Kevdroid is an Android-based remote access trojan (RAT) that is delivered via fake anti-virus applications that the user downloads from third-party websites.
Kevdroid uses the known exploit CVE-2015-3636, which can allow attackers to gain root permissions and compromise the device. Once the device is compromised, Kevdroid aims to steal data such as phone call recordings, contacts, photos and current location data.
Attackers could also blackmail victims using images or information deemed secret, steal credentials and multi-factor tokens (SMS MFA), and engage in banking/financial fraud using their access to privileged information. Should an infected device be used in a corporate environment, a Kevdroid attack could lead to cyber espionage.
Indicators of compromise