Full Report
CERT Polska analyzed a Booking-themed Android malware chain delivered through phishing and a fake update website. The sample is a multistage dropper that installs a hidden, Accessibility-controlled RAT with WebSocket C2.
Analysis Summary
# Tool/Technique: cifrat
## Overview
**cifrat** is a multistage Android Remote Access Trojan (RAT) and banker first documented in 2026. Distributed via a Booking.com-themed phishing campaign, the malware uses a series of nested droppers and native libraries to deploy a final payload that abuses Android Accessibility Services. It is built for credential theft, financial fraud, and full remote device manipulation.
## Technical Details
- **Type:** Malware Family (RAT / Banker / Dropper)
- **Platform:** Android
- **Capabilities:** Accessibility Service abuse, overlay injection (HTML), screen streaming, SMS interception, keylogging, SOCKS5 tunneling, and remote gesture execution.
- **First Seen:** April 2026
## MITRE ATT&CK Mapping
Tactic IDs below are Enterprise-matrix IDs (as in the original mapping); technique IDs use the Mobile matrix wherever a mobile-specific technique exists.
- **[TA0042 - Resource Development]**
- [T1583.006 - Acquire Infrastructure: Web Services] (share.google redirect links)
- [T1583.001 - Acquire Infrastructure: Domains] (Booking-themed lookalike domains such as booking[.]interaction[.]lat)
- [T1608.001 - Stage Capabilities: Upload Malware] (fake update site impersonating the Booking Pulse app)
- **[TA0001 - Initial Access]**
- [T1566.002 - Phishing: Spearphishing Link]
- **[TA0005 - Defense Evasion]**
- [T1406 - Obfuscated Files and Information] (native library loaders, XOR/RC4-encrypted stages)
- [T1407 - Download New Code at Runtime] (stage-2 APK and stage-3 RAT module unpacked on the device)
- [T1655.001 - Masquerading: Match Legitimate Name or Location] (second stage posing as "Google Play Services")
- [T1628.001 - Hide Artifacts: Suppress Application Icon] (hidden RAT component)
- [T1633.001 - Virtualization/Sandbox Evasion: System Checks] (emulator detection in the native loader)
- **[TA0007 - Discovery]**
- [T1418 - Software Discovery] (checking for antivirus/debugging apps)
- **[TA0006 - Credential Access]**
- [T1417.002 - Input Capture: GUI Input Capture] (HTML overlays)
- [T1417.001 - Input Capture: Keylogging]
- **[TA0009 - Collection]**
- [T1636.004 - Protected User Data: SMS Messages]
- [T1513 - Screen Capture] (screen streaming via WebSockets)
- [T1512 - Video Capture] (camera access)
- **[TA0011 - Command and Control]**
- [T1071.001 - Application Layer Protocol: Web Protocols] (WebSockets over TLS, WSS)
- [T1573 - Encrypted Channel]
- [T1604 - Proxy Through Victim] (SOCKS5 relay on the infected device)
- **[TA0040 - Impact]**
- [T1516 - Input Injection] (remote taps and swipes via Accessibility)
## Functionality
### Core Capabilities
- **Multistage Dropping:** Uses an outer "Pulse" APK to decrypt a second-stage "Google Play Services" APK via a native library (`.so`), which then extracts the final RAT module.
- **Accessibility Service Abuse:** Once the victim grants the Accessibility permission, the RAT uses it to read screen content, capture keystrokes, and drive other apps without any further user interaction.
- **HTML Injection:** Displays fake login windows over legitimate banking and travel apps to harvest credentials.
- **SMS Interception:** Captures incoming messages, likely to bypass Two-Factor Authentication (2FA).
- **C2 Communication:** Utilizes two distinct WebSocket channels (Control and Data) for low-latency remote command execution.
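The dropper chain above unpacks each stage from an encrypted asset (the report names XOR and RC4). The helper below is an added example, not CERT Polska's tooling and not code from the malware: it tries a candidate key under both ciphers on an embedded blob and accepts the result only if it starts with a known executable magic (ZIP/APK, DEX or ELF). The key and the "asset" are constructed for the demonstration; the real key used by cifrat is not given on this page.

```python
"""Recover an encrypted dropper stage by trying RC4 and repeating-key XOR
with a candidate key, then confirming the result by file magic.

Added example. HYPOTHETICAL_KEY and FAKE_STAGE are constructed stand-ins;
the actual cifrat key is not known from the report."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; also self-inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Magic bytes of the stage types a dropper typically unpacks on Android.
MAGIC = {b"PK\x03\x04": "apk/zip", b"dex\n": "dex", b"\x7fELF": "elf"}


def identify(data: bytes):
    """Return the stage type if `data` starts with a known magic, else None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def recover_stage(blob: bytes, key: bytes):
    """Try RC4 then XOR with `key`; return (cipher, kind, plaintext) for the
    first candidate carrying a known magic, or None if neither matches."""
    for name, fn in (("rc4", rc4), ("xor", xor)):
        pt = fn(key, blob)
        kind = identify(pt)
        if kind:
            return name, kind, pt
    return None


# Constructed test asset (not real malware data): a fake stage-2 APK header,
# RC4-encrypted with a hypothetical key, standing in for assets/FH.svg.
HYPOTHETICAL_KEY = b"pulse-stage-key"
FAKE_STAGE = b"PK\x03\x04" + b"\x00" * 26 + b"classes.dex"
ENCRYPTED_ASSET = rc4(HYPOTHETICAL_KEY, FAKE_STAGE)

if __name__ == "__main__":
    print(recover_stage(ENCRYPTED_ASSET, HYPOTHETICAL_KEY)[:2])
```

Checking the magic rather than trusting the decrypt step is what makes this usable when brute-forcing key candidates pulled from the native loader: a wrong key yields no recognizable header and the function returns None.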
### Advanced Features
- **SOCKS5 Tunneling:** Includes a built-in proxy server capability to relay network traffic through the infected device, useful for bypassing geo-fencing or fraud detection systems.
- **Remote Control:** Supports real-time screen streaming, camera access, and the ability to perform remote gestures (taps/swipes).
- **Anti-Analysis:** The native loader contains logic to detect emulators and analysis environments before proceeding with the infection.
## Indicators of Compromise
- **File Hashes (SHA256):**
- `d408588683b4e66bfe0b5bb557999844fe52d1bfbda6836a48e15290082a5d42` (Outer APK)
- `f9c176f04b7c4061480c037abd2e6aebb4b9b056952a29585c8b448b8ec81a0e` (Native Library)
- `0cf04d3a3a5a148f6f707cd2bc24b38179e0dc4252b4706f77a4d5498cf2c3e9` (Stage 2 APK)
- **File Names:**
- `com.pulsebookmanager.helper.apk`
- `l0a0cac5c.so`
- `FH.svg` (Encrypted stage 3 asset)
- **Network Indicators:**
- `share[.]google/Yc9fcYQCgnKxNfRmH`
- `booking[.]interaction[.]lat`
- `aplication[.]digital/receiving/stats/`
- `otptrade[.]world` (C2 Server)
- `wss://otptrade[.]world:8443`
- `wss://otptrade[.]world:8444`
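A practitioner triaging a suspect APK will want to match it against the file indicators listed above without unpacking it by hand. The script below is an added example (not CERT Polska tooling): it hashes the archive and every entry, flags entries whose basename matches a reported file name, and lists entries that are themselves ZIP containers, which is the nested-dropper layout described in this report. The sample archive it builds is constructed dummy data, so only the name- and structure-based checks fire on it; the hash checks fire on a real sample.

```python
"""Triage an APK against the cifrat file indicators: known SHA256 hashes,
the native loader name, the encrypted stage-3 asset name, and nested
APK/ZIP entries. Added example; build_sample_apk() returns constructed data."""
import hashlib
import io
import zipfile

# SHA256 values from the IOC list above.
IOC_HASHES = {
    "d408588683b4e66bfe0b5bb557999844fe52d1bfbda6836a48e15290082a5d42": "outer APK",
    "f9c176f04b7c4061480c037abd2e6aebb4b9b056952a29585c8b448b8ec81a0e": "native library",
    "0cf04d3a3a5a148f6f707cd2bc24b38179e0dc4252b4706f77a4d5498cf2c3e9": "stage 2 APK",
}
# File names from the IOC list above.
IOC_NAMES = {"l0a0cac5c.so", "FH.svg", "com.pulsebookmanager.helper.apk"}
ZIP_MAGIC = b"PK\x03\x04"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_apk(blob: bytes) -> dict:
    """Return {'hash_hits': [(location, label)], 'name_hits': [path],
    'nested': [path]} for an APK given as raw bytes."""
    result = {"hash_hits": [], "name_hits": [], "nested": []}
    h = sha256(blob)
    if h in IOC_HASHES:
        result["hash_hits"].append(("<archive>", IOC_HASHES[h]))
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            basename = info.filename.rsplit("/", 1)[-1]
            if basename in IOC_NAMES:
                result["name_hits"].append(info.filename)
            eh = sha256(data)
            if eh in IOC_HASHES:
                result["hash_hits"].append((info.filename, IOC_HASHES[eh]))
            # An entry that is itself a ZIP is the dropper pattern: a
            # stage-2 APK carried inside stage 1 (here as a plain asset).
            if data[:4] == ZIP_MAGIC:
                result["nested"].append(info.filename)
    return result


def build_sample_apk() -> bytes:
    """Constructed stand-in for the outer 'Pulse' APK whose layout mirrors
    the reported artefacts. Contents are dummy bytes, not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00dummy")
        zf.writestr("lib/arm64-v8a/l0a0cac5c.so", b"\x7fELFdummy")
        zf.writestr("assets/FH.svg", b"not really an svg")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("classes.dex", b"dex\n035\x00dummy")
        zf.writestr("assets/payload.bin", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    print(scan_apk(blob))
```

Run it as `python triage.py suspect.apk`; with no argument it scans the constructed sample. Name-based hits are weak evidence on their own (a rebuilt sample can rename the loader), so treat the nested-ZIP and hash results as the stronger signals.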
## Associated Threat Actors
- **Unknown:** No group has been attributed. The lure targets Booking.com partners, and the tooling resembles Android RATs traded on Brazilian and Eastern European underground forums, but neither is sufficient for attribution.
## Detection Methods
- **Behavioral Detection:** Monitor for apps that are granted Accessibility Service access and shortly afterwards open WebSocket (WSS) connections to non-standard TLS ports such as 8443 and 8444.
- **Signature-based:** Detect the presence of the native library `l0a0cac5c.so` or the package name `io.cifnzm.utility67pu`.
- **System Monitoring:** Look for unexpected screen recording icons or high data usage by apps disguised as "Google Play Services" or "System Updates."
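The behavioral rule above (Accessibility grant followed by a WebSocket connection to a non-standard port) is easy to state but only useful once it is expressed as a correlation over telemetry. The script below is an added example, not CERT Polska's or any vendor's detection content: it parses a constructed line-oriented device log (one JSON object per line, a hypothetical format) and raises an alert when the same package connects to one of the IOC ports within a short window after being granted Accessibility access. The window length is an assumption.

```python
"""Correlate Accessibility-service enablement with follow-on connections
to the cifrat C2 ports. Added example over a constructed, hypothetical
JSON-lines telemetry format."""
import json
from datetime import datetime, timedelta

SUSPECT_PORTS = {8443, 8444}        # C2 ports from the IOC list
WINDOW = timedelta(seconds=120)     # assumed correlation window

# Constructed sample telemetry (not real captured data). The first package
# follows the cifrat pattern; the other two are benign look-alikes.
SAMPLE_LOG = """\
{"ts": "2026-04-10T09:00:01Z", "pkg": "com.pulsebookmanager.helper", "event": "install"}
{"ts": "2026-04-10T09:00:40Z", "pkg": "com.pulsebookmanager.helper", "event": "accessibility_enabled"}
{"ts": "2026-04-10T09:00:43Z", "pkg": "com.pulsebookmanager.helper", "event": "net_connect", "dst": "otptrade.world", "port": 8443, "tls": true}
{"ts": "2026-04-10T09:00:44Z", "pkg": "com.pulsebookmanager.helper", "event": "net_connect", "dst": "otptrade.world", "port": 8444, "tls": true}
{"ts": "2026-04-10T09:05:00Z", "pkg": "com.example.reader", "event": "accessibility_enabled"}
{"ts": "2026-04-10T09:30:00Z", "pkg": "com.example.reader", "event": "net_connect", "dst": "cdn.example.net", "port": 443, "tls": true}
{"ts": "2026-04-10T10:00:00Z", "pkg": "com.example.vpn", "event": "net_connect", "dst": "vpn.example.net", "port": 8443, "tls": true}
"""


def parse(log_text: str) -> list:
    """Parse JSON-lines telemetry into time-ordered records."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def correlate(events: list, window=WINDOW, ports=SUSPECT_PORTS) -> list:
    """One alert per connection to a suspect port made by a package within
    `window` of that same package being granted Accessibility access.
    A suspect-port connection without a prior grant (e.g. a VPN client)
    does not alert, nor does a grant followed only by ordinary 443 traffic."""
    granted = {}   # pkg -> time Accessibility was enabled
    alerts = []
    for rec in events:
        pkg = rec["pkg"]
        if rec["event"] == "accessibility_enabled":
            granted[pkg] = rec["ts"]
        elif rec["event"] == "net_connect" and rec.get("port") in ports:
            t0 = granted.get(pkg)
            if t0 is not None and rec["ts"] - t0 <= window:
                alerts.append({
                    "pkg": pkg,
                    "dst": rec.get("dst"),
                    "port": rec["port"],
                    "delay_s": int((rec["ts"] - t0).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(SAMPLE_LOG)):
        print(a)
```

On the sample this fires twice for `com.pulsebookmanager.helper` (the control and data channels on 8443 and 8444) and stays quiet for the reader app and the VPN client. In production, add the destination-domain IOCs as a second, independent match rather than folding them into the same rule, so that a domain change does not silence the behavioral alert.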
## Mitigation Strategies
- **User Education:** Advise against clicking links in emails requesting "security updates" for mobile apps.
- **Source Verification:** Only install applications from the official Google Play Store; this chain depends on the victim sideloading an APK from a fake update site.
- **Permission Hardening:** Users should be wary of any application—especially those claiming to be utilities or players—that requests "Accessibility" or "Device Admin" permissions.
- **MDM/EDR:** Deploy mobile endpoint security solutions that can identify and block known malicious C2 domains and detect overlay attacks.
## Related Tools/Techniques
- **TeaBot / Anatsa:** Similar banking RATs that abuse Accessibility Services for credential theft.
- **Overlay Attacks:** A common technique used by mobile banking Trojans to phish credentials.
- **WebSocket C2:** Increasingly common in mobile malware for real-time remote control.