Cyble - Bitter APT Group Using "Dracarys" Android Spyware
Published: 2022-08-09 · Archived: 2026-04-05 15:18:25 UTC
Cyble analyzes the Bitter APT group leveraging trojanized Messaging Apps to deliver Dracarys Android Malware.
Android Malware Disguised as a Messaging Application
During our routine threat hunting exercise, Cyble Research Labs came across an article wherein the researchers
mentioned Bitter APT delivering the Android Spyware “Dracarys.” Bitter aka T-APT-17 is a well-known Advanced
Persistent Threat (APT) group active since 2013 and operates in South Asia. It has been observed targeting China,
India, Pakistan, and other countries in South Asia.
The Bitter APT is actively involved in both desktop and mobile malware campaigns and uses techniques like spear
phishing emails, exploiting known vulnerabilities to deliver Remote Access Trojan (RAT) and other malware
families.
World's Best AI-Native Threat Intelligence
Dracarys Android Spyware impersonates genuine applications such as Signal, Telegram, WhatsApp, YouTube, and
other chat applications and distributes through phishing sites.
During analysis, we observed that one of the phishing sites is still live and distributing Dracarys. The phishing site
mimics the genuine Signal site and delivers a trojanized Signal app.
https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/
Page 1 of 11

Figure 1 – Phishing site which distributes Dracarys malware
Upon in-depth analysis of the malware, we observed that the Threat Actor (TA) had inserted the malicious code into
the Signal app source code to avoid being detected. The below image showcases the extra added spyware module
“org.zcode.dracarys” in the trojanized version of the Signal App.
Figure 2 – Comparison of the genuine and trojanized Signal App
Technical Analysis
https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/
Page 2 of 11

APK Metadata Information   
App Name: Signal
Package Name: org.thoughtcrime.securesms.app
SHA256 Hash: d16a9b41a1617711d28eb52b89111b2ebdc25d26fa28348a115d04560a9f1003
Figure 3 shows the metadata information of the application.  
Figure 3 – App Metadata Information 
Manifest Description  
The malicious application mentions 24 permissions, of which the TA exploits 10. The harmful permissions requested
by the malware are:  
Permission   Description 
READ_CONTACTS Access phone contacts
RECEIVE_SMS Allows an application to receive SMS messages
READ_SMS Access phone messages
CAMERA Required to access the camera device.
READ_CALL_LOG Access phone call logs
READ_EXTERNAL_STORAGE
Allows the app to read the contents of the device’s
external storage
RECORD_AUDIO
Allows the app to record audio with the microphone,
which the attackers can misuse
WRITE_EXTERNAL_STORAGE
Allows the app to write or delete files to the external
storage of the device
CALL_PHONE Allows an application to initiate a phone call without
going through the Dialer user interface for the user to
https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/
Page 3 of 11

confirm the call
ACCESS_FINE_LOCATION Allows an app to access precise location
Source Code Review  
The trojanized version of the Signal application has registered the Accessibility Service in the Manifest file. The
malware abuses the Accessibility permissions
such as auto granting permission to run the application in the background, activating Device Admin, and performing
auto clicks.
Figure 4 – Malware abusing Accessibility Service
The malware connects to the Firebase server and receives the commands to execute operations for collecting the
data from the victim’s device, as shown in the below image.
Figure 5 – Receiving commands from the Firebase server
https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/
Page 4 of 11

The malware collects all the contacts from the infected device and sends them to the Command and Control (C&C)
server “hxxps://signal-premium-app[.]org“.
Figure 6 – Malware sending contact list to the C&C server
Similarly, the malware collects SMS data, call logs, installed applications list, and files present on the infected
device after receiving a command from the C&C server, as shown in Figures 7 through 10.
Figure 7 – Collecting call logs from the infected device
https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/
Page 5 of 11

Figure 8 – Collecting installed application list
Figure 9 – Collecting SMS list from an infected device
Figure 10 – Collecting files present in the victim’s device
https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/
Page 6 of 11

