{
	"id": "ad69fab4-fa6e-4977-b1cc-f0a265738673",
	"created_at": "2026-04-06T00:14:36.987104Z",
	"updated_at": "2026-04-10T03:19:57.761263Z",
	"deleted_at": null,
	"sha1_hash": "70d27e0618c1e3860ce441d8978bdf8d82791805",
	"title": "Oscorp evolves into UBEL: an advanced Android malware spreading across the globe",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7069132,
	"plain_text": "Oscorp evolves into UBEL: an advanced Android malware spreading across the globe\r\nBy Federico Valentini, Francesco Iubatti\r\nArchived: 2026-04-05 16:36:14 UTC\r\nKey Points\r\nBack in February 2021 a smishing campaign was detected distributing Oscorp, a new Android malware at that time. The main goal of that campaign was stealing funds from the victims' home banking service by combining the usage of phishing kits and vishing calls.\r\nOscorp has been developed to attack multiple financial targets (both banks and cryptocurrency apps) and its main features are the following:\r\no   Ability to send/intercept/delete SMS and make phone calls\r\no   Ability to perform Overlay Attacks for more than 150 mobile applications\r\no   VNC feature through WebRTC protocol and Android Accessibility Services\r\no   Enabling key logging functionalities\r\nOnce Oscorp is successfully installed on the victim's device, it enables Threat Actors (TAs) to remotely connect to it via the WebRTC protocol. In some cases, we found a specific Threat Actor (TA) leveraging fake bank operators to persuade victims over the phone while performing unauthorized bank transfers in the background.\r\nAfter an apparent stop of the initial activities, during May 2021, new Oscorp samples were found in the wild with some minor changes; at the same time, on multiple hacking forums, a new Android botnet known as UBEL started being promoted.\r\nWe found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source code appears to be shared between multiple TAs.\r\nOverview\r\nAt the end of January 2021, a new Android malware started appearing and it was dubbed Oscorp [1]. During February 2021, a new version of Oscorp was detected by Cleafy systems and after a couple of hours a first incident related to this threat was reported to us.\r\nThanks to the data retrieved plus an in-depth technical analysis of the distributed Oscorp samples we were able to reconstruct the detailed chain of events and share all the methodologies used by a specific TA for conducting bank frauds via ATO (Account Takeover fraud).\r\nThe following list includes some of the high-level indicators we extracted in our recent analysis:\r\nhttps://www.cleafy.com/cleafy-labs/ubel-oscorp-evolution\r\nPage 1 of 16\n\no   EU retail banks appear to be among the targets of this specific TA, and multiple incidents have already been confirmed. Since the list of targets also includes banks and financial institutions from US, JP, AU (see the affected countries in Appendix 4) we don’t exclude that other local TAs might be using the same attack vector (Oscorp) to carry out other malicious activities.\r\no   Phishing campaigns were distributed via SMS messages (smishing), a common tactic nowadays for retrieving valid credentials and phone numbers.\r\no   A fake bank operator conducts attacks in real time by persuading victims over the phone (vishing), a common tactic typically used for bypassing multi-factor authentication (e.g. OTP codes).\r\no   Oscorp appears to be distributed by this TA for gaining full remote access to the infected mobile device and performing unauthorized bank transfers from the infected device itself, drastically reducing their footprint since a new device enrollment is not required in this scenario.\r\no   Instant Payments appear to be the most popular cash-out mechanism, mainly routed through a network of money mules. We don’t exclude other cash-out mechanisms (e.g. virtual card generation, prepaid card recharge, card-less ATM, etc.) since those services are quite common on modern retail banking services.\r\nThe following image shows the timeline of captured events describing how this TA managed to retrieve valid banking credentials via smishing and successfully deliver Oscorp to the victim device for performing an ATO fraud scenario directly from the infected device:\r\nFigure 1 – Timeline of events retrieved from this new Oscorp campaign\r\nMoving to the malware internals, we were able to extract multiple features of Oscorp which are mainly achieved by abusing the Android Accessibility Services, a well-known technique used by other families as well (e.g. Anubis, Cerberus/Alien, TeaBot [2], etc.).\r\nThe following snippet of code contains all the remote commands found in the Oscorp source code:\r\nFigure 2 – List of Oscorp commands\r\nAll the commands are encrypted through an AES routine, a well-known technique used by malware authors for slowing down analysts.\r\nThe complete list of commands found in Oscorp is available in Appendix 1.\r\n
