, Read Call Log, Read Contacts, Write Contacts, Read Phone State, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Record Audio, System Alert Window, Wake Lock, Write External Storage, Vibrate | android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_NOTIFICATION_LISTENER_SERVICE, android.permission.CALL_PHONE, android.permission.CAMERA, android.permission.INTERNET, android.permission.PROCESS_OUTGOING_CALLS, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.SEND_SMS, android.permission.SYSTEM_ALERT_WINDOW, android.permission.VIBRATE, android.permission.WAKE_LOCK, android.permission.WRITE_CONTACTS, android.permission.WRITE_EXTERNAL_STORAGE | com.example.ghazi.sms | ff87b6b288d59585355bb23b6e45ad87f41c90a505a0e1133a7d986db4631db8 | 0 | 58 | 0.000 | 31 | 11 | 151 | 13.73 | 402 | 200 | 10.864 | 1,841 | 4.56 | 4.45 | 1.02 | 1.64 | 89.843 | 52.540 | https://github.com/ghazikr/SpyAppClient |
74 | Spyware:AndroidOS/TrojanDemo | TrojanDemo | Exfiltrates the account database of an app called Renren, containing the account, name, password, uid, last login time, etc. Also has the ability to read data from the sdcard, downloaded files, contacts, call logs, SMS and forge a received SMS. | Java | 8 | 2014 | ? | Spyware | Spyware, Password-Stealing-Ware, Elevated-Privilege-Abuse | ? | Local Data Exfiltration, Stealth, Read Files, Open Files, List Files, Delete Files, File Decryption, Root Check, Credential Theft, Root Shell, Mount Filesystems, Unmount Filesystems, Read Call Log, Write Call Log, Read Contacts, Write Contacts, Read External Storage, Write External Storage, Read SMS | android.permission.MOUNT_UNMOUNT_FILESYSTEMS, android.permission.READ_CALL_LOG, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_SMS, android.permission.WRITE_CALL_LOG, android.permission.WRITE_CONTACTS, android.permission.WRITE_EXTERNAL_STORAGE | com.singuloid.trojandemo | 4a6c7ca64a7efccaf3f1247795f9515def1eda0664c29bd019fd5da120a24a72 | 0 | 60 | 0.000 | 53 | 15 | 88 | 5.87 | 328 | 137 | 6.001 | 2,283 | 5.71 | 4.85 | 1.18 | 2.32 | 48.114 | 28.137 | https://github.com/IceDcap/TrojanDemo |
75 | Spyware:AndroidOS/UpdateService | AndroidRAT, updateService | Connects to the server to check what data to exfiltrate from the following: browser history, contacts, GPS and SMS. | Java | 8 | 2013 | ? | Spyware | Spyware, C2, Botnet | ? | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Device Information, Receive Boot Completed, Access Coarse Location, Access Fine Location, Access GPS, Access Location, Internet, Read Contacts, Read Phone State, Read SMS, Receive Boot Completed, Wake Lock, Write External Storage, Read History Bookmarks | android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_GPS, android.permission.ACCESS_LOCATION, android.permission.INTERNET, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE, com.android.browser.permission.READ_HISTORY_BOOKMARKS | com.android.updateService | f448bde781feb754d7727319fe60d900995e64b15ee5c97a0f52cbc869857692 | 19 | 63 | 30.159 | 41 | 12 | 69 | 5.75 | 330 | 315 | 13.410 | 2,349 | 5.88 | 4.90 | 1.20 | 1.99 | 110.394 | 64.558 | https://github.com/ibrahimbalic/androidrat |
76 | Trojan:AndroidOS/FakeFacebook | FakeFacebookAndroid | An example of a possible malware app pretending to be a legitimate Facebook update. | Java | 4 | 2013 | ? | Trojan | Trojan | ? | - | - | com.feigdev.fakefacebook | 9eeb54444b4020b1598ace14e68aca964248895c45bb3455b18ce356d7363f5b | 0 | 60 | 0.000 | 16 | 1 | 2 | 2.00 | 35 | 44 | 25.581 | 172 | 0.38 | 1.73 | 0.22 | 1.00 | 157.382 | 92.036 | https://github.com/emil10001/FakeFacebookAndroid |
77 | Trojan-Backdoor:AndroidOS/DarkSilent | dark.silent | It is a trojan that sends device information and receives back a payload in json format that requests to download a file, with a hash to check its integrity. Lastly, decompresses the file and executes the code found in it. | Java | 1 | 2018 | Yes | Trojan-Backdoor | C2, Botnet, Trojan, Downloader, Dropper, Backdoor | DarkSilent | Remote Data Exfiltration, Bot, Remote Code Execution, Create Files, Delete Files, Copy Files, Download Files, Upload Files, Integrity Check, Data Encoding, Data Decoding, Compress Files, Decompress Files, Device Information, Access Coarse Location, Access Fine Location, Access Network State, Access Wifi State, Download WIthout Notification, Internet, Change Wifi State, System Alert Window, Write External Storage | android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.DOWNLOAD_WITHOUT_NOTIFICATION, android.permission.INTERNET, android.permission.CHANGE_WIFI_STATE, android.permission.SYSTEM_ALERT_WINDOW, android.permission.WRITE_EXTERNAL_STORAGE | dark.silent | 37aa787c7a2d0be0521e621e2c04cbc062264bb0e5d71a1e67a79d6a30abe637 | 0 | 60 | 0.000 | 9 | 9 | 29 | 3.22 | 50 | 4 | 0.644 | 621 | 1.46 | 2.88 | 0.50 | 4.00 | 98.914 | 57.844 | https://github.com/cweiske/dark.silent/tree/master/readable/dark/silent |
