Emergence of KomeX: A Sophisticated Android RAT Threatening Mobile Security
A newly identified Android Remote Access Trojan (RAT) named KomeX has recently surfaced on underground hacker forums, raising significant concerns within the cybersecurity community. Marketed by a threat actor known as Gendirector, KomeX is built upon the notorious BTMOB RAT codebase and offers an extensive suite of spying and device control features.
Sophisticated Capabilities
KomeX is engineered to compromise Android devices on a large scale, making it an attractive tool for cybercriminals aiming to monetize mobile infections. Its distribution methods primarily involve malicious Android applications disseminated through unofficial marketplaces and phishing campaigns. Unsuspecting users are often lured into installing these tampered applications or clicking on deceptive social engineering prompts.
What distinguishes KomeX is its aggressive strategy in acquiring device permissions immediately after installation, significantly enhancing its reach and persistence within the targeted system. Security analysts from KrakenLabs played a pivotal role in identifying and analyzing KomeX following its appearance on hacker forums. Their investigation revealed the trojan’s capability to bypass Google Play Protect, effectively removing a critical security layer from Android devices.
Notable features of KomeX include:
– High-resolution live screen streaming
– Stealthy audio and video recording via the device’s camera and microphone
– Immediate access to intercept and manipulate SMS messages
– Real-time geolocation tracking
– Remote control over major applications
– Comprehensive filesystem access integrated with a covert keylogger
The RAT is offered with various subscription options: short-term access, lifetime updates, or full source code for criminal organizations seeking customized modifications.
Infection Mechanism
From a technical standpoint, KomeX maximizes its control by declaring a broad set of invasive permissions in its AndroidManifest.xml and then requesting and securing them automatically at runtime.
Upon installation, KomeX abuses Android's accessibility services to approve these permission prompts without user interaction, giving it deep integration and persistent access. To resist removal, KomeX ships a deceptive uninstall module that simulates app deletion while the malware keeps operating in the background.
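A defender-side triage helper for the permission profile described above, added here as an example (this is not KomeX's own manifest or code; the page does not reproduce the actual manifest). It parses a decoded AndroidManifest.xml, groups the requested permissions into the capability buckets named in the feature list (SMS, camera/microphone, location, filesystem, overlay), and flags a declared accessibility service, which is the hook used to click through permission prompts. The bucket grouping, the scoring weights and the sample manifest are constructed assumptions.

```python
"""Added example: score a decoded AndroidManifest.xml for a spyware permission profile."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets mirroring the feature list above; the grouping is an assumption.
RISKY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "audio_video": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "filesystem": {"android.permission.READ_EXTERNAL_STORAGE",
                   "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(xml_text, threshold=4):
    """Return requested risky buckets, accessibility-service flag and a score (threshold assumed)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hits = {bucket: sorted(requested & perms)
            for bucket, perms in RISKY_PERMISSIONS.items() if requested & perms}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # that is the hook a RAT uses to approve its own permission prompts.
    accessibility = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
                        for s in root.iter("service"))
    score = len(hits) + (2 if accessibility else 0)
    return {"buckets": hits, "accessibility_service": accessibility,
            "score": score, "suspicious": score >= threshold}

# Constructed sample manifest with the described profile (not a real KomeX sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it on the manifest decoded from an APK (for example with apktool); a high score with an accessibility service is a strong signal to pull the sample for deeper analysis rather than a verdict on its own.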
Its infection lifecycle encompasses initial delivery, privilege escalation, covert data exfiltration, and robust anti-removal tactics, reflecting a comprehensive and professional malware engineering approach.