KevDroid is an Android remote access trojan (RAT) disguised as a fake antivirus app capable of exfiltration of data from an infected device. Once a device is infected, the malware attempts to gain root access to the device using a known android vulnerability CVE-2015-3636. KevDroid collects the location of the device every 10 seconds, collects a list of applications, and starts stealing information such call logs, SMS, emails, etc., using an HTTP POST request to send all the information back to the C2 server controlled by the attacker.

Technical Details

  • Cisco Talos researchers provides technical details, here