{
	"id": "cce1e682-a0a9-4bf8-a193-9cb8295d2e5b",
	"created_at": "2026-04-06T00:12:28.109129Z",
	"updated_at": "2026-04-10T03:38:06.454879Z",
	"deleted_at": null,
	"sha1_hash": "36688cbc1d21a67840563687676604ce64f89eb4",
	"title": "Fake AV Investigation Unearths KevDroid, New Android Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 300006,
	"plain_text": "Fake AV Investigation Unearths KevDroid, New Android Malware\r\nBy Paul Rascagneres\r\nPublished: 2018-04-02 · Archived: 2026-04-05 19:09:03 UTC\r\nMonday, April 2, 2018 11:48\r\nThis blog post is authored by Warren Mercer, Paul Rascagneres and Vitor Ventura, with contributions from\r\nJungsoo An.\r\nSummary\r\nSeveral days ago, EST Security published a post concerning a fake antivirus\r\nmalware targeting the Android mobile platform. In the Korean media, it was\r\nmentioned that there could be a link between this Android malware and Group\r\n123. Talos decided to investigate this malware, and due to our reporting and\r\nhistory of following Group 123, we discovered some interesting elements.\r\nTalos identified two variants of an Android Remote Administration Tool (RAT). Both samples have the same\r\ncapabilities — namely to steal information on the compromised device (such as contacts, SMS and phone history)\r\nand record the victim's phone calls. One variant uses a known Android exploit (CVE-2015-3636) in order to get\r\nroot access on the compromised Android device. The data of both variants was sent using an HTTP POST to a\r\nsingle command and control (C2) server. The ability to record calls was implemented based on an open-source\r\nproject available on GitHub. We named this malware \"KevDroid.\"\r\nhttps://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html\r\nPage 1 of 8\n\nAnother RAT (this time targeting Windows) was identified hosted on the command and control server in use by\r\nKevDroid. This malware specifically uses the PubNub platform as its C2 server. PubNub is a global data stream\r\nnetwork (DSN). The attackers use the PubNub API in order to publish orders to the compromised systems. This\r\nbehaviour explains why we named it \"PubNubRAT.\"\r\nAt this time, we cannot identify a link between these samples and the Group 123 sample. 
We only identified a\r\nbundle of tactics, techniques and procedural elements that were too weak to establish a real link.\r\nAndroid Malware: KevDroid\r\nVariant 1\r\nThe first variant of KevDroid is the smaller sample, and is similar to the sample described by EST\r\nSecurity. We chose to call it KevDroid due to the Android author tag reading as \"Kevin,\" and\r\nsome other artifacts referencing the name \"Kevin.\" It is based on the aykuttasil project. The\r\npurpose of this project is to provide a library to record phone calls made on Android devices. The\r\nattacker kept the original name in the malware:\r\nThe purpose of the application is to steal information stored on the device. Here is the list of stolen information:\r\nInstalled applications\r\nPhone number\r\nPhone Unique ID\r\nLocation (the application tries to switch on the GPS); this information is collected every 10 seconds, which\r\nis aggressive for this kind of spying tool\r\nStored contacts information (name, phone numbers, emails, photos, etc.)\r\nStored SMS\r\nCall logs\r\nStored emails\r\nPhotos\r\nRecording calls\r\nIf an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could\r\nresult in a multitude of issues for the victim. The social aspect of a mobile device results in a large amount of data\r\nresiding on the device. This can be sensitive data, such as photographs, passwords, banking information or material\r\nuseful for social engineering. This could result in the leakage of data, which could lead to a number of things, such as the\r\nkidnapping of a loved one, blackmail by using images or information deemed secret, credential harvesting, multi-factor\r\ntoken access (SMS MFA), banking/financial implications and access to privileged information, perhaps via\r\nemails/texts. Many users access their corporate email via mobile devices. 
This makes cyber espionage\r\na potential outcome for KevDroid.\r\nThe APK sample was identified at the following URL during March 2018:\r\nhxxp://cgalim[.]com/admin/hr/1.apk\r\nThe stealer exfiltrates data to the same server at the following URL:\r\nThe APK package was named \"Update,\" and the installation icon is the Droid logo:\r\nVariant 2\r\nThe second variant of KevDroid is larger than the previous sample we discovered, and was\r\nlocated at the same URL in February 2018. This sample was named \"PU,\" and the icon logo was\r\nempty. The architecture of the malware is slightly different from the previous version. For\r\nexample, this variant uses SQLite databases to store data.\r\nThe variant contains the same features as the previous version, with some additions:\r\nCamera recording\r\nAudio recording\r\nWeb history stealing\r\nFile stealing\r\nRoot access on the device\r\nThe last feature is performed by an ELF file embedded in the APK. The file is named \"POC\" and supports 32-bit\r\nversions of the operating system. It attempts to exploit the device using CVE-2015-3636 with the code available on\r\nGitHub. The purpose is to obtain root permissions on the compromised device. By obtaining root permissions\r\non the device, the malware has effectively obtained higher privileges, allowing it to perform more in-depth actions\r\n(such as getting files from other applications). 
