Android users beware: a new Android botnet called DAAM is distributed through Trojanized applications.
The DAAM Android botnet has a wide range of malicious capabilities, including a keylogger, ransomware, VOIP call recording, executing code at runtime, collecting browser history, recording incoming calls, stealing PII, opening phishing URLs, capturing photos, stealing clipboard data, and toggling the device's Wi-Fi and mobile data status.
Why DAAM Android botnet is a menace
The botnet is offered as a service that lets malicious actors bind their harmful code into a genuine application using an APK binding technique, so the resulting app looks and behaves like the original.
Recently, CRIL scrutinized an APK file called PsiphonAndroid.s.apk, which had a hash value of “184356d900a545a2d545ab96fa6dd7b46f881a1a80ed134db1c65225e8fa902b”.
The analysis revealed that this file contained malicious DAAM botnet code fused with a legitimate Psiphon application.
Analysis also showed that the malware connects to its Command and Control (C&C) server at hxxp://192.99.251[.]51:3000.
The C&C server has been identified in multiple malicious applications, which were first detected in August 2021. This suggests that the DAAM Android botnet has been active since 2021, and it continues to pose a threat to Android users.
Technical analysis of DAAM Android botnet
CRIL conducted a thorough technical analysis of the DAAM Android botnet based on a sample APK into which the botnet code had been bound.
The malware establishes a socket connection with the Command and Control (C&C) server located at hxxp://192.99.251[.]51:3000 to receive commands for malicious activities.
The botnet abuses the Accessibility Service to monitor users' activity, capturing keystrokes together with the package name of the application they were typed into and saving them in a local database.
It uses the AES algorithm to encrypt files on the infected device and drops a ransom note in a file named "readme_now.txt".
Moreover, the botnet monitors social media and messaging applications such as WhatsApp, Skype, Telegram, and other apps used for VOIP calls. When the user interacts with these components, the malware starts recording audio.
The botnet can gather bookmarks and browsing history saved on the target device and send them to the C&C server.
It can also take over the victim’s device by executing code at runtime, stealing PII data, opening URLs, and capturing screenshots and photos.
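As an added triage example (not CRIL's tooling), the following Python script scans an APK for the indicators the analysis above names: the sample's hash, the C&C address, the ransom note filename, and the Accessibility Service permission. It assumes only the standard library and a constructed stand-in APK; raw-byte matching works for ASCII strings in classes.dex, but a real AndroidManifest.xml is binary XML whose string pool may need decoding (e.g., with apktool) before the permission check is reliable.

```python
# Added triage example, not code from CRIL or from the DAAM sample.
import hashlib
import io
import re
import zipfile

# Indicators from the article; the defanged C&C address is restored to
# plain host:port so it can be matched against raw bytes.
KNOWN_SHA256 = "184356d900a545a2d545ab96fa6dd7b46f881a1a80ed134db1c65225e8fa902b"
INDICATORS = {
    "c2_address": re.compile(rb"192\.99\.251\.51:3000"),
    "ransom_note": re.compile(rb"readme_now\.txt"),
    "accessibility_service": re.compile(rb"BIND_ACCESSIBILITY_SERVICE"),
}

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan_apk(data: bytes) -> dict:
    """Open the APK (a zip) and record which indicators each entry contains."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for name in apk.namelist():
            blob = apk.read(name)
            found = [k for k, rx in INDICATORS.items() if rx.search(blob)]
            if found:
                hits[name] = found
    digest = sha256_of(data)
    return {"sha256": digest, "known_sample": digest == KNOWN_SHA256, "hits": hits}

def verdict(report: dict) -> str:
    """Hash match wins; otherwise C&C address plus any second indicator."""
    if report["known_sample"]:
        return "known-DAAM-sample"
    flat = {i for found in report["hits"].values() for i in found}
    if "c2_address" in flat and len(flat) >= 2:
        return "DAAM-likely"
    return "suspicious" if flat else "clean"

def build_constructed_apk() -> bytes:
    """Constructed stand-in for a bound APK (not a real sample): a zip whose
    manifest-like and dex-like entries carry the indicator strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest>android.permission.BIND_ACCESSIBILITY_SERVICE</manifest>")
        z.writestr("classes.dex", b"dex\n035\x00..http://192.99.251.51:3000..readme_now.txt..")
    return buf.getvalue()

if __name__ == "__main__":
    report = scan_apk(build_constructed_apk())
    print(report["sha256"], verdict(report), report["hits"])
```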
To protect against this kind of malware, Android users should be careful about which apps they download and install.
Only download from trusted sources, and check that the permissions an app requests (in particular Accessibility Service access) are actually needed for its functionality.
Keep your device updated with the latest security patches, and use reputable antivirus software to safeguard your device against malicious attacks.