# Cifrat

Cifrat is a feature-rich Android RAT analyzed by CERT Polska in April 2026 and distributed through Booking.com-themed phishing. It deploys through a four-stage encrypted chain, from a dropper with JNI-backed string decoding through XOR- and RC4-encrypted payloads to a full remote access implant. Cifrat uses a dual WebSocket architecture with separate control (port 8443) and data (port 8444) channels, supports 35+ control message types and 40+ data message types, and includes a SOCKS5 tunneling capability that turns infected devices into network proxies.
## Overview

| Attribute | Details |
|---|---|
| First Seen | April 2026 |
| Status | Active |
| Type | RAT, banking trojan |
| Attribution | Unknown |
| Distribution | Booking.com phishing via booking.interaction.lat |
| Target Region | International (no country-specific targeting) |
## Distribution

Cifrat spreads through phishing emails that redirect victims through a Google share link (share.google) to a spoofed Booking.com domain. The landing page presents a fake security update prompt via a custom WebView with a JavaScript bridge that fingerprints the device before triggering the APK download.

| Stage | Details |
|---|---|
| Phishing email | Social engineering lure |
| Redirect | https://share.google/Yc9fcYQCgnKxNfRmH |
| Landing page | https://booking.interaction.lat/starting/ |
| Lure | Fake "Pulse" app branded as Booking.com security update |
| Install | Sideload via browser download |

The JavaScript bridge exposes a `get_SYSINFO()` method that collects SDK level, model, manufacturer, language, and country before the `start()` method triggers APK installation.
## Multi-Stage Deployment Chain

| Stage | Component | Encryption | Output |
|---|---|---|---|
| 0 | com.pulsebookmanager.helper (dropper, label "Pulse") | None | Loads native library |
| 1 | l0a0cac5c.so (4 architecture variants: a32, a64, x86, x64) | JNI XOR decoder: `((byte - offset_i) & 0xff) ^ key` | Decodes strings, anti-debug checks |
| 2 | res/raw/init_bundle_uzge.bin → io.cifnzm.utility67pu (label "Google Play Services") | 32-byte XOR key: f324c3e6d1...f0a8 | Full APK with malicious manifest |
| 3 | FH.svg asset → classes.dex + classes2.dex | RC4 variant with key mLYQ, 256-element S-box | Final RAT core |

Stage 0 uses the PackageInstaller.Session API for background APK installation. The dropper's application class v0a0cac5c.l0a0cac5c bootstraps via attachBaseContext. Stage 2's Cgridthey application class extracts and decrypts the FH.svg asset, then injects the resulting DEX files via class loader patching.
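The three decoding layers in the table above, reimplemented as analyst tooling so a sample can be unpacked offline. This is an added example, not code from the sample or from the CERT Polska analysis. It assumes the Stage 1 offset table is applied per byte position and cycled, that the Stage 3 cipher is textbook RC4 (the page only says "RC4 variant", so the output is checked for the DEX magic and the KSA/PRGA will need adjusting if that check fails), and it uses constructed offsets, a placeholder 32-byte key and a fake DEX blob as test data; only the key string `mLYQ` and the formula come from the page.

```python
"""Reimplementation of the three decoding layers in Cifrat's staging chain.

Added analyst tooling, not code from the sample or from CERT Polska's report.
Offsets, the 32-byte key and sample bytes below are CONSTRUCTED test data.
"""
from typing import Sequence

DEX_MAGIC = b"dex\n"   # every DEX file starts with "dex\n0xx\0"
STAGE3_KEY = b"mLYQ"   # RC4 key string named in the analysis


def jni_xor_decode(data: bytes, offsets: Sequence[int], key: int) -> bytes:
    """Stage 1 string decoder: ((byte - offset_i) & 0xff) ^ key per byte.

    offsets is the per-position offset table; it is cycled when shorter than
    the input (assumption: the page gives only the formula).
    """
    out = bytearray()
    for i, b in enumerate(data):
        out.append(((b - offsets[i % len(offsets)]) & 0xFF) ^ key)
    return bytes(out)


def jni_xor_encode(plain: bytes, offsets: Sequence[int], key: int) -> bytes:
    """Inverse of jni_xor_decode, used only to build test vectors."""
    out = bytearray()
    for i, b in enumerate(plain):
        out.append(((b ^ key) + offsets[i % len(offsets)]) & 0xFF)
    return bytes(out)


def xor32_decrypt(data: bytes, key: bytes) -> bytes:
    """Stage 2 bundle: repeating 32-byte XOR (decrypt and encrypt coincide)."""
    if len(key) != 32:
        raise ValueError("Stage 2 key is 32 bytes")
    return bytes(b ^ key[i % 32] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: KSA over a 256-element S-box, then PRGA keystream XOR.

    The analysis calls the Stage 3 cipher an RC4 *variant* without giving the
    deviation, so standard RC4 is assumed here.
    """
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_stage3(blob: bytes, key: bytes = STAGE3_KEY) -> bytes:
    """Decrypt the FH.svg asset and check that a DEX header came out."""
    plain = rc4(key, blob)
    if not plain.startswith(DEX_MAGIC):
        raise ValueError("no DEX magic after RC4; the variant differs from textbook RC4")
    return plain


def decode_chain(bundle: bytes, xor_key: bytes, fh_svg: bytes) -> bytes:
    """Stage 2 -> Stage 3: XOR-decrypt the bundle, then RC4-decrypt the asset.

    Returns the Stage 3 DEX bytes; the Stage 2 APK is only checked for the
    ZIP signature an APK container must start with.
    """
    apk = xor32_decrypt(bundle, xor_key)
    if not apk.startswith(b"PK"):
        raise ValueError("Stage 2 output is not a ZIP/APK")
    return decrypt_stage3(fh_svg)


# --- constructed demo data (NOT from the sample) ---
DEMO_OFFSETS = [3, 7, 1, 9]
DEMO_KEY = 0x5A
DEMO_XOR32 = bytes(range(0x10, 0x30))           # placeholder 32-byte key
FAKE_DEX = DEX_MAGIC + b"035\x00" + b"A" * 16    # minimal DEX-looking blob

if __name__ == "__main__":
    enc = jni_xor_encode(b"/proc/self/maps", DEMO_OFFSETS, DEMO_KEY)
    print(jni_xor_decode(enc, DEMO_OFFSETS, DEMO_KEY))
    fh = rc4(STAGE3_KEY, FAKE_DEX)
    bundle = xor32_decrypt(b"PK\x03\x04fake-apk", DEMO_XOR32)
    print(decode_chain(bundle, DEMO_XOR32, fh)[:8])
```

The DEX-magic check in `decrypt_stage3` is the practical tell for whether the sample's RC4 deviates from the textbook algorithm: if the first four bytes are not `dex\n`, compare the native KSA/PRGA against the loops above before suspecting the key.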
## Anti-Analysis

| Technique | Details |
|---|---|
| Debugger detection | /proc/self/maps scanning for libjdwp.so |
| Frida detection | Native string checks for Frida artifacts |
| Emulator detection | Recovered from native library strings |
| JNI abort | JNI_OnLoad returns 0xffffffff when debugger detected |
## Capabilities

### Core Features

| Capability | Implementation |
|---|---|
| Keylogging | Targets critical packages: systemui, settings, bank, pay, wallet, crypto, binance, coinbase, whatsapp, telegram, messenger |
| Screen capture | MediaProjection via ScreenSharingService, configurable quality and frameRate |
| Overlay attacks | HTML injection via HtmlOverlayActivity, template-based, per-package configuration |
| SMS interception | SmsCollectionService + SmsReceivedReceiver (priority 999) |
| Camera capture | CameraService with frame streaming to data channel |
| Lock credential capture | Dedicated activities: PatternLockActivity, PINLockActivity, PasswordLockActivity |
| SOCKS5 proxy | Bearer token auth, device metadata handshake, TLS config, relay host/port |
| Device admin abuse | DeviceAdminReceiver for anti-uninstall |
| App enumeration | Installed application listing via QUERY_ALL_PACKAGES |
### Lock Screen Credential Capture

Cifrat includes three dedicated activities for capturing device unlock credentials, each matching a different lock type. Unlike families that use a single HTML-based fake lock screen (e.g. TrickMo, TsarBot), Cifrat implements native Android activities per lock type, providing more convincing replicas of the system unlock screens.
### SOCKS5 Tunneling

The SOCKS5 tunnel turns infected devices into network proxies. The implementation includes bearer token authentication, device metadata exchange during handshake (device_id, model, android_version, manufacturer), TLS configuration options, and relay host/port configuration. This enables operators to route traffic through the victim's IP address for fraud or further attacks. Other families with SOCKS5 capability include Anubis, Hydra, and LokiBot.
### Uninstall and Permission Protection

Cifrat actively monitors and defends its installation state:

| Mechanism | Details |
|---|---|
| Uninstall protection | Device admin + accessibility-based removal prevention, togglable via C2 (enableUninstallProtection/disableUninstallProtection commands) |
| Permission loss monitoring | Continuous monitoring for revoked permissions with automatic recovery attempts |
| Notification persistence | Survives notification dismissal |
| Alarm persistence | AlarmManager-based scheduled tasks |
| WebSocket health monitoring | Automatic reconnection with failure tracking and recovery reports |
| Service health monitoring | Dedicated health monitoring loop for all persistent services |
## C2 Architecture

### Dual WebSocket Channels

Cifrat separates control and data traffic across two dedicated WebSocket connections, each on its own port.

| Channel | Endpoint | Message Types |
|---|---|---|
| Control | `wss://otptrade.world:8443/control?sessionId=<uuid>` | 35+ types: ping, pong, androidHandshake, command, gesture, viewerControl, getKeylogs, getInstalledApps, socks5_enable, permission_status_report |
| Data | `wss://otptrade.world:8444/data?sessionId=<uuid>` | 40+ types: screenFrame, keylog_batch, camera_frame, sms_batch, html_data_captured, socks5_status, crash_report, pattern_lock_completed |

Custom headers on both channels:

| Header | Value |
|---|---|
| User-Agent | AndroidClient-Control/1.0 or AndroidClient-Data/1.0 |
| X-Channel-Type | control or data |
| X-Session-ID | UUID |
| X-Device-ID | Device identifier |
### Tracking Infrastructure

A separate reporting endpoint at https://aplication.digital/receiving/stats/ tracks the infection funnel: dropper_opened → install_started → install_completed / install_failed → implant_launched.
### TLS Bypass

Cifrat intentionally disables certificate validation, returning true for all SSLSession verification. This simplifies C2 infrastructure deployment but makes the traffic interceptable by analysts.
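Because the implant accepts any certificate, the WebSocket upgrade requests on the two channels and the funnel beacons to the tracking endpoint can be captured in clear text at a TLS-terminating proxy or on an instrumented device. The detection logic below turns the channel endpoints, custom headers and tracking path described in this section into a scanner over captured HTTP requests. It is an added example, not code from the sample or from CERT Polska; the indicator values are those listed on this page, while the three sample requests (including the session and device IDs in them) are constructed.

```python
"""Flag Cifrat-style WebSocket C2 handshakes and tracking beacons in captured
HTTP requests. Added detection logic, not the sample's or CERT Polska's code.
Indicator values come from the analysis; the sample requests are CONSTRUCTED.
"""
import re
from typing import Dict, List, Tuple

C2_HOSTS = {"otptrade.world"}
TRACKING_HOSTS = {"aplication.digital"}
CHANNELS = {("8443", "/control"), ("8444", "/data")}
UA_RE = re.compile(r"^AndroidClient-(Control|Data)/1\.0$")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, target, lower-cased headers)."""
    lines = raw.strip().splitlines()
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    method, target = parts[0], parts[1]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def assess(raw: str) -> List[str]:
    """Return the Cifrat indicators matched by one request (empty = nothing seen)."""
    _method, target, h = parse_request(raw)
    hostname, _, port = h.get("host", "").partition(":")
    path, _, query = target.partition("?")
    reasons: List[str] = []

    if hostname in C2_HOSTS:
        reasons.append(f"known C2 host {hostname}")
    if h.get("upgrade", "").lower() == "websocket":
        if (port, path) in CHANNELS:
            reasons.append(f"C2 channel {path} on port {port}")
        if "sessionid=" in query.lower():
            reasons.append("sessionId query parameter")
        if UA_RE.match(h.get("user-agent", "")):
            reasons.append(f"User-Agent {h['user-agent']}")
        if h.get("x-channel-type") in ("control", "data"):
            reasons.append("X-Channel-Type header")
        for name in ("x-session-id", "x-device-id"):
            if name in h:
                reasons.append(f"{name} header")
    if hostname in TRACKING_HOSTS and path.startswith("/receiving/stats"):
        reasons.append("infection-funnel tracking beacon")
    return reasons


def scan(requests: List[str]) -> List[Tuple[int, List[str]]]:
    """Run assess() over a list of captured requests; keep only the hits."""
    hits = []
    for idx, raw in enumerate(requests):
        reasons = assess(raw)
        if reasons:
            hits.append((idx, reasons))
    return hits


# --- constructed sample capture (host, port, path and header names follow the page) ---
CONTROL_HANDSHAKE = """GET /control?sessionId=0f2c9c1e-0000-4000-8000-000000000001 HTTP/1.1
Host: otptrade.world:8443
Upgrade: websocket
Connection: Upgrade
User-Agent: AndroidClient-Control/1.0
X-Channel-Type: control
X-Session-ID: 0f2c9c1e-0000-4000-8000-000000000001
X-Device-ID: constructed-device-id
"""
TRACKING_BEACON = """POST /receiving/stats/ HTTP/1.1
Host: aplication.digital
Content-Type: application/json
"""
BENIGN_WS = """GET /socket.io/?EIO=4 HTTP/1.1
Host: chat.example.com:443
Upgrade: websocket
Connection: Upgrade
User-Agent: Mozilla/5.0
"""

if __name__ == "__main__":
    for idx, reasons in scan([CONTROL_HANDSHAKE, TRACKING_BEACON, BENIGN_WS]):
        print(idx, "; ".join(reasons))
```

The header-based matches (`AndroidClient-*/1.0`, `X-Channel-Type`, `X-Session-ID`, `X-Device-ID`) are the ones that survive a change of C2 domain, so they are worth keeping even when the host list goes stale; a single hit on the host alone is weaker than a handshake that matches several of them.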
### Initialization Sequence

```java
DualWebSocketProvider.INSTANCE.initialize()
DynamicIntentReceiver.INSTANCE.register()
startPersistentServices()
ensureUninstallProtectionReady()
initializeNotificationPersistence()
startServiceHealthMonitoring()
initializeAlarmPersistence()
initializeWebSocketHealthMonitoring()
initializePermissionLossProtection()
```
## Permissions

| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | UI automation, keylogging, gesture execution, overlay triggering |
| BIND_DEVICE_ADMIN | Anti-uninstall protection |
| REQUEST_INSTALL_PACKAGES | Stage 2 APK installation |
| REQUEST_DELETE_PACKAGES | App removal capability |
| QUERY_ALL_PACKAGES | Installed application enumeration |
| PACKAGE_USAGE_STATS | App usage monitoring |
| MANAGE_EXTERNAL_STORAGE | Broad file access |
| BROADCAST_SMS | SMS interception (high priority) |
| RECEIVE_BOOT_COMPLETED | Persistence across reboots |
| INTERNET | Dual WebSocket C2, SOCKS5 tunnel |
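The permission table above is what an analyst sees in the Stage 2 manifest, and its value for triage lies in the combination rather than any single entry: accessibility binding plus device admin plus an installer or high-priority SMS receiver is the profile of an implant, while each item alone is common in legitimate apps. The static check below parses an AndroidManifest.xml and scores that combination; it is an added example, not code from the sample or from CERT Polska. It notes that BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN are declared as `android:permission` on the service/receiver rather than as `uses-permission` entries, and both manifests at the bottom are constructed (one mirrors the table, one is a plain app) with placeholder package names.

```python
"""Static triage of an AndroidManifest.xml against the permission profile above.
Added analyst tooling, not the sample's or CERT Polska's code. The two manifests
at the bottom are CONSTRUCTED with placeholder package names.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr: str) -> str:
    """Namespace-qualify an android: attribute for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{attr}"


# uses-permission entries from the page's table and the capability each unlocks
RISKY_USES: Dict[str, str] = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideloading further stages",
    "android.permission.REQUEST_DELETE_PACKAGES": "removing apps",
    "android.permission.QUERY_ALL_PACKAGES": "enumerating installed apps",
    "android.permission.PACKAGE_USAGE_STATS": "monitoring app usage",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "broad file access",
    "android.permission.BROADCAST_SMS": "SMS interception",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot persistence",
}
# BIND_* permissions are declared on the component, not with uses-permission
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def triage(manifest_xml: str) -> Dict[str, object]:
    """Summarise the risky permission profile of one manifest."""
    root = ET.fromstring(manifest_xml)
    declared = [up.get(android("name"), "") for up in root.iter("uses-permission")]
    risky: List[str] = sorted(n.rsplit(".", 1)[-1] for n in declared if n in RISKY_USES)
    a11y = any(s.get(android("permission")) == ACCESSIBILITY for s in root.iter("service"))
    admin = any(r.get(android("permission")) == DEVICE_ADMIN for r in root.iter("receiver"))
    sms_priority = 0
    for flt in root.iter("intent-filter"):
        if any(a.get(android("name")) == SMS_RECEIVED for a in flt.iter("action")):
            sms_priority = max(sms_priority, int(flt.get(android("priority"), "0")))
    # Accessibility + device admin + a loader or high-priority SMS receiver is
    # the combination the table above describes; any single item is common.
    loader_or_sms = "REQUEST_INSTALL_PACKAGES" in risky or sms_priority >= 999
    if a11y and admin and loader_or_sms:
        verdict = "rat-like profile"
    elif a11y or admin or risky or sms_priority:
        verdict = "review"
    else:
        verdict = "clean"
    return {"risky_permissions": risky, "accessibility_service": a11y,
            "device_admin": admin, "sms_receiver_priority": sms_priority,
            "verdict": verdict}


# --- constructed manifests (placeholder package names, NOT the sample's) ---
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.pkg">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.BROADCAST_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".SmsReceivedReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(m))
```

Run it against the manifest extracted from an APK (after decoding the binary AXML with a tool such as apktool) rather than against the dropper alone: the Stage 0 package only needs the installer permission, and the full profile appears in the Stage 2 manifest.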
## IOCs

### File Hashes (SHA-256)

| Component | Hash |
|---|---|
| Dropper (com.pulsebookmanager.helper) | d408588683b4e66bfe0b5bb557999844fe52d1bfbda6836a48e15290082a5d42 |
| Native library (l0a0cac5c.so, x64) | f9c176f04b7c4061480c037abd2e6aebb4b9b056952a29585c8b448b8ec81a0e |
| Encrypted bundle (init_bundle_uzge.bin) | c11685cb53e264a90cbc749d04740c639c4cfdee794ab98cf16ebd007ceded3b |
| Stage 2 APK (io.cifnzm.utility67pu) | 0cf04d3a3a5a148f6f707cd2bc24b38179e0dc4252b4706f77a4d5498cf2c3e9 |
| Decrypted Stage 3 archive | 3243a74015df81c999e4d11124351519e5b0d9c99c03ccb12c207d9fa894a21e |
| Final classes.dex | 4ad813a484038ad2a3e66121e276c969a1b78f9c0eca0d2acb296799ea128303 |
| Final classes2.dex | 12713e00658fdfa9a6466d23d934a709ef8b549449877e94981029ec2e22cbc9 |
### Network

| Type | Value |
|---|---|
| C2 domain | otptrade.world |
| C2 control | wss://otptrade.world:8443/control |
| C2 data | wss://otptrade.world:8444/data |
| Phishing domain | booking.interaction.lat |
| Tracking endpoint | aplication.digital |
### Identifiers

| Type | Value |
|---|---|
| Package (Stage 0) | com.pulsebookmanager.helper |
| Package (Stage 2) | io.cifnzm.utility67pu |
| Namespace (Stage 3) | io.cifnzm.utility67pu.appcontainer |
| Build tag | pulse_1 |
| Application class (Stage 0) | v0a0cac5c.l0a0cac5c |
| Application class (Stage 2) | Cgridthey |
## Related Families

Cifrat's dual WebSocket channel architecture is a refinement of the multi-port approach seen in TsarBot, which uses four dedicated WebSocket ports. The separation of control and data streams optimizes bandwidth allocation, keeping low-latency command delivery on the control channel while high-bandwidth screen/camera streams flow through the data channel.
The SOCKS5 proxy capability places Cifrat alongside Anubis, Hydra, and LokiBot as families that can turn infected devices into network proxies. The multi-stage encrypted deployment chain with JNI-backed decoding, XOR, and RC4 layers is more complex than most banking trojans, comparable to the staging seen in FvncBot and PixPirate.
The lock credential capture via dedicated native activities (pattern, PIN, password) is a more sophisticated implementation than the HTML-based fake lock screens used by TrickMo and TsarBot. The permission loss monitoring and automatic recovery system is not documented in other Android malware families.