# Bitter APT group using “Dracarys” Android Spyware

**[blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/](https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/)**

## Android Malware Disguised as a Messaging Application


August 9, 2022


[During our routine threat hunting exercise, Cyble Research Labs came across an article wherein the](https://about.fb.com/news/2022/08/metas-adversarial-threat-report-q2-2022/)
researchers mentioned Bitter APT delivering the Android Spyware “Dracarys.” Bitter aka T-APT-17 is a
well-known Advanced Persistent Threat (APT) group active since 2013 and operates in South Asia. It has
been observed targeting China, India, Pakistan, and other countries in South Asia.

The Bitter APT is actively involved in both desktop and mobile malware campaigns and uses techniques
like spear phishing emails, exploiting known vulnerabilities to deliver Remote Access Trojan (RAT) and
other malware families.

Dracarys Android Spyware impersonates genuine applications such as Signal, Telegram, WhatsApp,
YouTube, and other chat applications and distributes through phishing sites.

During analysis, we observed that one of the phishing sites is still live and distributing Dracarys. The
phishing site mimics the genuine Signal site and delivers a trojanized Signal app.


-----

_Figure 1 – Phishing site which distributes Dracarys malware_
Upon in-depth analysis of the malware, we observed that the Threat Actor (TA) had inserted the malicious
code into the Signal app source code to avoid being detected. The below image showcases the extra
added spyware module “org.zcode.dracarys” in the trojanized version of the Signal App.

_Figure 2 –_

_Comparison of the genuine and trojanized Signal App_


-----

## Technical Analysis

### APK Metadata Information 

App Name: Signal
Package Name: org.thoughtcrime.securesms.app
SHA256 Hash: d16a9b41a1617711d28eb52b89111b2ebdc25d26fa28348a115d04560a9f1003

Figure 3 shows the metadata information of the application.

_Figure 3 – App Metadata Information_

### Manifest Description

The malicious application mentions 24 permissions, of which the TA exploits 10. The harmful permissions
requested by the malware are:

**Permission** **Description**

**READ_CONTACTS** Access phone contacts

**RECEIVE_SMS** Allows an application to receive SMS messages

**READ_SMS** Access phone messages

**CAMERA** Required to access the camera device.

**READ_CALL_LOG** Access phone call logs

**READ_EXTERNAL_STORAGE** Allows the app to read the contents of the device’s external storage

**RECORD_AUDIO** Allows the app to record audio with the microphone, which the
attackers can misuse

**WRITE_EXTERNAL_STORAGE** Allows the app to write or delete files to the external storage of the
device

**CALL_PHONE** Allows an application to initiate a phone call without going through
the Dialer user interface for the user to confirm the call

**ACCESS_FINE_LOCATION** Allows an app to access precise location

### Source Code Review 

The trojanized version of the Signal application has registered the Accessibility Service in the Manifest
file. The malware abuses the Accessibility permissions


-----

such as auto granting permission to run the application in the background, activating Device Admin, and
performing auto clicks.

_Figure 4 – Malware abusing Accessibility Service_
The malware connects to the Firebase server and receives the commands to execute operations for
collecting the data from the victim’s device, as shown in the below image.

_Figure 5 – Receiving commands from the Firebase server_
The malware collects all the contacts from the infected device and sends them to the Command and
Control (C&C) server “hxxps://signal-premium-app[.]org“.


-----

_Figure 6 – Malware sending contact list to the C&C server_
Similarly, the malware collects SMS data, call logs, installed applications list, and files present on the
infected device after receiving a command from the C&C server, as shown in Figures 7 through 10.

_Figure 7 – Collecting call logs from the infected device_


-----

_Figure 8 – Collecting installed application list_

_Figure 9 – Collecting SMS list from an infected device_


-----

_Figure 10 – Collecting files present in the victim’s device_
The malware registers the “DracarysReceiver” broadcast receiver, which receives the event from the
Firebase server and starts collecting Personal Identifiable Information (PII) data from the infected device,
as shown below.

_Figure 11 – Dracarys receiver to send updated PII data_
The malware can capture screenshots and record audio to spy on the victim’s device. The below figure
shows the code used by the malware to send captured screenshots and recordings to its C&C server.


-----

_Figure 12 – Collecting recordings and captured screenshots_
The image below shows the C&C server and the URL path to which the stolen data is sent.

