In depth analysis of Darkshades. A RAT infecting Android devices

Avira Protection Labs, 2 weeks ago 9 min read

‘Darkshades’ is a RAT (Remote Access Trojan) that targets Android devices. It enables criminals to steal contacts, track location accurately, exfiltrate live SMS/MMS, grab card credential, capture screenshot, encrypt files and initiate DDOS attacks.

Compared to other RAT families that are spread through Google Play apps, or third-party tools, the infection vector of this family of RATs does not have a stable infection strategy. Consequently, despite extensive functionality, Darkshades has kept a low profile: On Twitter it has been mentioned twice since 2017, and by the end of 2019 only two samples had been identified in the wild. Despite this, Avira found a sample in March 2020.

In this blog, Bogdan Anghelache, threat researcher of the Android Detection Team at Avira, takes a deep dive into recent Darkshades samples and analyzes how they infect Android devices.


The Darkshades samples were successfully run on all major versions of Android (including version 5 to 10). The samples behave differently depending on the version of Android:

  • on Android 10, 9 and 8 – the samples don’t have a specific icon, just the Android default one
  • on Android 7, 6 and 5 – the samples have specific icons, representing their title (for example, the ones that impersonate the calculator app have the iPhone calculator app icon)
  • on Android 10 – the accessibility feature is not triggered every time
  • on Android 7 – the app icon is deleted from the application menu view

Figure 1: left: no icon is present on Android 10; middle & right: the iOS calculator and “Privacy Guard” icons are present on Android 6


Behavior and C&C communication

After the application is installed, it appears under one of these names: “Privacy Guard”, “Calculator” or “System Update”.

The application doesn’t have a specific icon, just the default Android one. When opened, the application asks for a host of dangerous permissions:

  • Access to contacts
  • Making and managing phone calls
  • Take pictures and record video
  • Access to the filesystem and location
  • Record audio
  • Send and view SMS messages

These permission requests should raise a red flag for the user. The application doesn’t have any user interface or functionality to justify the need for those permissions.

After the permissions are granted, the application begins communicating with its Command and Control server (C&C). First it uploads to the [path]/receive_all.php endpoint the call logs and SMS data of the user.

Figure 2: the initial object sent is empty, because I used a clean emulator image

Then, it continuously uploads sensitive information on the server about the device: IP address and GPS location:

Endpoint: [path]/DS_info.php

Figure 3: the object sent containing the timestamp, mail, bot ID (name), IP and manufacturer

Endpoint: [path]/post_gps.php

Figure 4: the object sent with the location of the user (the one above is the default emulator location)

After each received SMS, the application will make a POST request to the [path]/receive_all.php endpoint and upload the call log and SMS data of the user:

Figure 5: the call logs and SMS data of the user are sent to the server

If accessibility access is granted, the application will send to the [path]/uploads/device_keystrokes.php endpoint every key pressed by the user when a text box is edited (including a browser search bar, text messages, notes etc)

Figure 6: the keys pressed by the user are sent to the server; above is the final result

Anti-Virus checks and card credential grabbing

After the first “run” of the data exfiltration services (contacts, text messages, keystrokes), the malware starts an interesting service called com.cosmos.darkshades.Anti.AntiService which has two main responsibilities:

  1. ensures that certain services are running, which are:
    1. cosmos.darkshades.Data.TriggerService
    2. cosmos.darkshades.Main.ServiceController
    3. cosmos.darkshades.Main.ConnectivityService
    4. cosmos.darkshades.Main.MyService
  2. runs a TimerTask every 10 milliseconds, which we’ll analyse in detail below

Analysis of the above services

Looking into those services, we found that TriggerService and MyService have the role to make sure that the other, more important services (AntiService, ConnectivityService and ServiceController) are always running.

ConnectivityService checks for internet access (the authors left behind some funny log messages like Log.d(“nOOooOo”, “internet”) when there is no internet access ), uploads to post_gps.php the live GPS coordinates of the device and starts TriggerService and ServiceController. Because of this recurrent service starting, it is safe to assume that the authors took great care that these four services always remain running.

ServiceController is more complex than that; as usual it checks for an internet connection but after that it creates nine directories and one file, which can be used as IOCs. After the creation of the directories and the file, it POSTs to DS_info.php the data which can be seen in Figure 2, and awaits commands from the C&C server (we will detail some of the commands later in this article).

Figure 7: the directories and file created by the malware

Analysis of the TimerTask

In broad terms, the second responsibility of the AntiService is to start the activity responsible for stealing the card credentials, com.cosmos.darkshades.Main.Ccg (most likely Ccg stands for Card credentials grabber).

In more detail, this service does a few other things: it makes sure that ServiceController is running and acts based on the content of two files, found on the external storage:

  • Android/data/com.antiguard.cosmos/Anti.txt
  • Android/data/com.antiguard.cosmos/injects.txt

The first file, Anti.txt, contains values separated by commas. The values come as a command from the server “AntiG[value]”.