78 | Trojan-Backdoor:AndroidOS/DarkSilent.Obfuscated | dark.silent | It is an obfuscated trojan that sends device information and receives back a payload in json format that requests to download a file, with a hash to check its integrity. Lastly, decompresses the file and executes the code found in it. | Java | 1 | 2018 | Yes | Trojan-Backdoor | C2, Botnet, Trojan, Downloader, Dropper | DarkSilent | Remote Data Exfiltration, Bot, Variable Names Obfuscation, Function Names Obfuscation, Remote Code Execution, Create Files, Delete Files, Copy Files, Download Files, Upload Files, Integrity Check, Data Encoding, Data Decoding, Compress Files, Decompress Files, Device Information, Access Coarse Location, Access Fine Location, Access Network State, Access Wifi State, Download WIthout Notification, Internet, Change Wifi State, System Alert Window, Write External Storage | android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.DOWNLOAD_WITHOUT_NOTIFICATION, android.permission.INTERNET, android.permission.CHANGE_WIFI_STATE, android.permission.SYSTEM_ALERT_WINDOW, android.permission.WRITE_EXTERNAL_STORAGE | dark.silent | 4e5eaa154b657f7912e1a23496b0d4ea22f5906d3329101efafc4df39c444530 | 0 | 62 | 0.000 | 9 | 9 | 29 | 3.22 | 46 | 0 | 0.000 | 625 | 1.47 | 2.89 | 0.51 | 4.00 | 83.049 | 48.567 | https://github.com/cweiske/dark.silent/tree/master/obfuscated/dark/silent |
79 | Trojan-Banker:AndroidOS/Anubis.b | Anubis, BankBot, BankSpy | This sandbox aware malware sends information using encrypted traffic with user and password and receives commands for recording and streaming audio, device information, open URLs, update the app, replace C2 URL (backup servers for redundancy, URLs obtained from Twitter), add a USSD, set a VNC backdoor, activate the admin, load classes at runtime, get GPS coordinates, read, send, intercept, block and delete SMS, log keystrokes, open apps, reset system, proxy HTTP traffic, perform ransomware through file encryption and decrypt them, spoof clicks, get screenshots, list and inject into running processes, get the top app, forward calls, upload files, uninstall itself, disable Play Protect, and more. It also checks the installed apps against a list of hardcoded targeted apps, mainly banking, crypto and online shopping apps to load a similar looking view over the app in an overlay attack to perform a phishing attempt to steal credentials. | Java | 18 | 2019 | Yes | Trojan-Banker | Spyware, C2, Trojan, RAT, Botnet, Keylogger, Clicker, Spam, Encryption-Ransomware, Screen-Locking-Ransomware, Downloader, Loader, Locker, Phishing, Overlay, Proxy, Backdoor, Password-Stealing-Ware, Elevated-Privilege-Abuse, Billing-Fraud | Anubis | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Credential Theft, Sandbox Aware, File Encryption, File Decryption, VNC Backdoor, Encrypted Traffic, RC4 Encryption, Data Encoding, Data Decoding, Accelerometer Sensors, Persistance, Replace C2 URL, Backup Servers, Open URL, Stream Audio, Update App, HTTP forwarding, Volume, Load Classes at Runtime, Send SMS Spam, Hardcoded List of Targeted Apps, Target Banking Apps, Target Crypto Apps, Target Shopping Apps, Overlay, Multiple Languages, Add USSD, Twitter Communication, Disable Play Protect, List Running Processes, Top App, Process Injection, Open Apps, Doze Mode, Device Information, Click Spoofing, Input Injection, Vibrate, Lock Device, Persist on Screen, Draw Over Other Apps, Check Screen Locked, SMS Manager Change, Connectivity Check, Keystrokes Monitoring, Input Capture, Reset System, Alarm, Periodical, Screenshot, Uninstall Itself, Create Files, Read Files, Clear Files, Write Files, Delete Files, Search Files, List Files, Upload Files, Download Files, Logging, Make Notifications, Dialogs, Events, List Installed Apps, List Granted Permissions, Activate Admin, Check Admin, Privilege Escalation, Access Fine Location, Access Network State, Bind Accessibility Service, Broadcast WAP PUSH, Call Phone, Get Tasks, Internet, Package Usage Stats, Read Contacts, Read External Storage, Write External Storage, Read Phone State, Broadcast SMS, Read SMS, Receive SMS, Send SMS, Write SMS, Receive Boot Completed, Record Audio, Request Ignore Battery Optimizations, Send Respond Via Message, System Alert Window, Wake Lock | android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.BROADCAST_SMS, android.permission.BROADCAST_WAP_PUSH, android.permission.CALL_PHONE, android.permission.GET_TASKS, android.permission.INTERNET, android.permission.PACKAGE_USAGE_STATS, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.RECORD_AUDIO, android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, android.permission.SEND_RESPOND_VIA_MESSAGE, android.permission.SEND_SMS, android.permission.SYSTEM_ALERT_WINDOW, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE, android.permission.WRITE_SMS | anubis.bot.myapplication | 92c5e53709075b26be311863bffdbd515ad8916cc4b74176fed69f8b5ff7ceef | 17 | 49 | 34.694 | 814 | 70 | 430 | 6.14 | 17,842 | 11,290 | 7.447 | 151,595 | 467.66 | 25.85 | 18.09 | 3.73 | 69.355 | 40.558 | https://github.com/vxunderground/MalwareSourceCode/blob/main/Android/Android.Anubis.b.7z |
