Kevdroid Remote Access Trojan

Kevdroid is an Android-based remote access trojan (RAT) that is delivered via fake anti-virus applications that the user downloads from third-party websites.

Kevdroid uses the known exploit CVE-2015-3636, which can allow actors to gain root permissions and compromise the device. Once the device is compromised, Kevdroid aims to steal data such as phone call recordings, contacts, photos and current location data.

Attackers could also blackmail victims using images or information deemed secret, could steal credentials and multi-factor tokens (SMS MFA), and could also engage in banking/financial fraud using their access to privileged information. Should the infected device be used in corporate environments, a Kevdroid attack could lead to cyber espionage.

Indicators of compromise

SHA-256 Hashes

  • f33aedfe5ebc918f5489e1f8a9fe19b160f112726e7ac2687e429695723bca6a
  • c015292aab1d41acd0674c98cd8e91379c1a645c31da24f8d017722d9b942235

C2 Server

  • hxxp://cgalim[.]com/admin/hr/pu/pu.php
  • hxxp://cgalim[.]com/admin/hr/1.apk

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