Anti-Virus checks

Two lists of string values are present in the AntiService, with hardcoded values:

  • the first one represents a list of android package names associated with anti-virus products, including “”, “”, “”, “”, “”, “com.trendmicro.freetmms.gmobi”, “com.trendmicro.tmmspersonal.apac” and a few others
  • the second one contains computer security related keywords like “security”, “antivirus”, “cleaner”, “mobilesecurity”, “malware”, “protect”. An interesting finding is that on the list are present these keywords “trendmicro” and “symantec”

Besides starting the card credentials grabber activity, the TimerTask gets the package name of the last used application and uses that value in three checks:

  • if the package name is present in the anti-virus vendors list
  • if the package name contains any of the keywords above
  • if the package name is found in the injects.txt file

When at least one of the conditions above is true, the wifi settings screen will pop up, while the home screen will be replaced with the application’s main activity.

The content of second file, injects.txt, is also used as a trigger for certain operations and, if it contains this command “,Ccg”, the card credentials grabber activity is started.

Looking at the Ccg activity

This one is simple: a fake “Playstore Wallet” activity is shown to the user. The user is tricked into filling in the credentials of the credit card which are stored in a text file found in the external storage: Android/data/com.antiguard.cosmos/[Bot_ID]_CC.txt.

Figure 8: the Ccg activity initialization function: the content and title are set so that everything looks legit

Figure 9: the function above stores the credentials in a string builder and calls the “a” function with the details

Figure 10: this is the “a” function mentioned above: the card credentials are store in the “_CC.txt” text file

Figure 11: the background task that uploads the file to the server, along with unique details about the device

Analysis of the C&C commands

The malware has a big set of commands – 48 in total – which are hardcoded in an array. Below, we will analyze the most interesting.

NOTE: c.d ([string]) runs the command given, as super user

1. delpin:

This command removes the PIN, password or pattern (if one of them is set) that protects the device from physical breach, when the screen is locked.

Figure 12: the PIN/password/pattern is removed by running the commands above (with root privileges)

2. sapp:

Verifies if the app has root permissions. If true, moves the application (com.cosmos.darkshades) into the /system/app/Cosmos directory, gives it root permissions and deletes the app from the usual /data/app directory, thus making it harder to remove for the non-technical users.

Figure 13: the app is moved to “/system/app/Cosmos” and is being given root privileges; also the original app is deleted

3. OAUD:

Starts the audio recording process.

4. Zipit:

Zips all the content of the /Android/data/Nebula directory, which contains the text files with the information gathered until that point.

Figure 14: the function responsible for the zip, found after a few hops; the information is zipped and saved in an archive with the bot ID and the name in its name

5. Groot:

This command gives the app superuser (root) access, which is equivalent to having complete control over the device.

6. Gwapp:

After looking at the function below, we concluded that this variant has a functionality that is related to WhatsApp, although we didn’t find anything implemented.

Figure 15: the “Nebula” directory is again zipped, but this time the zip has “WhatsApp” in its name

7. notif:

This command starts a notification process on the user’s phone with the text given from the command and control center, along with lights and vibrations. Most likely this is a feature to scare the victim or bombard him/her with ads.

8. Ewii/Dwii and Eblue/Dblue:

Enables or disables the Wifi and/or bluetooth. Enabling bluetooth leaves the device vulnerable to bluetooth based attack such as BlueFrag.

9. 3ncrypt/d3crypt:

First, we will talk about the encryption process: the app creates the Meteoroid directory in the external storage and then encrypts the file found at the path sent along with the command using the AES cypher and key found in the command.

The encrypted file will be found in the Meteoroid directory and will have this name: Dark_Shades_Encrypted_[random_number].

The command most likely looks something like this 3ncrypts, [path_to_file], [key]. We make this assumption because the command received from the server is split into three parts, as seen below:

Figure 16: the function that creates the “Meteoroid” directory and splits the command.; below is the a(new File(str3), split[2]) function

Figure 17: the encryption function


After a file has been encrypted, a new file called  _NEW_Encrypted_File_Name_ [same_random_number] will appear in the Meteoroid folder, with the following content:

“Dark Shades  has encrypted a file.

File location & Name : ” [location_of_the_file] ”

Ending number with extension is the encrypted file (Eg: 4545.txt must be used to decrypt the file and not the entire file name).

Please use the exact file name & Password to decrypt this file.”);”

This makes the user think that the password has been kept in some file, but it’s not true, because the encryption/decryption key (being a symmetric cipher, AES uses the same key for encryption and decryption) is not kept anywhere in the filesystem. The decryption process is the same as the encryption process: the [random_number] that is found in the name of the encrypted file Dark_Shades_Encrypted_[random_number] is received in the d3crypt command, along with the decryption key. After being decrypted, the filename will be found in the Meteoroid directory having this name: [random_number].[original_extension].

