TaxiSpy RAT

TaxiSpy RAT is an Android remote access trojan and banking malware family observed targeting Russian financial users, including Russian banks and financial institutions such as Alfa-Bank, as well as cryptocurrency, government, marketplace, and other sensitive apps. It combines banking-trojan functionality with full RAT capabilities and is described as a highly advanced Android banking malware.

Its capabilities include abuse of Android Accessibility Services and the MediaProjection API to capture inputs, keystrokes, lock-screen PINs, clipboard contents, SMS, contacts, call logs, installed apps, and notifications; automate actions; conduct VNC-like screen streaming and remote control; and hinder removal. It attempts to set itself as the default SMS handler to intercept SMS messages and one-time passwords. It also performs device reconnaissance, collecting device model, OS version, SIM data, and installed application information, and checks for targeted banking, government, crypto, and marketplace apps.

For credential theft and fraud, TaxiSpy RAT serves overlays against targeted Russian banking, cryptocurrency, and government applications to steal credentials. It uses Firebase push messages / Firebase Cloud Messaging as an auxiliary command channel, and communicates with command-and-control infrastructure via HTTP POST, WebSocket connections, and Firebase. The malware uses native-code obfuscation, including a native library named libsysruntime.so, to store sensitive logic and encrypted configuration values such as C2 addresses, Firebase credentials, bot identifiers, and worker keys, reportedly protected with customized XOR routines.

High-confidence indicators mentioned in the content include sample hash 67d5d8283346f850eb560f10424ea5a9ccdca5e6769fbbbf659a3e308987cafd and C2 IP 193.233.112.229. CYFIRMA highlighted TaxiSpy RAT as an active malware family, and Zimperium also reported on it in the context of newly identified Android malware families.