New KomeX Android RAT Advertised on Hacker Forums with Multiple Subscription Options

A newly identified Android remote access trojan (RAT) dubbed KomeX has surfaced on underground hacker forums, generating widespread concern within the cybersecurity community.

Marketed by a threat actor under the alias “Gendirector,” KomeX is built atop the infamous BTMOB RAT codebase and presents a formidable arsenal of spying and device control features.

Recognized for its sophistication, KomeX is designed to compromise Android devices en masse, making it an enticing tool for cybercriminals seeking to monetize mobile infections.

The malware’s distribution tactics rely heavily on malicious Android apps pushed via unofficial marketplace sources and phishing campaigns.

Victims are typically enticed to install tampered applications or unwittingly click on convincing social engineering lures.

What sets KomeX apart is its aggressive approach to obtaining device permissions almost immediately after installation, drastically expanding its reach and resilience once embedded in a target system.

KrakenLabs security analysts were instrumental in identifying and dissecting KomeX after its forum debut.

Their analysis revealed the trojan’s ability to bypass Google Play Protect, stripping Android devices of a fundamental protective barrier against malware.

Among its notable capabilities are high-fidelity live screen streaming, stealth audio and video capture via camera and microphone, instant access to SMS interception and manipulation, live geolocation tracking, remote control of all major apps, and full filesystem access layered with a covert keylogger.

The RAT is sold with tiered pricing: short-term access, lifetime updates, or full source code for criminal syndicates seeking custom modifications.

Infection Mechanism

Technically, KomeX maximizes its control by declaring an invasive set of permissions in its AndroidManifest.xml and requesting them as soon as it runs:



Upon installation, KomeX abuses the Android accessibility service to click through the permission prompts on the user's behalf, granting itself these permissions without meaningful user interaction and enabling deep integration and persistent access.
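As an added example (not part of the report, and not KomeX's actual manifest, which is not reproduced here), the following Python triage script parses a constructed, decoded AndroidManifest.xml and scores the spyware-style permission profile described above: SMS, microphone and camera, location and storage access, combined with an overlay permission, boot persistence, and an accessibility service declared with BIND_ACCESSIBILITY_SERVICE. The capability buckets, the scoring thresholds, the package names and the device-admin check are this example's own assumptions.

```python
"""Static triage of a decoded AndroidManifest.xml for a spyware-style
permission profile. SAMPLE_MANIFEST and BENIGN_MANIFEST are constructed
for this example; neither is KomeX's real manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's form for android:* attributes

# Capability buckets (assumed grouping). Any one bucket is ordinary for a
# legitimate app; a single app covering most of them is the RAT signal.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "audio_video": {"android.permission.RECORD_AUDIO",
                    "android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED",
                    "android.permission.FOREGROUND_SERVICE",
                    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"

# Constructed manifest mimicking the profile described in the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="System Update">
        <service android:name=".AccessHelper"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of an ordinary camera app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Camera"/>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the capability buckets hit, the privileged components
    declared, and a coarse verdict for one decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    hits = {cap: sorted(perms & names)
            for cap, names in CAPABILITIES.items() if perms & names}
    # An accessibility service is the lever used to auto-click through the
    # runtime permission prompts, so it weighs more than a single bucket.
    accessibility = any(s.get(A + "permission") == ACCESSIBILITY_PERM
                        for s in root.iter("service"))
    # Device-admin receivers are a common anti-uninstall lever in Android
    # RATs generally (assumed here; the report does not state it for KomeX).
    device_admin = any(r.get(A + "permission") == DEVICE_ADMIN_PERM
                       for r in root.iter("receiver"))
    score = len(hits) + (2 if accessibility else 0) + (1 if device_admin else 0)
    if score >= 5:
        verdict = "rat-like"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "low"
    return {"package": root.get("package"), "capabilities": hits,
            "accessibility_service": accessibility,
            "device_admin": device_admin, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["score"], sorted(r["capabilities"]))
```

Run it against a manifest decoded with `apktool d app.apk`. One or two buckets are normal for a legitimate app; several buckets plus an accessibility service declared by an app that has no accessibility purpose is the combination to escalate.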

To resist removal, KomeX employs a fake uninstall module — simulating app deletion but secretly continuing operations in the background.
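Static triage does not tell you whether the implant is still active on a handset after a supposed uninstall. As an added example (not from the report), this Python helper parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`, and flags third-party packages that still hold an enabled accessibility service. The captured outputs, the package names and the allowlist are constructed for the example.

```python
"""On-device check for third-party apps holding the accessibility service.
Inputs are the raw text of two adb commands:
    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3
ENABLED_SERVICES and THIRD_PARTY are constructed outputs for this example;
KNOWN_GOOD is a hypothetical allowlist of services the owner enabled."""

KNOWN_GOOD = {"com.google.android.marvin.talkback"}

# Constructed: one legitimate screen reader plus the implant's service.
ENABLED_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                    "com.example.fakeupdate/.AccessHelper\n")
THIRD_PARTY = """package:com.example.fakeupdate
package:com.spotify.music
"""


def parse_enabled_services(raw):
    """Map package -> enabled accessibility components. The setting is a
    list of 'pkg/Component' entries joined by ':'; it reads 'null' when
    no service has ever been enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return {}
    out = {}
    for comp in raw.split(":"):
        if "/" in comp:
            pkg = comp.split("/", 1)[0]
            out.setdefault(pkg, []).append(comp)
    return out


def parse_packages(raw):
    """'package:com.foo' lines -> set of package names."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def suspicious_accessibility(enabled_raw, packages_raw, known_good=KNOWN_GOOD):
    """Third-party packages with an enabled accessibility service that the
    owner did not knowingly allow. A package that survives a fake uninstall
    keeps showing up here as long as its service stays enabled."""
    enabled = parse_enabled_services(enabled_raw)
    third_party = parse_packages(packages_raw)
    return sorted(p for p in enabled if p in third_party and p not in known_good)


if __name__ == "__main__":
    print(suspicious_accessibility(ENABLED_SERVICES, THIRD_PARTY))
```

Feed the live command outputs in (for example via subprocess or saved files); each flagged package is worth inspecting with `adb shell dumpsys package <pkg>` before deciding between uninstalling it and a factory reset.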

Its infection lifecycle includes initial delivery, privilege escalation, secret data exfiltration, and durable anti-removal tactics, showcasing a complete, professional malware engineering approach.
