DocSwap Android malware variant with encrypted APK loading and RAT capabilities
Malware Activity
Summary
A new DocSwap Android malware variant now uses encrypted APK loading to gain RAT capabilities on Android devices. Victims are lured through QR-code phishing and fake delivery tracking flows that push them to install SecDelivery.apk. Once installed, the malware can collect device data and accept remote commands, increasing the risk of device compromise and credential theft.
Related Happenings
BTMOB Android RAT no-code builder malware activity
Malware Activity
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
The **BTMOB** Android RAT is spreading through **phishing campaigns** across **Brazil and beyond**, raising the risk of **custom payload delivery** and **remote device takeover**....
BirdCall Android spyware variant
Malware Activity
First: 05.05.2026 12:04
Last: 05.05.2026 12:04
Sources 1
About this happening:
The **BirdCall** Android spyware variant expanded a known **Windows** backdoor into a mobile surveillance tool with **file exfiltration** and device reconnaissance capabilities. I...
NoVoice Android malware hidden in Google Play apps
Malware Activity
First: 01.04.2026 21:07
Last: 01.04.2026 21:07
Sources 1
About this happening:
**NoVoice** Android malware was found hidden in **more than 50 Google Play apps**, exposing **at least 2.3 million downloads** to compromise. After installation, it used **old And...
Perseus Android note-stealing and remote-control malware activity
Malware Activity
First: 19.03.2026 12:13
Last: 19.03.2026 12:13
Sources 1
About this happening:
The **Perseus** Android malware is now being used to inspect user notes for secrets, creating theft risk for **passwords**, **recovery phrases**, and **financial data**. It is als...
IPTV app lure campaign distributing Massiv Android banking malware
Campaign
First: 19.03.2026 12:13
Last: 19.03.2026 12:13
Sources 1
About this happening:
A **recent IPTV app lure campaign** is distributing **Massiv Android banking malware**, putting users who seek **free or low-cost live sports broadcasts** at risk of device compro...
Timeline
- 18.12.2025 09:43 · 2 articles
Kimsuky-linked DocSwap QR-phishing campaign disclosed
Initial Disclosure: Kimsuky-linked operators distributed a new DocSwap Android malware variant through QR-code phishing pages impersonating CJ Logistics and other delivery-themed services, using notification pop-ups and a fake shipment-tracking flow to push installation of SecDelivery.apk. After installation, the malware decrypts an embedded APK, registers com.delivery.security.MainService, and provides RAT capabilities for keystroke logging, audio capture, camera control, command execution, file operations, and collection of location, SMS messages, contacts, call logs, and installed apps. Related artifacts also included a trojanized BYCOM VPN package and phishing pages impersonating Naver and Kakao.
- Kimsuky Spreads DocSwap Android Malware via QR Phishing Posing as Delivery App — thehackernews.com — 18.12.2025 09:43