Researchers at K7 Labs have discovered a significant cybersecurity threat aimed at Telegram users, identified as SpyMax. This sophisticated Remote Administration Tool (RAT) operates by masquerading as the legitimate Telegram app, tricking users into downloading and installing it on their Android devices. Unlike typical RATs, SpyMax does not require the device to be rooted, making it easier for attackers to compromise sensitive data. Once installed, SpyMax prompts users to grant Accessibility Service permissions, enabling it to act as a keylogger and collect extensive personal information, including location data.
The malicious “ready.apk” file, distributed via a phishing campaign, initiates the SpyMax infiltration. It captures keystrokes and stores them in log files on the device’s external storage, along with detailed location information. This data is compressed using the gZIPOutputStream API and sent to a Command and Control (C2) server located at IP 154.213.65[.]28 through an obfuscated connection on port 7771. The C2 server then sends back commands and additional payloads, further compromising the device’s security.
To protect against SpyMax and similar threats, users are advised to download apps only from trusted sources like Google Play and the App Store. They should also remain vigilant against phishing attempts and regularly update their devices to patch known vulnerabilities. Awareness of these tactics is crucial for maintaining data security and preventing unauthorized access by malicious actors using tools like SpyMax.
Reference:
