Dracarys, a newly identified Android spyware, has been used by the Bitter APT group in its cyberespionage operations. The victims are users located in India, Pakistan, New Zealand, and the U.K.

Bitter APT adopts Dracarys

Security firm Cyble has recently released a technical report on the Dracarys malware.
  • The group distributed the app through a phishing page built to look like a legitimate Signal download portal.
  • The page was hosted on a lookalike domain, signalpremium[.]com, to fool users.
  • Because Signal is open source, the Bitter APT group could build its own copy with all of the usual features intact, adding the Dracarys code to the source before compiling. The resulting app looks and works like Signal, so the trojanized build is not obvious from its behaviour alone.

Modus operandi

  • On installation, Dracarys requests a broad set of permissions: access to contacts, SMS, the camera, the microphone, read/write storage, the ability to place calls, and the device's precise location.
  • It abuses Android's Accessibility Service to grant itself further permissions without user interaction, and it keeps running in the background even when the app is closed.
  • The malware collects and sends to its C2 server the contact list, SMS messages, call logs, the list of installed applications, files, and the device's GPS position.
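
The combination described above (a wide set of data-access permissions plus an Accessibility Service the app can use to click through its own permission prompts) is visible in an APK's manifest before the app is ever run. The script below is an added example, not code from Cyble's or Meta's reports: it takes a decoded AndroidManifest.xml (for instance apktool output), lists which sensitive data categories the app requests, and reports any declared Accessibility Service. The package name, the service class name `.AccessHelper`, the sample manifests and the scoring threshold are all constructed for this example and are not taken from a real Dracarys sample.

```python
"""Triage a decoded AndroidManifest.xml for the Dracarys-style capability set.

Added example. The sample manifests built here are constructed for
illustration; they are not the manifest of a real Dracarys sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"              # ElementTree key for android:name
PERMISSION = f"{{{ANDROID_NS}}}permission"  # ElementTree key for android:permission

# Permissions named in the write-up, grouped by the data they unlock.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_logs",
    "android.permission.CALL_PHONE": "calls",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
# An accessibility service is bound by the system only if it is protected by this
# permission and handles this intent action; either one in a manifest is a tell.
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def build_sample_manifest(with_accessibility_service: bool) -> str:
    """Constructed sample manifest (hypothetical package and class names)."""
    perms = "\n".join(f'  <uses-permission android:name="{p}"/>' for p in SENSITIVE)
    service = ""
    if with_accessibility_service:
        service = f"""
    <service android:name=".AccessHelper"
             android:permission="{BIND_A11Y}">
      <intent-filter>
        <action android:name="{A11Y_ACTION}"/>
      </intent-filter>
    </service>"""
    return f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.messenger">
{perms}
  <application>{service}
  </application>
</manifest>
"""


def analyze_manifest(xml_text: str) -> dict:
    """Return requested data categories, accessibility services and a verdict."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    categories = sorted({SENSITIVE[p] for p in requested if p in SENSITIVE})

    a11y_services = []
    for svc in root.iter("service"):
        actions = {a.get(NAME) for a in svc.iter("action")}
        if svc.get(PERMISSION) == BIND_A11Y or A11Y_ACTION in actions:
            a11y_services.append(svc.get(NAME))

    return {
        "package": root.get("package"),
        "sensitive_categories": categories,
        "accessibility_services": a11y_services,
        # Threshold chosen for this example: a messenger legitimately asks for many
        # of these permissions, so the accessibility service is what tips the verdict.
        "suspicious": bool(a11y_services) and len(categories) >= 4,
    }


if __name__ == "__main__":
    for trojanized in (True, False):
        print(analyze_manifest(build_sample_manifest(trojanized)))
```

The permission list on its own is a weak indicator for a messaging app, which plausibly needs contacts, camera, microphone, storage and location for normal features. What separates a rebuilt, trojanized client from a clean one in this heuristic is the Accessibility Service declaration, which a messenger has no obvious need for; in practice this check belongs alongside a comparison of the APK's signing certificate with the one the legitimate developer publishes.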

Meta had a hint earlier

Meta first disclosed the new Android malware in its Q2 2022 adversarial threat report.
  • Meta’s report described trojanized versions of YouTube, WhatsApp, and Telegram being used to deliver it.
  • Meta’s researchers also described the malware’s geolocation, microphone-activation, and data-theft capabilities.

Stay safe

Dracarys operators keep impersonating genuine apps to lure victims. Users should pay attention to the permissions any app installed from a third-party source asks for, and should be especially wary of an app that requests Accessibility Service access it has no obvious need for. Better still, avoid third-party sources entirely and install only from the official Google Play store.
Cyware Publisher