{
	"id": "3d0efc77-29db-4fba-b7d7-833d92db111a",
	"created_at": "2026-04-06T00:16:41.112332Z",
	"updated_at": "2026-04-10T13:11:31.350362Z",
	"deleted_at": null,
	"sha1_hash": "4c3a87056018080d4b258ed908334803f8abc3d4",
	"title": "DAAM Botnet Spread via Trojanized Android Apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2644620,
	"plain_text": "DAAM Botnet Spread via Trojanized Android Apps\r\nBy cybleinc\r\nPublished: 2023-04-20 · Archived: 2026-04-05 22:44:21 UTC\r\nCyble Research \u0026 Intelligence labs analyzes Trojanized Android applications being used to distribute DAAM Android\r\nbotnet.\r\nBotnet With Ransomware And Data Theft Capabilities\r\nIn recent years, the widespread use of Android devices has made them a prime target for cybercriminals. Android botnet is a\r\ncommon malware type that cybercriminals use to gain access to targeted devices. These devices can be controlled remotely\r\nto carry out various malicious activities.\r\nCyble Research \u0026 Intelligence Labs (CRIL) recently analyzed an Android Botnet shared by MalwareHunterTeam. The\r\nmentioned malicious sample is the Trojanized version of the Psiphon application and identified as DAAM Android Botnet,\r\nwhich provides below features:\r\nSee Cyble in Action\r\nWorld's Best AI-Native Threat Intelligence\r\nKeylogger\r\nRansomware\r\nVOIP call recordings\r\nExecuting code at runtime\r\nCollects browser history\r\nRecords incoming calls\r\nSteals PII data\r\nOpens phishing URL\r\nCapture photos\r\nSteal clipboard data\r\nSwitch WiFi and Data status\r\nhttps://blog.cyble.com/2023/04/20/daam-android-botnet-being-distributed-through-trojanized-applications/\r\nPage 1 of 12\n\nThe DAAM Android botnet provides an APK binding service wherein a Threat Actor (TA) can bind malicious code with a\r\nlegitimate app. 
CRIL analyzed an APK file named PsiphonAndroid.s.apk with the hash value “184356d900a545a2d545ab96fa6dd7b46f881a1a80ed134db1c65225e8fa902b”, which contains DAAM botnet malicious code bound to a legitimate Psiphon application.\r\nThe malware connects to the Command and Control (C\u0026C) server hxxp://192.99.251[.]51:3000, and the figure below shows the DAAM Android botnet admin panel.\r\nFigure 1 – Admin panel of DAAM Android botnet\r\nThe same C\u0026C server is also present in various other malicious applications, some of which were first identified in August 2021. This indicates that the DAAM Android botnet has been operational since 2021 and has been constantly targeting Android users.\r\nFigure 2 – C\u0026C server present in several malicious applications\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: Psiphon\r\nPackage Name: com.psiphon3\r\nSHA256 Hash: 184356d900a545a2d545ab96fa6dd7b46f881a1a80ed134db1c65225e8fa902b\r\nThe figure below shows the metadata information of the application.\r\nFigure 3 – Application metadata information\r\nInitially, the malware establishes a socket connection and communicates with the C\u0026C server at hxxp://192.99.251[.]51:3000 to obtain commands for carrying out a range of malicious activities, as depicted in the figures below.\r\nFigure 4 – Socket connection\r\nFigure 5 – Malware receiving commands\r\nThe DAAM Android botnet provides various command operations, which are explained below:\r\nKeylogger:\r\nThe malware uses the Accessibility Service to monitor the user’s activity. 
It saves the captured keystrokes along with the application’s package name into a database, as shown in the figure below.\r\nFigure 6 – Keylogger activity\r\nRansomware:\r\nThe DAAM botnet provides a Ransomware module that leverages the AES algorithm to encrypt and decrypt files on the infected device. It retrieves the password required for encryption and decryption from the C\u0026C server. The malware also saves a ransom note in the “readme_now.txt” file.\r\nThe Ransomware activity is illustrated in the figures below.\r\nFigure 7 – Ransomware encryption and decryption module\r\nFigure 8 – Receiving the password from the C\u0026C server and writing the ransom message into a readme_now.txt file\r\nVOIP call Recordings:\r\nThe DAAM botnet exploits the Accessibility service to monitor the components of social media applications such as WhatsApp, Skype, Telegram, and many others that are responsible for VOIP calls. If the user interacts with any of the below-mentioned components, the malware initiates audio recording.\r\nBelow is the list of components targeted by the DAAM botnet:\r\ncom.whatsapp.VoipActivity\r\ncom.whatsapp.VoipActivityV2\r\ncom.whatsapp.voipcalling.VoipActivityV2\r\ncom.bbm.ui.voice.activities.InCallActivity\r\ncom.bbm.ui.voice.activities.InCallActivityNew\r\ncom.bbm.ui.voice.activities.IncomingCallActivityNew\r\ncom.turkcell.bip.voip.call.InCallActivity\r\ncom.turkcell.bip.voip.call.IncomingCallActivity\r\nim.thebot.messenger.activity.chat.AudioActivity\r\nim.thebot.messenger.activity.chat.VideoActivity\r\nim.thebot.messenger.voip.ui.AudioCallActivity\r\nim.thebot.messenger.voip.ui.VideoCallActivity\r\ncom.facebook.mlite.rtc.view.CallActivity\r\ncom.facebook.rtc.activities.WebrtcIncallActivity\r\ncom.facebook.rtc.activities.WebrtcIncallFragmentHostActivity\r\ncom.google.android.apps.hangouts.hangout.HangoutActivity\r\ncom.google.android.apps.hangouts.elane.CallActivity\r\ncom.bsb.hike.voip.view.VideoVoiceActivity\r\ncom.imo.android.imoim.av.ui.AudioActivity\r\ncom.imo.android.imoim.av.ui.AVActivity\r\ncom.kakao.talk.vox.activity.VoxFaceTalkActivity\r\ncom.kakao.talk.vox.activity.VoxVoiceTalkActivity\r\ncom.linecorp.linelite.ui.android.voip.FreeCallScreenActivity\r\njp.naver.line.android.freecall.FreeCallActivity\r\ncom.linecorp.voip.ui.freecall.FreeCallActivity\r\ncom.linecorp.voip.ui.base.VoIPServiceActivity\r\nru.mail.instantmessanger.flat.voip.CallActivity\r\nru.mail.instantmessanger.flat.voip.IncallActivity_\r\norg.telegram.ui.VoIPActivity\r\ncom.microsoft.office.sfb.activity.call.IncomingCallActivity\r\ncom.microsoft.office.sfb.activity.call.CallActivity\r\ncom.skype.m2.views.Call\r\ncom.skype.m2.views.CallScreen\r\ncom.skype.android.app.calling.PreCallActivity\r\ncom.skype.android.app.calling.CallActivity\r\ncom.Slack.ui.CallActivity\r\ncom.sgiggle.call_base.CallActivity\r\ncom.enflick.android.TextNow.activities.DialerActivity\r\ncom.viber.voip.phone.PhoneFragmentActivity\r\ncom.vonage.TimeToCall.Activities.InCall\r\ncom.vonage.TimeToCall.Activities.CallingIntermediate\r\ncom.tencent.mm.plugin.voip.ui.VideoActivity\r\nFigure 9 – Starting VOIP call recording\r\nCollecting Browser History:\r\nThe malware can gather bookmarks and browsing history stored on the target device and send them to the C\u0026C server, as depicted below.\r\nFigure 10 – Stealing Browser history\r\nExecuting code at runtime:\r\nThe malware can execute code at runtime using DexClassLoader after receiving the method name, class name, and URL from the C\u0026C server. 
The malware communicates with the received URL to fetch the parameters of the targeted method, which is responsible for executing other malicious activities. The dynamic code runner module is illustrated in the image below.\r\nFigure 11 – Running dynamic code\r\nStealing PII data:\r\nIn addition to the functionalities mentioned above, the DAAM botnet gathers Personally Identifiable Information (PII) from the infected device, including but not limited to contacts, SMS messages, call logs, files, basic device details, and location data.\r\nFigure 12 – Collecting call logs\r\nFigure 13 – Collecting basic device information\r\nFigure 14 – Collecting SMSs\r\nFigure 15 – Stealing location\r\nOpening URL:\r\nThe malware can receive a phishing URL from the C\u0026C server and then load it into a WebView component to steal the victim’s login information. 
The TA can use this feature to launch a social engineering attack by sending a phishing URL of their choice from the C\u0026C panel.\r\nFigure 16 – Opening Phishing URL\r\nCollecting Screenshots:\r\nThe code in the image below is used by the malware to steal screenshots stored at the external storage path “/Pictures/Screenshots” of an infected device and send them to the C\u0026C server.\r\nFigure 17 – Collecting screenshots\r\nCapturing Photos:\r\nAdditionally, the malware captures pictures by opening the camera of the victim’s device upon receiving a command from the admin panel, and subsequently sends the pictures to the C\u0026C server.\r\nFigure 18 – Capturing photos\r\nIn addition to the main functionalities mentioned earlier, the DAAM botnet can carry out additional tasks such as switching WiFi and data, showing random toasts, and collecting clipboard data.\r\nConclusion\r\nMalware authors often leverage genuine applications to distribute malicious code to avoid suspicion. The DAAM Android botnet also provides a similar APK binding service where a TA can bind malicious code with a legitimate APK to appear genuine.\r\nDetailed analysis of the DAAM Android botnet indicates that it offers several intriguing capabilities, such as Ransomware, runtime code execution, and a Keylogger, among others. Although relatively few samples have been identified so far, based on the malware’s capability, it may target a wide number of users in the coming days.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. 
We recommend that our readers follow the best practices given below:\r\nDownload and install software only from official app stores like the Google Play Store or the iOS App Store.\r\nUse a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.\r\nNever share your card details, CVV number, card PIN, or net banking credentials with an untrusted source.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device wherever possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nInitial Access T1476 Deliver Malicious App via Other Means\r\nInitial Access T1444 Masquerade as a Legitimate Application\r\nCollection T1433 Access Call Log\r\nCollection T1432 Access Contact List\r\nCollection T1429 Capture Audio\r\nCollection T1512 Capture Camera\r\nCollection T1414 Capture Clipboard Data\r\nDiscovery T1418 Application Discovery\r\nPersistence T1402 Broadcast Receivers\r\nCollection T1412 Capture SMS Messages\r\nImpact T1471 Data Encrypted for Impact\r\nCollection T1533 Data from Local System\r\nCollection T1417 Input Capture\r\nIndicators of Compromise (IOCs)\r\nSource: https://blog.cyble.com/2023/04/20/daam-android-botnet-being-distributed-through-trojanized-applications/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2023/04/20/daam-android-botnet-being-distributed-through-trojanized-applications/"
	],
	"report_names": [
		"daam-android-botnet-being-distributed-through-trojanized-applications"
	],
	"threat_actors": [],
	"ts_created_at": 1775434601,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4c3a87056018080d4b258ed908334803f8abc3d4.pdf",
		"text": "https://archive.orkl.eu/4c3a87056018080d4b258ed908334803f8abc3d4.txt",
		"img": "https://archive.orkl.eu/4c3a87056018080d4b258ed908334803f8abc3d4.jpg"
	}
}