Threat actors focus on gaining remote access and control of victims’ devices. For this they either use fake apps or masquerade as legitimate apps. This blog is about the Rusty Droid RAT, which masquerades Chrome browser for Android. The sample under consideration is taken from this tweet. It has the capabilities of tracking financial activities, which includes sending and reading SMS messages and spam messages, and intercepting emails from Gmail accounts. Additionally, it can initiate calls to premium-rate numbers, resulting in financial losses.

In this blog, we will be analyzing “com.catajuhufepusuwo.xenonome” which masquerades as “Chrome” as shown in Fig.1.

Fig.1. Malware masquerades as “Chrome”

Technical Analysis

Once Rusty Droid is installed on the device, it keeps on bringing up the Accessibility Service setting option on the device, as shown in Fig.2, until the user allows this app to have the Accessibility Service enabled which hides the App’s icon from the application drawer. 

Fig.2. Malware requests Accessibility permission 

Rusty Droid initially gathers the following data from the victim’s device: contact list, Get accounts, installed app list, device info before establishing communication to C2 as shown in Fig.3, Fig.4, Fig.5. 

Fig.3. Installed applications list
Fig.4. Get Accounts
Figure.5. Device Details

Once the accessibility permissions are granted, this malicious APK decrypts the malicious payload file called LqL.json from the App’s asset folder as shown in Fig.6, to an executable DEX format and loads the decrypted file. Also, the malicious APK drops settings.xml file which contains the malicious C2 server IP address and bot id as shown in Fig.7.

 Fig.6. Payload in asset folder
Fig.7 Settings.xml file containing C2 IP address

Abusing the Android Accessibility Service, this Trojan acts as a keylogger to steal all the victim’s information on the device; capturing passwords, login credentials, credit card details, and personal messages. This data is then forwarded to cybercriminals, who can exploit it for financial gain or other malicious purposes, leaving victims vulnerable to identity theft and fraud.

Once the malicious payload is loaded, it contacts the malicious C2 server “176.111.174[.]191”  shown in Fig.8 

Fig.8. Malicious C2 Panel

The malware connects to the C2 server and receives encrypted data from the server as shown in Fig.9. The encrypted data is decrypted to receive the list of targeted applications as shown in Fig.10.

Fig.9. Encrypted data from C2
Fig.10. Decrypted targeted applications

Whenever the user tries to interact with the targeted application on the device, the malware captures the keystroke to acquire the login credentials of the targeted app. It has the capacity to steal seed phrases for cryptocurrency wallets, potentially leading to the theft of valuable digital assets

Remote Access Trojans are a popular mobile threat and they are becoming more and more sophisticated in nature. Users are advised to use a reputable security product like K7 Mobile Security and also regularly update and scan your devices with it to stay safe from such threats. Also keep your devices updated and patched against the latest security vulnerabilities.

Targeted Applications


Package NameHashDetection Name
com.catajuhufepusuwo.xenonome3bc49abd12c9f0bc3d4f141e2f2376f3Trojan ( 0058fc031 )
com.urgerdaao.dwwvbcowsfd9bc14fdfc21de632d363a80b4a69b3Trojan ( 0053b5f91 )
com.znhbvvokm.iyjrxjabx2691b6a84986eb619d45af50016a17b7Trojan ( 0053b5f91 )
com.doporuyobore.yikago789f57d8233b4a1b0a7a0ad8f7352ef8Trojan ( 0058ed4d1 )
com.qjkcaktam.wyfyzisfa6b2a2579bdaac9ee796d274bd4ad530fTrojan ( 0053b5f91 )
com.doporuyobore.yikago629f602e284543cc3f355c6c98128574Trojan ( 005572801 )
com.iijyzgtwg.oikklnflwb58a906419cbe4f7d02a44467d2069f8Trojan ( 0053b5f91 )
com.catajuhufepusuwo.xenonomefc876e95f893bf66a5c22f20eceb62ceTrojan ( 0058fc031 )
com.jfufkgjcu.kntchyhax196e0290f33455c95a2ee0064ce4d8d8Trojan ( 0053b5f91 )

C2 mentioned in settings.xml


Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Rusty Droid: Under the Hood of a Dangerous Android RAT”