Severity
High
Analysis Summary
DocSwap is a newly discovered Android malware campaign that disguises itself as a legitimate document security and viewing application. It primarily spreads through phishing emails and compromised websites, tricking users into installing what appears to be a productivity tool. Once installed, the malware requests excessive permissions, including access to contacts, storage, and SMS, allowing it to exfiltrate sensitive data.
Security analysts have observed a rapid increase in infections across Asia, Europe, and North America over the past three weeks.
According to the researchers, the malware employs evasion techniques, including code obfuscation and a delayed payload decryption mechanism, to evade sandbox analysis and security detection. Its core functionality lives in a native library that exfiltrates device information, contact lists, and SMS messages to a command-and-control (C2) server over an encrypted channel, so the malicious traffic blends in with ordinary encrypted traffic and is difficult to distinguish. Meanwhile, the application continues to function as a working document viewer, which keeps the victim from suspecting anything while the malicious operations run in the background.
Network analysis showed that DocSwap's C2 servers are primarily located in Eastern Europe and Southeast Asia. The malware uses a custom protocol designed to mimic HTTPS traffic, adding another layer of stealth. Its most dangerous capability is the interception and forwarding of authentication SMS messages, which defeats SMS-based two-factor authentication (2FA): an attacker who already holds a victim's password can complete the login with the stolen one-time code. This capability significantly raises the threat level, since it turns a data-theft infection into account takeover.
To mitigate the risks posed by DocSwap, users are advised to avoid installing applications from unverified sources and enable Google Play Protect. Security experts recommend the immediate removal of any suspicious document-related apps and running a full system scan with trusted antivirus software. Organizations should also educate users on social engineering tactics and implement strict security policies to prevent such malware infections.
Impact
- Exfiltrating Sensitive Information
- Gain Access
- Security Bypass
- Privilege Escalation
Indicators of Compromise
MD5
3ccfe58b8e0b5ca96cac4e9394567515
SHA-256
bf134495142d704f9009a7d325fb9546db407971ade224e3718a84254e9ff03e
SHA-1
643ecf86671b5f9fd5793a9316b013b3914618d4
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Remove any suspicious document-viewing applications, especially those not downloaded from official app stores.
- Use reputable mobile security software to scan for and remove any traces of malware.
- Check app permissions and revoke access to contacts, SMS, and storage for any untrusted applications.
- Ensure Google Play Protect is activated to detect and prevent harmful applications.
- Regularly update the Android operating system and all installed applications to patch security vulnerabilities.
- Use a mobile firewall or security tool to detect unusual network activity and block suspicious connections.
- If infection is suspected, immediately change passwords for sensitive accounts and enable multi-factor authentication (MFA) with an authenticator app instead of SMS.
- Restrict app installations to the Google Play Store. On Android 8 and later the "Install from Unknown Sources" toggle is replaced by a per-app "Install unknown apps" permission, so check that no browser, messaging, or file-manager app has been granted it; on managed devices, enforce this through the MDM/EMM policy.
- Raise awareness about phishing tactics and advise users not to download applications from unknown links or email attachments.
- Organizations should deploy Mobile Threat Defense (MTD) solutions to detect and mitigate mobile malware threats in enterprise environments.
- Check for unexpected SMS messages, as the malware may attempt to intercept authentication codes.
- If the device continues to behave suspiciously after remediation efforts, perform a factory reset to remove all malware traces.
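The two remediation steps that are easiest to automate are the IOC sweep (searching for the three file hashes above) and the permission triage (finding installed apps that hold SMS and contacts permissions). The following is an added example, written for this advisory and not part of the original report or of any vendor tool. It hashes candidate APK files against the advisory's IOCs, and it parses the output of `adb shell dumpsys package` to flag any package granted SMS access, emitting the matching `adb shell pm revoke` commands. The dumpsys excerpt and the package name `com.docviewer.secure` are constructed sample data for illustration; the hash values are the ones listed under Indicators of Compromise.

```python
"""DocSwap triage helpers: IOC hash sweep and Android permission review.

Usage:
  python docswap_triage.py <apk_or_file> ...   # hash files against the IOCs
  adb shell dumpsys package | python docswap_triage.py -   # triage permissions
"""
from __future__ import annotations

import hashlib
import re
import sys

# Hashes from the advisory's Indicators of Compromise section.
IOC_HASHES = {
    "md5": "3ccfe58b8e0b5ca96cac4e9394567515",
    "sha1": "643ecf86671b5f9fd5793a9316b013b3914618d4",
    "sha256": "bf134495142d704f9009a7d325fb9546db407971ade224e3718a84254e9ff03e",
}

# Runtime permissions DocSwap abuses; SMS access is what enables 2FA theft.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
DATA_PERMS = {"android.permission.READ_CONTACTS",
              "android.permission.READ_EXTERNAL_STORAGE"}

# Constructed sample of `dumpsys package` output (not captured from a real device).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (1a2b3c):
    userId=10101
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
  Package [com.docviewer.secure] (4d5e6f):
    userId=10234
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=true")


def hash_bytes(data: bytes) -> dict[str, str]:
    """Return md5/sha1/sha256 hex digests for an in-memory blob."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}


def hash_file(path: str, chunk: int = 1 << 20) -> dict[str, str]:
    """Hash a file in chunks so large APKs do not have to fit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in IOC_HASHES}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def ioc_match(digests: dict[str, str]) -> list[str]:
    """Return the algorithms whose digest equals the advisory's IOC value."""
    return [alg for alg, h in digests.items() if IOC_HASHES.get(alg) == h.lower()]


def risky_grants(dumpsys_text: str) -> dict[str, set[str]]:
    """Map package -> granted SMS/contacts/storage permissions, for packages
    that hold at least one SMS permission (the DocSwap interception profile)."""
    grants: dict[str, set[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            grants.setdefault(current, set())
            continue
        m = GRANT_RE.match(line)
        if m and current and m.group(1) in SMS_PERMS | DATA_PERMS:
            grants[current].add(m.group(1))
    return {pkg: perms for pkg, perms in grants.items() if perms & SMS_PERMS}


def revoke_commands(findings: dict[str, set[str]]) -> list[str]:
    """Build `pm revoke` commands (real adb/pm syntax) for each flagged grant."""
    return [f"adb shell pm revoke {pkg} {perm}"
            for pkg in sorted(findings) for perm in sorted(findings[pkg])]


if __name__ == "__main__":
    if sys.argv[1:] == ["-"]:
        text = sys.stdin.read()
    elif sys.argv[1:]:
        for path in sys.argv[1:]:
            hits = ioc_match(hash_file(path))
            print(f"{path}: {'IOC MATCH ' + ','.join(hits) if hits else 'clean'}")
        sys.exit(0)
    else:
        text = SAMPLE_DUMPSYS  # offline demo on the constructed sample
    found = risky_grants(text)
    for pkg, perms in found.items():
        print(f"{pkg}: {', '.join(sorted(perms))}")
    print("\n".join(revoke_commands(found)))
```

Revoking the permissions is a containment step, not a cure: a package that matches the IOC hashes should be uninstalled (`adb shell pm uninstall <pkg>`) and any SMS-based 2FA on the affected accounts should be assumed compromised, as the remediation list above says.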