80 | Trojan-Banker:AndroidOS/Cerberus | Cerberus, Cerbuser | This Banking Trojan connects to a C2 server through an encrypted socket and it is able to steal 2FA tokens using SMS and google authenticator, grant permissions to itself, steal emails, get, block, intercept, and send SMS, lock the device, encrypt files and ask for a ransom, overlay a view over a certain list of hardcoded apps and perform phishing attacks, replace the C2 URL if it is down, open URL, download updates and modules, load classes at runtime, disable Play Protect, install and uninstall apps, lock the device, log keystrokes, activate admin, spoof clicks, prevent app removal, get contacts, and more. | Java | 16 | 2020 | Yes | Trojan-Banker | Spyware, C2, Trojan, RAT, Backdoor, Botnet, Encryption-Ransomware, Screen-Locking-Ransomware, Phishing, Overlay, Loader, Locker, Keylogger, Clicker, Downloader, Password-Stealing-Ware, Elevated-Privilege-Abuse, Billing-Fraud | Cerberus | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Credential Theft, 2FA Theft, Process Injection, Overlay, Persist on Screen, Draw Over Other Apps, Hardcoded List of Targeted Apps, Target Banking Apps, Target Card Apps, Target Email Apps, Device Information, Schedule Tasks, Global Actions, Replace C2 URL, Backup Servers, Get Google Authenticator, Play Protect Running Check, Disable Play Protect, Logging, Get Emails, Accelerometer Sensors, Open URL, Add USSD, Grant Permissions, Doze Mode, Load Classes at Runtime, List Installed Apps, Keystrokes Monitoring, Click Monitoring, Input Capture, Volume, Persistance, Update App, File Encryption, File Decryption, RC4 Encryption, Data Encoding, Data Decoding, Lock Device, Make Notifications, Make Toasts, Dialogs, Multiple Languages, Encrypted Traffic, Alarm, Press Button, List Granted Permissions, Activate Admin, Deactivate Admin, Check Admin, Privilege Escalation, Click Spoofing, Input Injection, Create Files, Delete Files, Download Files, Install Apps, Uninstall Apps, Uninstall Itself, Prevent App Removal, Block by Several Back Button Presses, Check Screen Locked, Open Apps, SMS Manager Change, Play Protect Running Check, Disable Play Protect, Logging, Bind Accessibility Service, Bind Device Admin, Broadcast WAP PUSH, Call Phone, Internet, Read Contacts, Read Phone State, Broadcast SMS, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Request Delete Packages, Request Ignore Battery Optimizations, Send Respond Via Message, Wake Lock, Install Shortcut | android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.BIND_DEVICE_ADMIN, android.permission.BROADCAST_SMS, android.permission.BROADCAST_WAP_PUSH, android.permission.CALL_PHONE, android.permission.INTERNET, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.REQUEST_DELETE_PACKAGES, android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, android.permission.SEND_RESPOND_VIA_MESSAGE, android.permission.SEND_SMS, android.permission.WAKE_LOCK, com.android.launcher.permission.INSTALL_SHORTCUT | com.example.mmm, com.example.modulebot | e63f068af816d5163b3b4b1c31c043551e36990b4a9f587059f87329de6784d5 | 7 | 38 | 18.421 | 914 | 42 | 242 | 5.76 | 19,251 | 3,361 | 1.527 | 220,173 | 692.01 | 30.00 | 23.06 | 2.97 | 83.807 | 49.010 | https://github.com/vxunderground/MalwareSourceCode/tree/087e41d5b81376a057d706f9d3586227419f3bf8/Leaks/Android/Android.Cerberus |
81 | Trojan-Banker:AndroidOS/Cerberus.d | Cerberus, Cebruser | This Banking Trojan connects to a C2 server through an encrypted socket and it is able to steal 2FA tokens using SMS and google authenticator, grant permissions to itself, get, block, intercept, and send SMS, lock the device, encrypt files and ask for a ransom, overlay a view over a certain list of hardcoded apps and perform phishing attacks, open URL, replace the C2 URL if it is down, download updates and modules, load classes at runtime, disable Play Protect, install and uninstall apps, lock the device, log keystrokes, activate admin, spoof clicks, prevent app removal, get contacts, and more. | Java | 9 | 2021 | Yes | Trojan-Banker | Spyware, C2, Trojan, RAT, Backdoor, Botnet, Encryption-Ransomware, Screen-Locking-Ransomware, Clicker, Phishing, Overlay, Locker, Downloader, Loader, Keylogger, Password-Stealing-Ware, Elevated-Privilege-Abuse, Billing-Fraud | Cerberus | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Credential Theft, 2FA Theft, Process Injection, Overlay, Persist on Screen, Draw Over Other Apps, Open URL, Replace C2 URL, Backup Servers, Get Google Authenticator, Play Protect Running Check, Disable Play Protect, Global Actions, Schedule Tasks, File Encryption, File Decryption, RC4 Encryption, Alarm, Hardcoded List of Targeted Apps, Target Banking Apps, Target Card Apps, Target Email Apps, Device Information, Create Files, Write Files, Download Files, Update App, Load Classes at Runtime, Data Encoding, Data Decoding, Keystrokes Monitoring, Click Monitoring, Input Capture, Lock Device, Open Apps, Volume, Click Spoofing, Input Injection, Grant Permissions, Encrypted Traffic, Check Screen Locked, Press Button, Uninstall Apps, Uninstall Itself, Prevent App Removal, Activate Admin, Deactivate Admin, Check Admin, Privilege Escalation, Block by Several Back Button Presses, List Granted Permissions, SMS Manager Change, Multiple Languages, Persistance, Doze Mode, Make Toasts, Dialogs, Accelerometer Sensors, Bind Accessibility Service, Bind Device Admin, Broadcast WAP PUSH, Call Phone, Internet, Read Contacts, Read Phone State, Broadcast SMS, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Request Delete Packages, Request Ignore Battery Optimizations, Send Respond Via Message, Wake Lock | android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.BIND_DEVICE_ADMIN, android.permission.BROADCAST_SMS, android.permission.BROADCAST_WAP_PUSH, android.permission.CALL_PHONE, android.permission.INTERNET, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.REQUEST_DELETE_PACKAGES, android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, android.permission.SEND_RESPOND_VIA_MESSAGE, android.permission.SEND_SMS, android.permission.WAKE_LOCK | com.example.mmm | d0434194da86bb491c8fe0e95ad0410df69da215a191fea6c88eec6ab4455849 | 33 | 61 | 54.098 | 152 | 29 | 175 | 6.03 | 1,609 | 416 | 4.616 | 9,012 | 24.14 | 8.38 | 2.88 | 2.78 | 88.844 | 51.956 | https://github.com/vxunderground/MalwareSourceCode/blob/main/Android/Android.Cerberus.d.rar |
82 | Trojan-Banker:AndroidOS/Cerberus.k | Cerberus, Cebruser | This Banking Trojan connects to a C2 server through an encrypted socket (two encryption algorithms) and it is able to steal 2FA tokens using SMS and google authenticator, avoid antivirus software, grant permissions to itself, get, block, intercept, and send SMS, lock the device, encrypt files and ask for a ransom, overlay a view over a certain list of hardcoded apps and perform phishing attacks, open URL, replace the C2 URL if it is down, download updates and modules, load classes at runtime, disable Play Protect, install and uninstall apps, lock the device, log keystrokes, activate admin, spoof clicks, prevent app removal, get contacts, and more. | Java | 16 | 2021 | Yes | Trojan-Banker | Spyware, C2, Trojan, Backdoor, RAT, Botnet, Encryption-Ransomware, Screen-Locking-Ransomware, Clicker, Phishing, Overlay, Locker, Downloader, Loader, Keylogger, Password-Stealing-Ware, Elevated-Privilege-Abuse, Billing-Fraud | Cerberus | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Credential Theft, 2FA Theft, Antivirus Evasion, Open URL, Make Notifications, File Encryption, File Decryption, RC4 Encryption, AES Encryption, Encrypted Traffic, Replace C2 URL, Backup Servers, Global Actions, Data Encoding, Data Decoding, Click Spoofing, Input Injection, Create Files, Write Files, Download Files, Update App, Load Classes at Runtime, Alarm, Grant Permissions, Process Injection, Overlay, Persist on Screen, Draw Over Other Apps, Hardcoded List of Targeted Apps, Target Banking Apps, Target Card Apps, Target Email Apps, List Granted Permissions, Connectivity Check, Change Wifi State, Press Button, Uninstall Apps, Uninstall Itself, Prevent App Removal, Block by Several Back Button Presses, Check Screen Locked, Lock Device, Get Google Authenticator, Play Protect Running Check, Disable Play Protect, Schedule Tasks, Keystrokes Monitoring, Click Monitoring, Input Capture, Volume, Make Toasts, Dialogs, Activate Admin, Deactivate Admin, Check Admin, Privilege Escalation, Device Information, Logging, Persistance, Doze Mode, Multiple Languages, SMS Manager Change, Accelerometer Sensors, Access Network State, Bind Accessibility Service, Bind Device Admin, Bind Job Service, Broadcast WAP PUSH, Call Phone, Internet, Read Contacts, Read Phone State, Broadcast SMS, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Request Delete Packages, Request Ignore Battery Optimizations, Send Respond Via Message, Wake Lock, C2DM Receive, C2DM Send, Bind Get Install Referrer Service | android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.BIND_DEVICE_ADMIN, android.permission.BIND_JOB_SERVICE, android.permission.BROADCAST_SMS, android.permission.BROADCAST_WAP_PUSH, android.permission.CALL_PHONE, android.permission.INTERNET, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.REQUEST_DELETE_PACKAGES, android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, android.permission.SEND_RESPOND_VIA_MESSAGE, android.permission.SEND_SMS, android.permission.WAKE_LOCK, com.google.android.c2dm.permission.RECEIVE, com.google.android.c2dm.permission.SEND, com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE | com.example.mmm | b366031bf5ef9119f00752653e25752dd96e5494ff92b0695853860e195228c5 | 25 | 52 | 48.077 | 507 | 77 | 387 | 5.03 | 10,745 | 7,305 | 5.598 | 130,485 | 399.53 | 24.35 | 16.41 | 2.05 | 76.576 | 44.781 | https://github.com/vxunderground/MalwareSourceCode/blob/main/Android/Android.Cerberus.k.7z |
83 | Trojan-Banker:AndroidOS/DefensorId | DefensorId | Banking Trojan with a firebase database that can read text displayed on screen, which allows the app to steal SMS and emails, private keys, 2FA codes, etc. It modifies the screen timeout to have time to perform it's neferious activities, as it does not have capabilities to unlock the device. It receives commands to start and stop the service, perform global actions (back, home, recents, notifications), open apps, list installed apps, perform clicks and swipes, etc. | Java | 14 | 2020 | Yes | Trojan-Banker | Spyware, Botnet, C2, Trojan, Clicker | DefensorId | Remote Data Exfiltration, Run at Startup, Run in Background, Credential Theft, 2FA Theft, Bot, Click Spoofing, Input Injection, Swipe Spoofing, Press Button, Global Actions, Open Apps, Hide Apps, Screen Text Capture, Input Capture, List Installed Apps, Uninstall Apps, Strings Obfuscation, Device Information, Make Toasts, Set Screen Timeout, Alert, Dialogs, Open URL, Access Network State, Bind Accessibility Service, Bind Job Service, Foreground Service, Internet, Request Delete Package, System Alert Window, System Overlay Window, Wake Lock, Write Setting, C2DM Receive, C2DM Send, Bind Get Install Referrer Service | android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.BIND_JOB_SERVICE, android.permission.FOREGROUND_SERVICE, android.permission.INTERNET, android.permission.REQUEST_DELETE_PACKAGES, android.permission.SYSTEM_ALERT_WINDOW, android.permission.SYSTEM_OVERLAY_WINDOW, android.permission.WAKE_LOCK, android.permission.WRITE_SETTINGS, com.google.android.c2dm.permission.RECEIVE, com.google.android.c2dm.permission.SEND, com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE | com.client.teach.education | 8fb162835e8f503dfcf2761138a430787003ffe4f307bee1a9e3f76a16761cfa | 6 | 48 | 12.500 | 567 | 7 | 70 | 10.00 | 13,614 | 19,386 | 17.547 | 110,480 | 335.47 | 22.79 | 14.72 | 2.67 | 83.768 | 48.987 | https://github.com/vxunderground/MalwareSourceCode/blob/main/Android/Android.DefensorId.7z |
84 | Trojan-Banker:AndroidOS/GmBot | GMBot, SlemBunk, Bankosy, Acecard, Slempo and MazarBot | Banking Trojan that targets specific email, card, social media, shopping and banking applications to overlay a window in order to steal credentials, billing and card information. It also sends user, phone, and account information as well as a list of installed apps and crash reports. It also has functionalities to get, send and intercept SMS, forward calls, block and unblock numbers, lock the device, etc. | Java | 11 | 2016 | Yes | Trojan-Banker | Spyware, C2, Trojan, Botnet, Phishing, Overlay, Locker, Password-Stealing-Ware, Elevated-Privilege-Abuse, Billing-Fraud | Slempo | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Credential Theft, Icon Hiding, Stealth, Lock Device, Persistance, Process Injection, Overlay, Draw Over Other Apps, List Running Processes, Top App, List Installed Apps, Hardcoded List of Targeted Apps, Target Banking Apps, Target Card Apps, Target Social Media Apps, Target Email Apps, Target Shopping Apps, Check Card Validity, Check Phone Number Validity, Open URL, Schedule Tasks, Periodical Connection With Server, Add USSD, Blocked Numbers, Block Numbers, Unblock Numbers, Crash Report, Device Information, Ignore Russian Victims, Check Admin, Activate Admin, Privilege Escalation, Calendar, Alarm, Dialog, Volume, Data Encoding, Data Decoding, Access Coarse Location, Access Fine Location, Access Network State, Bind Device Admin, Call Phone, Get Tasks, Internet, Read Phone State, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, System Alert Window, Wake Lock | android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_DEVICE_ADMIN, android.permission.CALL_PHONE, android.permission.GET_TASKS, android.permission.INTERNET, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.SEND_SMS, android.permission.SYSTEM_ALERT_WINDOW, android.permission.WAKE_LOCK | org.slempo.service | 827bb5c81b3992d706a787a330032eb347db8f819d98e3cc53dbdd4374e5c4a3 | 0 | 60 | 0.000 | 417 | 78 | 645 | 8.27 | 5,725 | 8,490 | 6.194 | 137,079 | 420.76 | 24.84 | 16.94 | 1.95 | 97.545 | 57.044 | https://github.com/vxunderground/MalwareSourceCode/blob/main/Android/Android.GmBot.rar |