10. 3nAll/D3All:

These commands apply the above-mentioned encryption process to most of the files found in the external storage, based on their extension. All types of office documents (doc, DOC, docx, DOCX, TXT, txt, ppt, xls etc) are targeted, along with .mp3, .mp4, .wav, .jpg, .png, .C, .JAVA and many more types.

11. Tsms/Rcall/delcon/DelCal/gctcts:

These commands all relate to telephone operations and their usage is as follows:

  • Tsms: sends an SMS to the number and with the content present in the command
  • Rcall: makes a call to the number found in the command
  • delcon: deletes all the contacts in the contacts list
  • DelCal: deletes the call logs
  • gctcts: fetches all the contacts from the contacts list and saves them in a .vcf file found in /Android/data/Nebula/Contacts
12. Tshot:

Captures the screen using the screencap command and saves it in the/Android/data/nebula/Pictures directory.

Figure 18: the screen capturing function

13. terminal:

Returns a shell handle to be used for future commands.

14. CRED:

This command is the trigger for starting the Card credentials grabbing procedure.

15. DDOS:

This command initiates a Distributed Denial of Service (DDOS). The target and the duration of the attack are found in the command.

Figure 19: the command (str) is being split and, in the for loop, the attack (the b(str2), where str2 is, most likely, the target) is being started)


Below is the class responsible for the DDOS attack. The value of “User-Agent” property can be used in the firewall to potentially block this kind of attack: “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0”

Figure 20: the class responsible for the DDOS attack

16. RATC:

The last noteworthy command is the one which creates a reverse shell to the attacker, thus allowing him complete control over the device.

Figure 21: the function which initializes the reverse connection

Figure 22: a snippet of code from the class that makes the reverse connection


We conclude that only two Darkshades variants exist. The one with the card credentials grabbing “feature” and the other without it. The code misses some implementation functions such as the WhatsApp functionality. The fact that this family has been active at the end of 2019 and the beginning of 2020, suggests we can be confident that this is a new family which will continue to make its appearance in the wild. We also expect some more variants with space related names such as: “Nebula”, “Meteoroid” and “com.cosmos.darkshades”.

We recommend users to be always careful about the source of the app they are installing. Additionally, pay great attention to the permissions that apps are requesting, and always use an anti-malware solution to protect their devices.

Indicators of Compromise (IoCs)

Hashes (Avira detection name: ANDROID/SpyAgent.FOTY.Gen)


URLs (at the time of writing, all are down)




Directories created
/sdcard /Android/data/Nebula/
/sdcard /Android/data/Nebula/Screenshots/
/sdcard /Android/data/Nebula/Pictures/
/sdcard /Android/data/Nebula/Audio/
/sdcard /Android/data/Nebula/Contacts/
/sdcard /Android/data/Nebula/KeyStrokes/
/sdcard /Android/data/Nebula/Files/
/sdcard /Android/data/Nebula/Passwords/
/sytem/app/Cosmos (at command)
/sdcard /Meteoroid (at command)
Files created
[externalStorage]/Meteoroid/Dark_Shades_Encrypted_[random_number] (at command)

MITRE ATT&CK techniques

Tactic ID Name Description

Initial Access

T1476 Deliver Malicious App via Other Means The app doesn’t impersonates a legitimate app nor is it distributed via an authorized app store



T1426 System Information Discovery The app uniquely identifies the device via information from android.os.Build class
T1422 System Network Configuration Discovery Gathers telephony information such as IMEI and phone number through the android.telephony.TelephonyManager class








T1433 Access Call Log Gathers call log data after an SMS is received
T1432 Access Contact List The app gathers the contact list and has the ability to also write to it
T1429 Capture Audio Can collect audio recorded by the microphone if given the android.permission.RECORD_AUDIO permission
T1512 Capture Camera Can take pictures and videos if given the android.permission.CAMERA permission
T1412 Capture SMS Messages The app captures the SMS inbox after an SMS is received
T1430 Location Tracking The app tracks the device’s physical location through use of standard operating system APIs
T1513 Screen Capture Captures screenshots using the screen-cap


Exfiltration T1437 Standard Application Layer Protocol Sends all the information captured from the

device using HTTP or HTTPS

Commands & Control T1437 Standard Application Layer Protocol Gets a JSON object from the server,

containing the command, besides other



Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.
In depth analysis of Darkshades. A RAT infecting Android devices

Avira Protection Labs

Protection Lab is the heart of Avira’s threat detection and protection unit. The researchers at work in the Labs are some of the most qualified and skilled anti-malware researchers in the security industry. They conduct highly advance research to provide the best detection and protection to nearly a billion people world-wide.

You might like

Expert Perspectives

Vulnerability update – May 2020

Vulnerability update – May 2020

In this report we will take a look at some of the more interesting vulnerabilities of early 2020.

2 months ago 3 min read