This is a common technique that malware uses to run without user interaction\r\nor a prompt, and to remain stealthy.\r\nThe C2 server is the same as previously mentioned:\r\nWindows Malware: PubNubRAT\r\nMalware Samples\r\nWe discovered a Windows binary on the server at the following URL:\r\nhxxp://cgalim[.]com/admin/hr/hr.doc\r\nThe purpose of this binary is to download additional files:\r\nhxxp://ebsmpi[.]com/ipin/360/Ant_4.5.exe\r\nhxxp://ebsmpi[.]com/ipin/360/Ant_3.5.exe\r\nhxxp://ebsmpi[.]com/ipin/360/desktops.ini\r\nWe found an additional sample that downloads the same files from our original server:\r\nhxxp://cgalim[.]com/admin/1211me/Ant_4.5.exe\r\nhxxp://cgalim[.]com/admin/1211me/Ant_3.5.exe\r\nhxxp://cgalim[.]com/admin/1211me/desktops.ini\r\nThe downloaded executables are RATs developed in .NET, and the desktops.ini file is the configuration file\r\n(XOR'd with key 0x17). The malware uses a public service, PubNub, as its C2 server. Here is the\r\ndecoded configuration containing the attacker's tokens and the URL:\r\nps.pndsn.com\r\nProcess\r\nsub-c-2199cb5c-f20a-11e7-acf8-26f7716e5467\r\npub-c-cdb76f31-abb8-4c47-aed3-d8c1de7bf5e6\r\nsec-c-ZjM3MTY1ZWMtNjg4OS00MzJjLTlkZjgtZGQzN2EzOGI4MDU1\r\ncip-c-Awwqe1wwas12312w\r\n9919\r\nThe attackers use the PubNub API in order to send orders to the infected systems. Here is the list of commands:\r\nThe malware is able to steal files, download files, execute commands, kill processes and create screenshots (stored\r\nin the tmp0120.ini file).\r\nUsing legitimate services is always challenging for defenders. 
It's hard to identify malicious communications\r\nhidden in legitimate network flows (especially if the requests use encryption via HTTPS).\r\nWe noticed some amusing content within the PubNubRAT sample:\r\nHaizi means child in Chinese. This string obviously does not mean that the malware was developed by a Chinese\r\nauthor; rather, it is a message sent to the analyst. As we mentioned in our Olympic Destroyer post, false\r\nflags can be used by attackers to manipulate analysts. A single string like this can be such a flag.\r\nInfection Vector: Bitcoin \u0026 China\r\nThe first executable was downloaded and executed from an RTF document named bitcoin-trans.doc:\r\nThe RTF document contains an embedded Microsoft Equation object. This object exploits the vulnerability\r\nCVE-2017-11882 in order to download and execute the hr.doc file mentioned previously.\r\nThe document is written in Korean. It describes the quantity of Bitcoin owned by China and explains how China\r\nhandles Bitcoin. It mentions the current status of Bitcoin transactions and some insights on the value of Bitcoin.\r\nConclusion\r\nOriginally, Talos took the time to investigate this malware due to its potential link\r\nto Group 123. As described above, we do not have a strong link between the two\r\nmalware samples and Group 123. The TTP overlaps are tenuous — using public\r\ncloud infrastructure as a C2 server is something other malware has used before as\r\na technique, not just Group 123. Additionally, the C2 server is hosted in Korea,\r\nand this malware has been known to target Korean users. However, this\r\ninformation cannot lead us to a strong link. 
Nonetheless, we did discover some\r\nnew Android-based malware and some Windows-based malware attempting to\r\nsteal information and control infected systems. These samples are not documented\r\nand not widely used, but we hope that this post will highlight campaigns\r\nperformed by this actor.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with\r\nthis threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nKevDroid:\r\nURL: hxxp://cgalim[.]com/admin/hr/1.apk\r\nC2: hxxp://cgalim[.]com/admin/hr/pu/pu.php\r\nPubNubRAT:\r\nURL:\r\nhxxp://cgalim[.]com/admin/hr/hr.doc\r\nhxxp://ebsmpi[.]com/ipin/360/Ant_4.5.exe\r\nhxxp://ebsmpi[.]com/ipin/360/Ant_3.5.exe\r\nhxxp://ebsmpi[.]com/ipin/360/desktops.ini\r\nSource: https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html"
	],
	"report_names": [
		"fake-av-investigation-unearths-kevdroid.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434348,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36688cbc1d21a67840563687676604ce64f89eb4.pdf",
		"text": "https://archive.orkl.eu/36688cbc1d21a67840563687676604ce64f89eb4.txt",
		"img": "https://archive.orkl.eu/36688cbc1d21a67840563687676604ce64f89eb4.jpg"
	}
}