85 | Trojan-Banker:AndroidOS/MazarBot | GMBot, SlemBunk, Bankosy, Acecard, Slempo and MazarBot | Banking Trojan that targets specific card and shopping applications to overlay a window in order to steal credentials, billing and card information. It also sends user, phone, and account information as well as a list of installed apps and crash reports. It also has functionalities to get, send and intercept SMS, forward calls, block and unblock numbers, wipe the device data, lock the device, etc. | Java | 9 | 2018 | Yes | Trojan-Banker | Spyware, C2, Trojan, Botnet, Phishing, Overlay, Locker, Wiper, Password-Stealing-Ware, Elevated-Privilege-Abuse, Billing-Fraud | Slempo | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Wipe Data, Credential Theft, Persistance, Icon Hiding, Stealth, Lock Device, Process Injection, Overlay, Draw Over Other Apps, List Running Processes, Top App, List Installed Apps, Hardcoded List of Targeted Apps, Target Card Apps, Target Shopping Apps, Check Card Validity, Check Phone Number Validity, Open URL, Schedule Tasks, Periodical Connection With Server, Check Admin, Activate Admin, Privilege Escalation, Device Information, Ignore Russian Victims, Blocked Numbers, Block Numbers, Unblock Numbers, Data Encoding, Data Decoding, Calendar, Dialog, Alarm, Access Network State, Bind Device Admin, Call Phone, Get Tasks, Internet, Read Phone State, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, System Alert Window, Wake Lock | android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_DEVICE_ADMIN, android.permission.CALL_PHONE, android.permission.GET_TASKS, android.permission.INTERNET, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.SEND_SMS, android.permission.SYSTEM_ALERT_WINDOW, android.permission.WAKE_LOCK | org.slempo.service | 1ac1b4c78517ac300c696e37a6ccdb60605e5dbfc645bb3ec2aa4ddb471df5ae | 22 | 63 | 34.921 | 311 | 31 | 271 | 8.74 | 4,046 | 6,818 | 4.254 | 160,267 | 495.79 | 26.43 | 18.76 | 1.95 | 97.785 | 57.184 | https://github.com/NBG0x1/AndroidMalware-MazarBot |
86 | Trojan-SMS:AndroidOS/MalRecipe | TrojanRecipe, malrecipe | Trojan embedded within a simple recipe book application. The trojan sends a text message from the victim android mobile phone when the recipe book application is run. This message is sent everytime the recipe book application is opened. | Java | 8 | 2017 | ? | Trojan-SMS | Trojan, Billing-Fraud | ? | Send SMS | android.permission.SEND_SMS | com.example.malrecipe | fdd67bfa4f4e891bb224b2d46c987a4632ed0a15a36ad511e82e11a31176c81a | 0 | 60 | 0.000 | 31 | 5 | 17 | 3.40 | 80 | 71 | 13.654 | 520 | 1.21 | 2.69 | 0.45 | 1.76 | 124.665 | 72.904 | https://github.com/shivenchawla/Trojan_Recipe |
87 | Trojan-SMS:AndroidOS/SMSListener | Android SMS Trojan, smslistener | An app that receives the incoming messages and sends them back to a specific phone number. | Java | 1 | 2015 | ? | Trojan-SMS | Trojan, Spyware, Billing-Fraud | ? | Read SMS, Receive SMS, Send SMS | - | com.example.smslistener | 05503e201c34406f2a8632865e866a4b2b2e48aa7acb4807cb36cb02931f98af | 0 | 62 | 0.000 | 4 | 2 | 4 | 2.00 | 17 | 0 | 0.000 | 120 | 0.26 | 1.50 | 0.17 | 2.50 | 101.027 | 59.080 | https://github.com/sushiomsky/ANDROID_SMS_TROJAN |
88 | Trojan-SMS:AndroidOS/YSP | YSP | Sends all received SMS to the attacker via SMS. | Java | 5 | 2016 | ? | Trojan-SMS | Trojan, Spyware, Billing-Fraud | ? | Remote Data Exfiltration, Run at Startup, Run in Background, Icon Hiding, Stealth, Read SMS, Receive SMS, Send SMS, Receive Boot Completed | android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.SEND_SMS | com.example.ysp | acf2a92e7662d4ddfe2b37cbb9d338851a0fb41d5e81d9865213dee199c08334 | 0 | 61 | 0.000 | 23 | 3 | 8 | 2.67 | 68 | 52 | 15.805 | 329 | 0.75 | 2.24 | 0.33 | 1.75 | 75.317 | 44.045 | https://github.com/WSAyan/ysp |
89 | Trojan-Spy:AndroidOS/AndroidSpyCamera | AndroidSpyCamera | Simple app that takes a photo and saves it without notifying the user. | Java | 8 | 2017 | ? | Trojan-Spy | Spyware, Trojan | ? | Local Data Exfiltration, Run in Background, Camera | android.hardware.camera, android.hardware.camera.autofocus, android.permission.CAMERA | com.twoeightnine.root.camera | 34e15cb6ad99fbe28e0a868a2d644bdda6c578b71eda56dc0d087d6be1b07234 | 0 | 62 | 0.000 | 36 | 7 | 79 | 11.29 | 311 | 543 | 41.387 | 1,312 | 3.19 | 3.89 | 0.82 | 1.95 | 74.166 | 43.372 | https://github.com/TwoEightNine/AndroidSpyCamera |
