From Code to Clues: Leveraging LLMs to RAT out Android SpyMax
SpyMax, a.k.a. SpyNote, has been one of the most prevalent Android Remote Access Trojan (RAT) families since the initial strains seen in 2020, and has proven quite arduous to reverse engineer to date.
The difficulty stems largely from the techniques the threat actors employ: multistage dynamic deobfuscation and code loading, and encrypted, GZip-compressed network traffic carried over non-standard or custom protocols.
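The GZip-compressed, custom-framed traffic mentioned above is the kind of thing an analyst has to peel apart before any protocol reversing can start. The following Python is an added example, not SpyMax's or K7's code: it scans a raw TCP payload for gzip member headers and inflates each one, treating a hit that will not inflate (for instance magic bytes that happen to occur inside encrypted data) and a member cut off before its trailer as distinct outcomes. The sample stream, its 4-byte length-prefix framing and the JSON message shapes are constructed for this example; SpyMax's real framing is not described on this page.

```python
"""
Triage helper for C2 captures where the application payload is gzip-compressed
and wrapped in an undocumented framing. Instead of reversing the framing first,
scan the raw payload for gzip member headers (1f 8b 08), inflate each hit with
zlib and report what could and could not be recovered.

Added example; not SpyMax's code. SAMPLE_STREAM is constructed below, and the
length-prefix framing and JSON message shapes are assumptions for the sample.
"""
import gzip
import json
import zlib
from typing import List, Optional, Tuple

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM = 8 (deflate)

# (offset in stream, recovered bytes or None, error description or None)
Hit = Tuple[int, Optional[bytes], Optional[str]]


def find_gzip_members(stream: bytes) -> List[Hit]:
    """Scan for gzip members and inflate each; never raises on bad hits."""
    hits: List[Hit] = []
    off = 0
    while (idx := stream.find(GZIP_MAGIC, off)) != -1:
        inflater = zlib.decompressobj(wbits=31)  # 16 + 15: require a gzip wrapper
        try:
            data = inflater.decompress(stream[idx:])
        except zlib.error as exc:
            # Magic bytes inside ciphertext or binary noise land here.
            hits.append((idx, None, f"zlib error: {exc}"))
            off = idx + 1
            continue
        if inflater.eof:
            hits.append((idx, data, None))
            # Resume scanning right after this member's trailer.
            off = len(stream) - len(inflater.unused_data)
        else:
            # Deflate data ran out before the gzip trailer: the capture was cut
            # short, so the CRC32 was never verified. Keep the partial output.
            hits.append((idx, data, "truncated"))
            off = idx + 1
    return hits


def decode_messages(stream: bytes) -> List[dict]:
    """Parse every fully recovered member as JSON; skip hits that failed or aren't JSON."""
    out: List[dict] = []
    for _, data, err in find_gzip_members(stream):
        if err is not None:
            continue
        try:
            out.append(json.loads(data))
        except ValueError:
            pass
    return out


# --- constructed sample capture (not real SpyMax traffic) -------------------
MSG_PING = json.dumps({"cmd": "ping", "id": "device-0001"}).encode()
MSG_GPS = json.dumps({"cmd": "gps", "lat": 12.97, "lon": 77.59}).encode()
GZ_PING = gzip.compress(MSG_PING, mtime=0)
GZ_GPS = gzip.compress(MSG_GPS, mtime=0)


def frame(member: bytes) -> bytes:
    """Hypothetical 4-byte big-endian length prefix, used only to build the sample."""
    return len(member).to_bytes(4, "big") + member


# Opaque bytes that coincidentally start with the gzip magic (FLG byte 0xff is invalid).
NOISE = GZIP_MAGIC + b"\xff" * 8
# Third frame is cut 4 bytes before the end of its gzip member (missing trailer).
SAMPLE_STREAM = NOISE + frame(GZ_PING) + frame(GZ_GPS) + frame(GZ_GPS)[:-4]

if __name__ == "__main__":
    for offset, data, err in find_gzip_members(SAMPLE_STREAM):
        status = err or "ok"
        print(f"offset={offset:4d} status={status:<45} data={data!r}")
    print(decode_messages(SAMPLE_STREAM))
```

Scanning for the member header rather than trusting the framing is deliberate: on a custom protocol the length field may be encrypted, obfuscated or simply unknown, while the gzip header is a fixed plaintext landmark. Once the recovered messages are in hand, the framing around each offset can be worked out from the gaps between hits.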
SpyMax has wide-ranging adversarial capabilities, viz. GPS tracking, recording and sending video to the C2, extraction of Google Authenticator codes, simulation of user gestures, and exfiltration of sensitive information. In short, by abusing accessibility permissions it can take complete control of the compromised device.
Notably, we have seen a recent surge in the number of SpyMax infections in the Asian region, India in particular, following the 2022 source code leak of CypherRat (a SpyMax variant). In incidents where we have first-hand information, victims have suffered significant financial losses, typically in the range of ₹15,000-25,000 (US$170-280) per victim, but this is just the tip of the iceberg: the total losses are likely huge given the prevalence and reach of this RAT.
Enter AI and LLMs, technologies that are transforming reverse engineering and malware analysis. Employing AI-aided frameworks like LLM-MalDetect and Llama, with well-crafted, optimized prompt engineering, helped us decode SpyMax’s dynamic loading and encrypted network traffic techniques efficiently and effectively. These tools achieved partial de-obfuscation of the Java class files, revealing certain aspects of the original code’s intent. Undoubtedly, the results proved far superior to the output of traditional Android reversing methods and tools.
In this talk, we will delve into SpyMax’s internal architecture, analysing its obfuscation mechanism, payload delivery strategies and C2 infrastructure, based on our deep analysis of two damaging, insidious real-world incidents in which the malware was distributed via Telegram and WhatsApp. Further, we intend to play Devil’s Advocate vis-à-vis the use of LLMs for Android malware analysis, showcasing their efficacy in reversing difficult samples while highlighting some of the potential pitfalls to watch out for.

Baran Kumar S – K7 Computing Pvt Ltd
Baran Kumar S, a Senior Threat Researcher at K7 Labs, plays a crucial role in identifying, analyzing, and mitigating emerging cyber threats. With a Master’s degree in Computer Applications earned in 2002, Baran has over two decades of experience and expertise in the cybersecurity domain.
He began his professional journey as a Technical Support Engineer at K7, gaining valuable hands-on exposure to customer issues and real-world security challenges. Over the years, he transitioned into threat research, developing deep knowledge of malware analysis, reverse engineering, and threat intelligence across both Windows and Android platforms.
His work involves dissecting malicious software, understanding attacker techniques, and crafting detection strategies to protect users worldwide. Passionate about cybersecurity, Baran regularly shares his findings on the K7 Labs technical blog. His articles often explore the latest trends in mobile threats, offering readers valuable insights into emerging risks and best practices for digital safety.
