This dangerous new malware also has ransomware capabilities

Samsung Galaxy S23 hands on display macro
(Image credit: Future | Alex Walker-Todd)

A new Android malware variant has been found that’s capable of hiding from antivirus programs, stealing sensitive data, and even deploying ransomware on the infected endpoints. 

Cybersecurity experts from CloudSEK’s Threat Intelligence Research Team discovered the malware, which they dubbed “Daam”. 

The malware was communicating with “various Android APK files”, the researchers said, suggesting that this was a “likely source of infection”.

Recording calls

Once deployed on a device, the malware will first try to circumvent security checks on a range of mobile brands. If it successfully manages to hide from antivirus programs, it will try to get highly sensitive permissions, such as the ability to record audio, read history bookmarks, kill background processes, and read call logs. 

The malware is also able to record all ongoing calls, both cellular and VoIP ones, and later transmit them to the command & control (C2) server. Daam is also capable of stealing contacts from the victim's device, as well as pilfering newly added contacts, as well.

In other words, even your WhatsApp calls wouldn’t be safe from eavesdropping, and the files you store on your mobile device could be stolen. 

To make matters worse, the malware was also observed to have ransomware capabilities. The researchers are saying Daam is able to encrypt the files on the device using AES algorithms present in the root directory and SD card. It also drops a “readme_now.txt” file - most likely a ransom note. 

After the encryption, all other files are deleted from local storage, leaving only the encrypted files with a .enc extension on the device.

The malware is being distributed through third-party websites, the researcher said, finding a total of three apps being circulated: Psiphon Client for Android and Windows - a circumvention software for Windows and Android that bypasses paywalls and other censored content; Boulders - a mobile game; and Currency Pro - a currency converter.

As usual, to stay safe, make sure to download apps only from legitimate sources, and to check reviews and user comments before downloading anything.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.