90 | Trojan-Spy:AndroidOS/AndroidTrojan | AndroidTrojan | When a specific command is sent via WeChat, the app replies with an image that contains the contact list hidden inside it. It then deletes the chat log. | Java | 8 | 2017 | ? | Trojan-Spy | Spyware, Trojan, Botnet | ? | Remote Data Exfiltration, Bot, Run at Startup, Run in Background, Draw Over Other Apps, Image Steganography, Unlock Device, Chat Log Deletion, WeChat Event Monitor, Bind Accessibility Service, Disable Keyguard, Get Tasks, Internet, Modify Audio Settings, Mount Filesystems, Unmount Filesystems, Read Contacts, Read External Storage, Receive Boot Completed, Redorder Tasks, Wake Lock, Write External Storage | android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.DISABLE_KEYGUARD, android.permission.GET_TASKS, android.permission.INTERNET, android.permission.MODIFY_AUDIO_SETTINGS, android.permission.MOUNT_UNMOUNT_FILESYSTEMS, android.permission.READ_CONTACTS, android.permission.READ_EXTERNAL_STORAGE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.REORDER_TASKS, android.permission.WAKE_LOCK, android.permission.WRITE_EXTERNAL_STORAGE | com.example.gx.androidtrojan | d36181af63d57f6c9bd4c4b7073f630aeb5e05a10693991f44d96076e9d33eab | 0 | 62 | 0.000 | 28 | 9 | 51 | 5.67 | 170 | 142 | 14.214 | 999 | 2.40 | 3.49 | 0.69 | 2.35 | 71.564 | 41.850 | https://github.com/guaiyt/AndroidTrojan |
91 | Trojan-Spy:AndroidOS/BabyBot | BabyBot, fakeapp | Fake application that hides an Information Botnet Trojan that obtains contact lists, email accounts, SMS and device information. | Kotlin | 8 | 2021 | ? | Trojan-Spy | Botnet, C2, Trojan, Spyware, Mailfinder, Backdoor | ? | Remote Data Exfiltration, Bot, Run in Background, Get Accounts, Internet, Read Contacts, Read SMS, Receive SMS, Write External Storage | android.permission.GET_ACCOUNTS, android.permission.INTERNET, android.permission.READ_CONTACTS, android.permission.READ_SMS, android.permission.RECEIVE_SMS, android.permission.WRITE_EXTERNAL_STORAGE | com.company.app.fakeapp | 3590db1305d204af4820c0c82a143cedf2dbfeec888486306069a691e106f34e | 0 | 59 | 0.000 | 155 | ? | ? | ? | 751 | 217 | 4.817 | 4,505 | 11.66 | 6.36 | 1.83 | ? | ? | ? | https://github.com/FahedHermoza/BabyBot |
92 | Trojan-Spy:AndroidOS/ClearChat | ClearChat | This has a simple login screen, but in the background will extract the victims contacts and emails and will send it to the attacker. | Java | 10 | 2017 | ? | Trojan-Spy | Spyware, Trojan, Botnet, Mailfinder | ? | Remote Data Exfiltration, Bot, Get Accounts, Read Profile, Read Contacts, Internet, Access Network State | android.permission.ACCESS_NETWORK_STATE, android.permission.GET_ACCOUNTS, android.permission.INTERNET, android.permission.READ_CONTACTS, android.permission.READ_PROFILE | com.divya.mvp.clearchat | 73eaf6e2dd914313f0d7478f95e2c646550b5ffdd64901493ac9c549727da698 | 1 | 60 | 1.667 | 506 | 5 | 33 | 6.60 | 2,148 | 9,869 | 13.591 | 72,614 | 215.91 | 19.27 | 11.20 | 1.91 | 86.612 | 50.650 | https://github.com/nithinmurali/ClearChat |
93 | Trojan-Spy:AndroidOS/ColumbusTrojan | Columbus-trojan, cute trojan, crackapp | Trojan app that hides as a crack for the PowerAmp app but records audio, takes pictures, monitors location and uploads them to an Amazon S3 bucket. The it sends the location of that bucket alongside the account of the user to the server. | Java | 8 | 2016 | ? | Trojan-Spy | Spyware, Trojan, Botnet, Mailfinder | ? | Remote Data Exfiltration, Bot, Read Files, Delete Files, Upload Files, Camera, Access Fine Location, Access Network State, Get Accounts, Internet, Record Audio | android.hardware.camera, android.hardware.camera.front, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.CAMERA, android.permission.GET_ACCOUNTS, android.permission.INTERNET, android.permission.RECORD_AUDIO | co.poweramp.crackapp | b590af54254f063cf8c38165d882694753c6a7e61512426b5a48b86ee6f5f3b7 | 0 | 62 | 0.000 | 38 | 13 | 95 | 7.31 | 213 | 187 | 12.119 | 1,543 | 3.78 | 4.15 | 0.91 | 1.65 | 75.437 | 44.115 | https://github.com/project-columbus/trojan |
94 | Trojan-Spy:AndroidOS/Flashlight | FlashLight | Silently logs and e-mails all incoming/outgoing calls and text messages with contact information while doubling up as a flashlight app. The app also has the ability to hide itself via a keyword using text messages and show the phones location. | Java | 7 | 2021 | ? | Trojan-Spy | Spyware, Trojan, Botnet, Billing-Fraud | ? | Remote Data Exfiltration, Run in Background, Run at Startup, Icon Hiding, Stealth, Make Toasts, Send Email, Device Information, Camera, GPS, Telephony, Touchscreen, Access Coarse Location, Access Fine Location, Flashlight, Internet, Process Outgoing Calls, Read Contacts, Read Phone State, Broadcast SMS, Read SMS, Receive SMS, Send SMS, Receive Boot Completed, Wake Lock | android.hardware.camera, android.hardware.camera.autofocus, android.hardware.camera.flash, android.hardware.location.gps, android.hardware.telephony, android.hardware.touchscreen, android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.BROADCAST_SMS, android.permission.CAMERA, android.permission.FLASHLIGHT, android.permission.INTERNET, android.permission.PROCESS_OUTGOING_CALLS, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECEIVE_SMS, android.permission.SEND_SMS, android.permission.WAKE_LOCK | com.flash.light | a38df5a0bb77d4c65c4778e01018662b9f7b8f5f59cab812c7ffba17dcc46a10 | 0 | 60 | 0.000 | 264 | 15 | 144 | 9.60 | 2,649 | 9,351 | 81.597 | 11,460 | 31.07 | 9.23 | 3.37 | 1.72 | 75.314 | 44.043 | https://github.com/amboxer21/FlashLight |
