DroidJack
DroidJack is an Android remote access trojan (RAT)/spyware family. Available reporting states that it captures SMS data and call data, and can capture video using device cameras. In the documented 2015 Syria-focused intrusion operation attributed to "Group5," an Android APK masquerading as an Adobe Flash Player update (adobe_flash_player.apk, MD5 8EBEB3F91CDA8E985A9C61BEB8CDDE9D) was identified as DroidJack. Symantec is cited as assessing that DroidJack evolved from the older SandroRAT codebase. In that campaign, DroidJack was used against Syrian opposition targets and provided surveillance capabilities including SMS and call logging, contacts theft, file browsing, location tracking, and remote camera/microphone activation. The Android malware used the same command-and-control host as the associated Windows malware: 88.198.222.163 (Hetzner, Germany). High-confidence indicators and related infrastructure named in the reporting are 88.198.222.163 and the APK MD5 8EBEB3F91CDA8E985A9C61BEB8CDDE9D.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"The APK is an instance of DroidJack. According to Symantec, this malware evolved from an older codebase known as SandroRAT."
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique: "we uncovered a watering hole website with malicious programs, malicious PowerPoint files, and Android malware" ... "Group5 operated a website, assadcrimes[.]info that served as a watering hole for Android and Windows malware"
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
2 techniques: "decoy application... displays images... while simultaneously infecting"; "malware masquerading as an Adobe Flash Player update notification"; "drops a file named dvm.gif to disk, renames it to dvm.exe"
"Upon execution, the malware is installed and then hidden from the list of installed applications... Application icon will be removed... yet it will still be running in the background"
Collection
2 techniques: "spy on the computer user via the microphone"; "Remote camera and microphone"; "record calls"
"spy on the computer user via the ... webcam"; "allow the operator to use the infected device’s camera to take pictures and record video"
Command and Control
1 technique: "deliver two commonly available Remote Access Trojans (RATs): njRat and NanoCore RAT"; "The APK is an instance of DroidJack"
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Android RAT masquerading as an Adobe Flash Player update APK; hides its icon, persists via boot receiver, and enables extensive device surveillance (SMS/calls/contacts/files/location, remote camera/mic; some features require root). Configured to use 88.198.222[.]163 for C2.
Android malware that can capture video through device cameras.
Android malware that captures SMS data.
Remote access trojan that captures call data.