The malware registers the “DracarysReceiver” broadcast receiver, which receives the event from the Firebase server
and starts collecting Personal Identifiable Information (PII) data from the infected device, as shown below.
Figure 11 – Dracarys receiver to send updated PII data
The malware can capture screenshots and record audio to spy on the victim’s device. The below figure shows the
code used by the malware to send captured screenshots and recordings to its C&C server.
Figure 12 – Collecting recordings and captured screenshots
The image below shows the C&C server and the URL path to which the stolen data is sent.
https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/
Page 7 of 11

Figure 13 – C&C server and endpoints
Conclusion 
According to our research, the TA has injected malicious code into genuine messaging applications such as Signal.
The TA also distributed the malware through a phishing site masquerading as a genuine website that tricks users into
downloading a trojanized version of popular messaging applications.
We have observed Bitter APT continuously attacking South Asian countries and changing its mode of attack with
each new campaign. In this campaign, Bitter APT used a sophisticated phishing attack to infect devices with
Dracarys Android Spyware.
In the coming days, we may observe a change in the Bitter APT group’s activities, with different malware variants,
enhanced techniques, and distribution modes.
Our Recommendations 
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We
recommend that our readers follow the best practices given below:   
How to prevent malware infection? 
Download and install software only from official app stores like Play Store or the iOS App Store. 
Use a reputed anti-virus and internet security software package on your connected devices, such as PCs,
laptops, and mobile devices. 
Use strong passwords and enforce multi-factor authentication wherever possible. 
Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device
where possible. 
Be wary of opening any links received via SMS or emails delivered to your phone. 
Ensure that Google Play Protect is enabled on Android devices. 
Be careful while enabling any permissions. 
Keep your devices, operating systems, and applications updated. 
How to identify whether you are infected? 
https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/
Page 8 of 11

Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices. 
Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. 
What to do when you are infected? 
Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile
Data. 
Perform a factory reset. 
Remove the application in case a factory reset is not possible. 
Take a backup of personal media Files (excluding mobile applications) and perform a device reset. 
What to do in case of any fraudulent transaction? 
In case of a fraudulent transaction, immediately report it to the concerned bank. 
What should banks do to protect their customers? 
Banks and other financial entities should educate customers on safeguarding themselves from malware
attacks via telephone, SMS, or emails. 
MITRE ATT&CK® Techniques 
Tactic Technique ID Technique Name
Initial Access T1476 Deliver Malicious App via Other Mean.
Initial Access T1444 Masquerade as Legitimate Application
Collection T1412 Capture SMS Messages
Collection T1432 Access Contacts List
Collection T1433 Access Call Logs
Collection T1517 Access Notifications
Collection T1533 Data from Local System
Collection T1429 Capture Audio
Exfiltration T1437 Standard Application Layer Protocol
Indicators of Compromise (IOCs) 
Indicators
Indicator
Type
Description
https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/
Page 9 of 11

d16a9b41a1617711d28eb52b89111b2ebdc25d26fa28348a115d04560a9f1003 SHA256
Hash of the
analyzed
APK file
2c60fbb9eb22d0eb5e62f15d1e49028944c3ff51 SHA1
Hash of the
analyzed
APK file 
761705bd1681b94e991593bdcf190743 MD5
Hash of the
analyzed
APK file
hxxps://signal-premium-app[.]org URL C&C server
hxxps://signalpremium[.]com/ URL
Malware
distribution
site
43e3a0b0d5e2f172ff9555897c3d3330f3adc3ac390a52d84cea7045fbae108d SHA256
Hash of the
analyzed
APK file
a35653c3d04aaaa76266db6cd253f086872a5d27 SHA1
Hash of the
analyzed
APK file 
d9a39c41e9f599766b5527986e807840 MD5
Hash of the
analyzed
APK file
hxxp://94[.]140.114[.]22:41322 URL C&C server
220fcfa47a11e7e3f179a96258a5bb69914c17e8ca7d0fdce44d13f1f3229548 SHA256
Hash of the
analyzed
APK file
04ec835ae9240722db8190c093a5b2a7059646b1 SHA1
Hash of the
analyzed
APK file 
07532dea34c87ea2c91d2e035ed5dc87 MD5
Hash of the
analyzed
APK file
hxxps://youtubepremiumapp[.]com/ URL C&C server
https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/
Page 10 of 11

Source: https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/
https://blog.cyble.com/2022/08/09/bitter-apt-group-using-dracarys-android-spyware/
Page 11 of 11