Oscorp evolves into UBEL\r\nAfter an apparent stop of the initial activities, during May/June 2021, new Oscorp samples were found in the wild with some minor changes; at the same time, on multiple hacking forums, a new Android botnet known as UBEL started being promoted.\r\nBy analyzing some related samples, we found multiple indicators linking Oscorp and UBEL to the same malicious codebase, suggesting a fork of the same original project or just a rebrand by other affiliates, as its source code appears to be shared between multiple TAs.\r\nFigure 3 – UBEL private Android botnet threads found on multiple hacking forums\r\nFigure 4 – Video demo of UBEL botnet and its C2 interaction\r\nAfter a couple of weeks, we also noticed that multiple UBEL clients started accusing the TA of scamming, as it appeared not to work on some specific Android devices, contrary to what the TA claimed initially.\r\nOne of those clients, after some debate, released some videos as proof of its claims without properly anonymizing them, exposing a valid C2 address, as shown:\r\nFigure 5 – Oscorp sample communicating with omegabots[.xyz\r\nAnother interesting link between Oscorp and UBEL is the “bot id” string format, which consists of an initial “RZ-” substring followed by some random alphanumeric characters, as shown in another demo video posted online:\r\nFigure 6 – Same “bot id” string prefix “RZ-” shared between Oscorp and UBEL\r\nAlso, on those newer Oscorp samples (linked to UBEL) we were able to identify different API endpoints and different AES keys compared to the initial waves spotted at the very beginning of 2021, which will be described in the next section.\r\nFigure 7 – Some new C2 paths used by UBEL\r\n
Static Analysis\r\nThe following image shows a snippet of the AndroidManifest file:\r\nFigure 8 – List of permissions declared in the AndroidManifest.xml file\r\nIn the following table we included the most interesting permissions requested by Oscorp for getting access to restricted parts of the Android system (e.g. READ_SMS, SEND_SMS) or other legitimate applications (e.g. BIND_ACCESSIBILITY_SERVICE):\r\no   SYSTEM_ALERT_WINDOW: Allows an app to create windows shown on top of all other apps. Very few apps should use this permission; these windows are intended for system-level interaction with the user. Oscorp uses this permission during the installation phase to force the user to accept the Accessibility permission.\r\no   RECORD_AUDIO: Allows an app to record audio\r\no   READ_SMS: Allows an app to read SMS messages\r\no   SEND_SMS: Allows an app to send SMS messages\r\no   RECEIVE_SMS: Allows an app to receive SMS messages\r\no   REQUEST_INSTALL_PACKAGES: Allows an application to request installing packages\r\no   REQUEST_DELETE_PACKAGES: Allows an application to request deleting packages\r\no   RECEIVE_BOOT_COMPLETED: Allows an app to launch itself automatically after system boot. Oscorp uses this permission to achieve persistence on the device and run in the background as an Android service.\r\no   BIND_ACCESSIBILITY_SERVICE: “Accessibility services should only be used to assist users with disabilities in using Android devices and apps. They run in the background and receive callbacks by the system when AccessibilityEvents are fired. Such events denote some state transition in the user interface, for example, the focus has changed, a button has been clicked, etc. Such a service can optionally request the capability for querying the content of the active window.” [3] However, Oscorp abuses this permission to observe and retrieve information on the compromised device.\r\nOscorp implements a couple of techniques to slow down static analysis, such as:\r\no   all the strings are obfuscated using an open-source implementation [4], but some strings (e.g. bot’s commands, API endpoints, etc.) are also encrypted with AES and base64 encoding.\r\no   network communication between Oscorp and the C2 is encrypted using only the AES algorithm and base64 encoding on top of regular HTTP(S).\r\nFigure 9 – Oscorp encryption routine\r\nMoreover, string obfuscation appears to be introduced only on certain samples of Oscorp [5], sharing the same routine used by Cabassous (Flubot), another Android banking malware.\r\nFigure 10 – Comparing encryption routines of Oscorp and Cabassous\r\nFigure 11 – Network traffic encryption routines (AES algorithm)\r\n
