Particle.news

Herodotus Android Trojan Mimics Human Typing to Evade Anti-Fraud Defenses

Researchers detail campaigns in Italy and Brazil using infrastructure tied to multiple operators.

Overview

  • ThreatFabric reports the malware enables full device takeover with credential-stealing overlays, SMS and 2FA interception, screen capture, and remote taps and swipes.
  • Operators distribute the payload via SMS phishing that installs a dropper, prompts for Accessibility permissions, and uses opaque overlays to hide the permission-granting steps.
  • A built-in humanizer inserts random 0.3–3 second delays between keystrokes to make remote input resemble real user typing and bypass timing-based behavioral checks.
  • Observed infrastructure uses the domain google-firebase.digital with seven subdomains and MQTT-based control, suggesting multi-actor use and region-specific campaigns.
  • The trojan is sold as malware-as-a-service (MaaS) by an actor known as K1R0, shows code overlaps with Brokewell, and remains under active development; overlays recovered by researchers target institutions in the US, UK, Turkey, and Poland.
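As an added illustration (not part of the Particle.news summary or ThreatFabric's report) of why a speed-and-regularity check alone is weak against a humanizer that delays each keystroke by 0.3–3 seconds, the constructed Python check below contrasts a naive timing test with one that also expects the sub-300 ms bursts real typing produces. The thresholds and the sample keystroke timestamps are assumptions, not validated production values.

```python
"""Toy timing-based behavioral check over keystroke telemetry.

Constructed example; thresholds are illustrative assumptions.
"""
import statistics

FAST_KEY = 0.30   # seconds; lower bound of the humanizer's reported delay band
SLOW_KEY = 3.00   # seconds; upper bound of that band


def intervals(timestamps):
    """Inter-keystroke gaps (seconds) from a sorted list of key-down times."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def features(timestamps):
    gaps = intervals(timestamps)
    mean = statistics.mean(gaps)
    return {
        "min_gap": min(gaps),
        "fast_fraction": sum(g < FAST_KEY for g in gaps) / len(gaps),
        "in_humanizer_band": all(FAST_KEY <= g <= SLOW_KEY for g in gaps),
        "cv": statistics.pstdev(gaps) / mean if mean else 0.0,
    }


def naive_check(timestamps):
    """Classic check: reject input that is too fast or too regular for a person."""
    f = features(timestamps)
    return "scripted" if f["min_gap"] < 0.02 or f["cv"] < 0.10 else "human-like"


def improved_check(timestamps):
    """Also require the burstiness of real typing: some gaps under 300 ms.

    Input whose every gap sits inside the 0.3-3 s band passes the naive test,
    but a person typing a short field almost always produces faster keystrokes.
    """
    if naive_check(timestamps) == "scripted":
        return "scripted"
    f = features(timestamps)
    if f["in_humanizer_band"] and f["fast_fraction"] == 0.0:
        return "suspicious-remote-input"
    return "human-like"


# Constructed key-down timestamps (seconds) for a 12-character field.
HUMAN = [0.00, 0.12, 0.31, 0.45, 0.52, 0.90, 1.02, 1.15, 1.60, 1.72, 1.85, 2.05]
SCRIPTED = [round(0.05 * i, 2) for i in range(12)]          # fixed 50 ms cadence
HUMANIZED = [0.0, 1.4, 2.1, 4.8, 5.3, 7.9, 8.6, 11.2, 12.9, 13.4, 16.1, 17.0]

if __name__ == "__main__":
    for name, s in [("human", HUMAN), ("scripted", SCRIPTED), ("humanized", HUMANIZED)]:
        print(f"{name:10} naive={naive_check(s):12} improved={improved_check(s)}")
```

The humanized session passes the naive test but is flagged by the improved one because none of its gaps falls below 300 ms.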