95 | Trojan-Spy:AndroidOS/Jawar | Jawar | As long as the app is installed, it records permanently with the mic and send the audios through TCP. | Java | 8 | 2017 | ? | Trojan-Spy | Spyware, Trojan, Botnet | ? | Remote Data Exfiltration, Bot, Run at Startup, Run in Background, Bind Job Service, Internet, Receive Boot Completed, Record Audio | android.permission.BIND_JOB_SERVICE, android.permission.INTERNET, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.RECORD_AUDIO | eu.davidriff.jawar | 43e22abc511c36bbe718efe744d6798f5df48a6da9e9d8db435a1c3cdcdd43b2 | 0 | 62 | 0.000 | 25 | 6 | 23 | 3.83 | 150 | 82 | 14.187 | 578 | 1.35 | 2.80 | 0.48 | 1.83 | 86.570 | 50.626 | https://github.com/davidriff/Jawar |
96 | Trojan-Spy:AndroidOS/MAD-Spy | MAD Spy | App comprised of services used to repack legitimate apps to add spyware functionalities, mainly keystroke and screenshot exfiltration to a firebase database. | Java | 8 | 2019 | ? | Trojan-Spy | Trojan, Spyware, Keylogger, Botnet | ? | Remote Data Exfiltration, Run at Startup, Run in Background, Bot, Periodical Connection With Server, Create Files, Delete Files, Upload Files, Stealth, Screenshot, Keystrokes Monitoring, Click Monitoring, Input Capture, Access Network State, Bind Accessibility Service, Camera, Internet, Read External Storage, Write External Storage, Receive Boot Completed | android.permission.ACCESS_NETWORK_STATE, android.permission.BIND_ACCESSIBILITY_SERVICE, android.permission.CAMERA, android.permission.INTERNET, android.permission.READ_EXTERNAL_STORAGE, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.WRITE_EXTERNAL_STORAGE | com.example.cristianturetta.spyware | f03202c2f7cec4db16a174eeed97127b40a164bd995741142a6c20c3711a2563 | 0 | 62 | 0.000 | 32 | 16 | 67 | 4.19 | 221 | 210 | 18.389 | 1,142 | 2.76 | 3.68 | 0.75 | 2.06 | 94.234 | 55.108 | https://github.com/CristianTuretta/MAD-Spy |
97 | Trojan-Spy:AndroidOS/SocietyPoisonerTrojan | SocietyPoisonerTrojan, socialpoisoner | Periodically sends an email containing device information, GPS coordinates, camera pictures, SMS and contacts. | Java | 8 | 2016 | ? | Trojan-Spy | Spyware, Botnet, Trojan | ? | Remote Data Exfiltration, Persistance, Periodical Connection With Server, Run in Background, Bot, Run at Startup, Icon Hiding, Stealth, Device Information, Camera, Access Coarse Location, Access Fine Location, Access Network State, Access Wifi State, Internet, Read Contacts, Read Phone State, Read SMS, Receive Boot Completed, Write External Storage | android.hardware.camera, android.hardware.camera.autofocus, android.permission.ACCESS_COARSE_LOCATION, android.permission.ACCESS_FINE_LOCATION, android.permission.ACCESS_NETWORK_STATE, android.permission.ACCESS_WIFI_STATE, android.permission.CAMERA, android.permission.INTERNET, android.permission.READ_CONTACTS, android.permission.READ_PHONE_STATE, android.permission.READ_SMS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.WRITE_EXTERNAL_STORAGE | com.cakeman.doctorrabb.socialpoisoner | c6665c079f46476878b006a713dcd8948a4a41933761608fb13b2a6e2dca0cbb | 0 | 62 | 0.000 | 26 | 11 | 43 | 3.91 | 220 | 104 | 12.855 | 809 | 1.92 | 3.20 | 0.60 | 2.02 | 89.723 | 52.470 | https://github.com/KbaHaxor/SocietyPoisonerTrojan |
98 | Trojan-Wiper:AndroidOS/TicTacToe_Malware | TicTacToe_Malware, maltictactoe | This malicious game deletes all the contacts from an android mobile phone when run. Instead of just deleting the contacts once, the malicious tictactoe game runs as a background service everytime the phone reboots and deletes the entire contact list on every reboot. | Java | 8 | 2017 | ? | Trojan-Wiper | Trojan, Wiper | ? | Run in Background, Run at Startup, Read Contacts, Write Contacts, Receive Boot Completed | android.permission.READ_CONTACTS, android.permission.RECEIVE_BOOT_COMPLETED, android.permission.WRITE_CONTACTS | maltictactoe.example.org.maltictactoe | 989fe4b24403e9734ae16025400da3ec4862df583b8602772285f1f366b56403 | 0 | 62 | 0.000 | 27 | 6 | 23 | 3.83 | 108 | 82 | 12.202 | 672 | 1.58 | 2.98 | 0.53 | 2.26 | 105.299 | 61.578 | https://github.com/shivenchawla/TicTacToe_Malware |