_Figure 13 – C&C server and endpoints_

## Conclusion

According to our research, the TA has injected malicious code into genuine messaging applications such
as Signal. The TA also distributed the malware through a phishing site masquerading as a genuine
website that tricks users into downloading a trojanized version of popular messaging applications.


-----

We have observed Bitter APT continuously attacking South Asian countries and changing its mode of
attack with each new campaign. In this campaign, Bitter APT used a sophisticated phishing attack to
infect devices with Dracarys Android Spyware.

In the coming days, we may observe a change in the Bitter APT group’s activities, with different malware
variants, enhanced techniques, and distribution modes.

## Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against
attackers. We recommend that our readers follow the best practices given below:

**How to prevent malware infection?**

Download and install software only from official app stores like Play Store or the iOS App Store.
Use a reputed anti-virus and internet security software package on your connected devices, such as
PCs, laptops, and mobile devices.
Use strong passwords and enforce multi-factor authentication wherever possible.
Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile
device where possible.
Be wary of opening any links received via SMS or emails delivered to your phone.
Ensure that Google Play Protect is enabled on Android devices.
Be careful while enabling any permissions.
Keep your devices, operating systems, and applications updated.

**How to identify whether you are infected?**

Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions
accordingly.

**What to do when you are infected?**

Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the
Mobile Data.
Perform a factory reset.
Remove the application in case a factory reset is not possible.
Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

**What to do in case of any fraudulent transaction?**

In case of a fraudulent transaction, immediately report it to the concerned bank.

**What should banks do to protect their customers?**

Banks and other financial entities should educate customers on safeguarding themselves from
malware attacks via telephone, SMS, or emails.

MITRE ATT&CK® Techniques

**Tactic** **Technique ID** **Technique Name**


-----

**Initial Access** [T1476](https://attack.mitre.org/versions/v7/techniques/T1476/) Deliver Malicious App via Other Mean.

**Initial Access** [T1444](https://attack.mitre.org/versions/v7/techniques/T1444) Masquerade as Legitimate Application

**Collection** [T1412](https://attack.mitre.org/techniques/T1412) Capture SMS Messages

**Collection** [T1432](https://attack.mitre.org/techniques/T1432/) Access Contacts List

**Collection** [T1433](https://attack.mitre.org/versions/v7/techniques/T1433/) Access Call Logs

**Collection** [T1517](https://attack.mitre.org/versions/v7/techniques/T1517/) Access Notifications

**Collection** [T1533](https://attack.mitre.org/versions/v7/techniques/T1533/) Data from Local System

**Collection** [T1429](https://attack.mitre.org/versions/v7/techniques/T1429/) Capture Audio

**Exfiltration** [T1437](https://attack.mitre.org/versions/v10/techniques/T1437) Standard Application Layer Protocol

## Indicators of Compromise (IOCs)

**Indicators** **Indicator**
**Type**


**Description**


**d16a9b41a1617711d28eb52b89111b2ebdc25d26fa28348a115d04560a9f1003** SHA256 Hash of the
analyzed
APK file

**2c60fbb9eb22d0eb5e62f15d1e49028944c3ff51** SHA1 Hash of the
analyzed
APK file

**761705bd1681b94e991593bdcf190743** MD5 Hash of the
analyzed
APK file

**hxxps://signal-premium-app[.]org** URL C&C server

**hxxps://signalpremium[.]com/** URL Malware
distribution
site

**43e3a0b0d5e2f172ff9555897c3d3330f3adc3ac390a52d84cea7045fbae108d** SHA256 Hash of the
analyzed
APK file

**a35653c3d04aaaa76266db6cd253f086872a5d27** SHA1 Hash of the
analyzed
APK file

**d9a39c41e9f599766b5527986e807840** MD5 Hash of the
analyzed
APK file

**hxxp://94[.]140.114[.]22:41322** URL C&C server


-----

**220fcfa47a11e7e3f179a96258a5bb69914c17e8ca7d0fdce44d13f1f3229548** SHA256 Hash of the
analyzed
APK file

**04ec835ae9240722db8190c093a5b2a7059646b1** SHA1 Hash of the
analyzed
APK file

**07532dea34c87ea2c91d2e035ed5dc87** MD5 Hash of the
analyzed
APK file

**hxxps://youtubepremiumapp[.]com/** URL C&C server


-----