Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Android Trojan Krysanec Comes Disguised as Legitimate Apps

Researchers at ESET have uncovered a new remote access Trojan (RAT) for Android that has been masked by cybercriminals as various popular applications.

Researchers at ESET have uncovered a new remote access Trojan (RAT) for Android that has been masked by cybercriminals as various popular applications.

The malware, detected by the security firm as Android/Spy.Krysanec, is capable of infiltrating both free and paid Android apps, and it has been distributed via a file sharing website, a Russian social network and other channels. It has been disguised as 3G Traffic Guard, a mobile banking app from Russia’s top lender Sberbank, and even ESET Mobile Security. However, unlike the legitimate programs, the trojanized versions are not signed with valid digital certificates.

According to ESET’s Robert Lipovsky, the malicious applications they have discovered actually contain the old multi-platform RAT known as Unrecom (previously known as Adwind). Trend Micro revealed back in April that the threat was upgraded to run on Android devices. At the time, the security firm also discovered that Unrecom worked as an APK binder, giving it the ability to trojanize legitimate applications.

Lipovsky told SecurityWeek that they have spotted tens of different trojanized applications, but ESET Mobile Security is the only security product whose reputation has been leveraged by the cybercriminals. The malware samples analyzed by the company appear to be targeting users mostly in Russia and Ukraine, the researcher said.

Once it finds itself on a device, the threat can be used to download and execute additional components that enable cybercriminals to perform various activities, like recording audio through the microphone, taking pictures, accessing text messages, obtaining the current GPS location, and collecting information on installed apps, placed calls and visited webpages.

Researchers have found that some of the samples communicate with a command and control (C&C) server hosted on a domain belonging to No-IP, the dynamic DNS provider whose domains were seized recently by Microsoft as part of an operation against the Bladabindi (njRAT) and Jenxcus (NJw0rm) botnets. The domains were later returned to the DNS company and the case was dropped after Microsoft determined that No-IP was not knowingly facilitating the distribution of malware. 

“It’s a relatively straightforward job for someone with coding experience to decompile an existing Android app, insert malicious capabilities, and re-build it as new,” Nathan Collier, senior malware intelligence analyst at Malwarebytes Labs, said in an emailed statement. “The tools to make this possible can be found by anyone with a good working knowledge of a search engine. A lot of the Android RATs used also utilize existing pre-built toolkits, making it relatively straightforward.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.