Android spyware Dracarys spread via trojanised messaging app

August 16, 2022

Further details have been shared about the recently identified Android spyware dubbed ‘Dracarys’, which the Bitter APT (advanced persistent threat) group uses in campaigns against several countries, including India, Pakistan, New Zealand and the UK.

Meta first described the Dracarys Android spyware and some of its capabilities in its Q2 2022 Adversarial Threat Report. Security researchers have since released a technical report giving a more detailed account of this threat as it spreads in the wild.

In its threat report, Meta confirmed that the spyware was found in fake versions of several social apps, including WhatsApp, YouTube and Telegram. The researchers’ report showed that Dracarys was also injected into a trojanised version of the Signal messaging application.

The threat operators spread the Dracarys Android spyware through a fake Signal download website rather than an app store.

Because the legitimate Signal app is open source, the threat actors were able to compile a look-alike build that retains Signal’s working features and functionality. The catch is that this build also carries the Dracarys malware in its code, targeting anyone who downloads it from the fake site.

On installation, the app asks for permission to access the contact list, SMS inbox, camera, microphone, storage, call logs and location. Most users grant these requests, since they are the same permissions a genuine messaging app would ask for, so the permission prompts alone give no obvious warning.

The researchers added that Dracarys extends its reach by abusing Android’s Accessibility Service (access that the user must first enable under the device’s Accessibility settings). Once enabled, the malware can auto-accept further permission prompts and keep running in the background without user interaction.
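Because the requested permissions match those of a real messenger, the stronger static signal in a sample like this is the combination of that broad permission set with a declared accessibility service. The following is an added triage script, not code from the article or from the researchers’ report, that scans a decoded AndroidManifest.xml (as produced by apktool; the binary manifest inside an APK must be decoded first) for exactly that combination. The sample manifests are constructed for illustration and are not Dracarys’ real manifest; the package name, service name and the threshold of five permission families are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{" + ANDROID_NS + "}"  # prefix for android:* attributes in ElementTree

# Permission families the article says the trojanised Signal build requests.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}

# A service that binds as an accessibility service must declare this permission
# and answer this intent action; both are fixed by the Android framework.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Assumed threshold: five or more distinct surveillance families plus an
# accessibility service is treated as worth a closer look.
FAMILY_THRESHOLD = 5


def triage_manifest(xml_text):
    """Return which surveillance families and accessibility services a manifest declares."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    families = {SURVEILLANCE_PERMISSIONS[p] for p in perms if p in SURVEILLANCE_PERMISSIONS}

    accessibility_services = []
    for svc in root.iter("service"):
        if svc.get(A + "permission") != ACCESSIBILITY_PERMISSION:
            continue
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(svc.get(A + "name"))

    return {
        "package": root.get("package"),
        "families": families,
        "accessibility_services": accessibility_services,
        "suspicious": len(families) >= FAMILY_THRESHOLD and bool(accessibility_services),
    }


# Constructed sample: a hypothetical trojanised messenger with broad permissions
# and a hidden accessibility service (package and service names are made up).
SAMPLE_TROJANISED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.messenger">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application>
        <service android:name=".SyncService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: an ordinary app with a few permissions and no accessibility service.
SAMPLE_BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.camera">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application>
        <service android:name=".UploadService"/>
    </application>
</manifest>
"""


if __name__ == "__main__":
    for name, xml in (("trojanised", SAMPLE_TROJANISED_MANIFEST), ("benign", SAMPLE_BENIGN_MANIFEST)):
        result = triage_manifest(xml)
        print(name, result["package"], sorted(result["families"]),
              result["accessibility_services"], "SUSPICIOUS" if result["suspicious"] else "ok")
```

This is a triage heuristic, not a detection signature: legitimate screen readers and automation tools also declare accessibility services, and a genuine Signal build requests most of the same permissions. A hit should trigger comparison of the APK’s signing certificate and code against the official release, not an automatic verdict.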

Dracarys collects a range of data, including the user’s contact list, SMS messages, files, the list of installed apps, location and call logs. Beyond stealing stored data, it can also take screenshots and record audio, and it uploads everything it collects to a command-and-control (C2) server.

Installing apps only from official app stores such as the Google Play Store remains the recommended defence: a Signal build offered from a third-party download site, however functional it appears, should be treated as suspect. Reading other users’ reviews and ratings before installing also helps.