WebRTC – Web Real-Time Communication\r\n“WebRTC (Web Real-Time Communication) is a free, open-source project providing web browsers and mobile applications with real-time communication (RTC) via simple application programming interfaces (APIs). It allows audio and video communication to work inside web pages by allowing direct peer-to-peer communication, eliminating the need to install plugins or download native apps. The technologies behind WebRTC are implemented as an open web standard and available as regular JavaScript APIs in all major browsers. For native clients, like Android and iOS applications, a library is available that provides the same functionality.” [6]\r\nWe assume that Oscorp integrated WebRTC for achieving real-time interaction with the compromised device, combined with the abuse of Android Accessibility Services, bypassing the need for a “new device enrollment” to perform an Account Takeover (ATO) scenario.\r\nIn fact, the authors named this feature ‘Reverse VNC’ (or RPM) on their C2 web panel, since a reverse connection is necessary for bypassing NAT or firewall restrictions, and live interaction with the device can be achieved via Android Accessibility Services.\r\nFigure 12 – ‘Reverse VNC’ function which enables WebRTC remote connection\r\nThe main goal for this TA in using this feature is to avoid a “new device enrollment”, thus drastically reducing the possibility of being flagged as suspicious, since the device’s fingerprinting indicators are well known from the bank’s perspective.\r\nFigure 13 – Views of the UBEL C2 panel during a “Reverse VNC/RPM” attack\r\n
Dynamic Analysis\r\nWhen the malicious application has been downloaded on the device, it tries to be installed as an “Android Service”, which is an application component that can perform long-running operations in the background. This feature is abused by Oscorp to silently hide itself from the user once installed, also preventing detection and ensuring its persistence.\r\nDuring some campaigns spotted early in 2021, they switched the name of the malicious application from “Android System” to the “Protezione Clienti” app (Figure 15):\r\nFigure 14 – Screenshots taken during the installation phase of Oscorp\r\nFigure 15 – Application names used by Oscorp\r\nAfter the installation as “Android Service”, Oscorp will request the following permissions, which are mandatory to perform its malicious behavior:\r\no   Observe your actions: used to intercept and observe the user’s actions.\r\no   Retrieve window content: used to retrieve sensitive information such as login credentials, SMS, two-factor authentication (2FA) codes from authenticators, etc.\r\no   Perform arbitrary gestures: Oscorp uses this feature to accept different kinds of permissions immediately after the installation phase, for example the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission popup, but also to perform different actions during the interaction with the compromised device through the WebRTC protocol.\r\nFigure 16 – List of Android permissions requested by Oscorp from the user\r\nOnce the requested permissions have been accepted, the malicious application will remove its icon from the device, and it immediately starts communicating with its C2 server in the background.\r\nNetwork communications performed by Oscorp to its C2 server are encrypted with the AES algorithm, and at the very first it tries to send all the overall information of the newly infected device, such as vendor, public IP address, list of the installed apps, SMS messages, actions performed by the user, etc.\r\nThe next figure is an example of a communication intercepted between Oscorp and its C2 server where the list of all the installed applications was sent:\r\nFigure 17 – Example of network communication intercepted between Oscorp and its C2 server\r\nOscorp can also abuse the Android Accessibility Services to capture and retrieve whatever is on the screen of the device, for example:\r\no   2FA codes (e.g. OTP) generated by banking applications during login authentication and while signing new bank transfers (e.g. instant payments, SEPA transfers, etc.)\r\no   Intercepting notifications and SMS messages\r\no   Performing Overlay attacks (described in Appendix 2)\r\no   Enabling full interaction with the infected device (e.g. sending arbitrary clicks on screen, opening arbitrary applications already installed, etc.)\r\nThe following figure shows how a newly received SMS will be intercepted by Oscorp and sent back to the designated C2 server:\r\nFigure 18 – Example of SMS intercepted by Oscorp\r\n
Appendix\r\nAppendix 1: list of bots’ commands\r\nBelow is the summary list of all the bot commands found on Oscorp:\r\no   toast: Show simple feedback about an operation in a small popup.\r\no   send_message: Send an SMS message\r\no   stock_injection: Save the injections (phishing HTML payload) provided by the C2 in the Jedi/Injections.txt file\r\no   forward_call: Call forwarding through the code *21* + number + ##\r\no   run_application: Run an application\r\no   enab_sil: Mute the device (set the volume level of the device to 0)\r\no   switch_sms: Change the default SMS application to Oscorp (through android.provider.Telephony.ACTION_CHANGE_DEFAULT)\r\no   remove_injection: Remove an injection\r\no   2FA: Launch the Google 2FA app (then Oscorp is able to steal the codes abusing the Accessibility service)\r\no   make_call: Perform a call to someone\r\no   dev_admin: Set itself as admin app\r\no   run_ussd: Allows itself to initiate a phone call without going through the Dialer user interface for the user to confirm the call\r\no   block: Save the apps to be blocked in Jedi/block.txt and start MyService\r\no   launch_url: Launch a URL\r\no   fetch_applications: Get the list of installed apps\r\no   delete_message: Remove an SMS\r\no   delete_application: Remove an application\r\no   batt_opt: Insert the Oscorp app into the list of apps that ignore battery optimization\r\no   url_injection: Start the “ramp” class used to perform video streaming of the screen and audio of the compromised device\r\no   screencap: Start recording audio and video through the WebRTC and STUN protocols (the STUN servers are embedded in the code)\r\n
Appendix 2: Overlay Attack technique\r\n“The Overlay attack is a well-known technique implemented in modern Android banking trojans (e.g. Anubis, Cerberus/Alien) which consists of a malicious application somehow able to perform actions on behalf of the victim. This usually takes the form of an imitation app or a WebView launched “on-top” of a legitimate application (such as a banking app).”\r\nDuring our analysis we were able to extract more than 150 targeted applications.\r\nThe complete list of the geographical distribution of banks and other apps targeted by Oscorp is available in Appendix 4.\r\nFigure 19 – Some payloads used by Oscorp for “Overlay Attacks”\r\nAll the injection payloads, which consist mainly of HTML, CSS and JS files, will be downloaded from the C2 server in a specific directory called _YTrJWNMmHkAPfdWA4QsfPwufCBhpYGbG.\r\nWhen this feature is requested remotely by the TA, if the victim opens one of the targeted applications, it will get the injection payload shown in a WebView launched ‘on top’ of the legitimate application.\r\nFigure 20 – C2 path used to download stock injection payloads for Overlay Attacks\r\nIn addition, analyzing one of the web panels used by this TA, it is also possible to reconstruct this distinction among the different categories of targeted applications, such as:\r\nFigure 21 – Different types of targeted applications (Overlay Attacks)\r\n
Appendix 3: Extracted IOCs\r\nApp names\r\nProtezione Cliente\r\nAndroid System\r\ndeneme\r\nPackage names\r\ncom.cosmos.starwarz\r\ncom.mapwqpdox201q.pla203eoaowpzmka\r\nycpgmsxy.rqhfesas\r\nStock injection path\r\n/_YTrJWNMmHkAPfdWA4QsfPwufCBhpYGbG/LFwbkjNthZk9jDtvADjnS7FyUPcjKPpb_/\r\nAES keys\r\nRHBuUXFEhkrbrHaYIZ6VYH3uNIBRnwTe\r\n8HCTSX7IcbAkItzuS34zaVqUs4dMKSqV\r\nIn addition, the Android Banking Trojan Oscorp/UBEL is already classified and blacklisted in our Threat Intelligence data with the following tags:\r\nASK_BANKER_ANDROID_OSCORP_V1\r\nASK_BANKER_ANDROID_OSCORP_V2\r\n
Appendix 4: Geographical distribution of banks and other apps targeted by Oscorp\r\nFigure 22 – Geographical distribution of banks and other apps targeted by OSCORP\r\n[1] https://cert-agid.gov.it/news/individuato-sito-che-veicola-in-italia-un-apk-malevolo/\r\n[2] https://www.cleafy.com/cleafy-labs/teabot\r\n[3] https://developer.android.com/reference/android/accessibilityservice/AccessibilityService\r\n[4] https://github.com/MichaelRocks/paranoid\r\n[5] Name: “secureapp.apk” MD5: daba8377d281c48c1c91e2fa7f703511\r\n[6] https://webrtc.org/\r\nSource: https://www.cleafy.com/cleafy-labs/ubel-oscorp-evolution",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/ubel-oscorp-evolution"
	],
	"report_names": [
		"ubel-oscorp-evolution"
	],
	"threat_actors": [],
	"ts_created_at": 1775434476,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/70d27e0618c1e3860ce441d8978bdf8d82791805.pdf",
		"text": "https://archive.orkl.eu/70d27e0618c1e3860ce441d8978bdf8d82791805.txt",
		"img": "https://archive.orkl.eu/70d27e0618c1e3860ce441d8978bdf8d82791805.jpg"
	}
}