[Image: Glitch SPY admin login panel]
At a glance
| Field | Detail |
|---|---|
| Malware family | Glitch SPY (Android RAT and builder platform) |
| Threat actor | Unattributed; operator unidentified |
| Targets | People seeking rental properties in Poland; Polish speakers |
| Delivery | Fake Polish rental website pushing an APK via the Brokewell loader |
| Key capabilities | Screen streaming, keylogging, SMS and contact theft, crypto-clipper, remote browser, remote control |
| Source | Cyble Research and Intelligence Labs |
TL;DR
Cyble uncovered a new Android RAT called Glitch SPY. It reaches victims through a fake Polish apartment rental website that pushes an APK. Once installed, the Glitch SPY Android RAT abuses the Accessibility Service to take near-total control of the phone.
Who Runs It
Cyble has not tied Glitch SPY to a named group. So the attribution stays open for now. The evidence points to early-stage activity, with one recovered APK and two admin panels. Its Polish-language lure points to a Poland-focused campaign. The Brokewell loader used for delivery traces to a known malware developer.
Delivery
Glitch SPY hides behind a fake rental platform aimed at Poland. It advertises verified apartments, viewings, and broker-free deals. Then it pushes visitors to install an app for bookings. That request alone should raise a flag. Real rental apps live on Google Play, not on a listings site.
The download is not the spyware itself. It is the Brokewell Android Loader, a known dropper Cyble first documented in 2024. The loader shows a fake update screen. Next, it asks the user to allow installs from unknown sources. Once the user agrees, it drops the Glitch SPY payload. After launch, the app shows the rental site as a decoy while the real code runs in the background.
Infection Chain
After install, Glitch SPY requests the Android Accessibility Service. This one approval unlocks its power. The malware then auto-grants other permissions and drives the screen. It can read text, tap buttons, enter input, and unlock the device.
The good news sits in that first prompt. As Cyble notes, denying the “unknown sources” request “stops the payload before it installs.” So a single careful choice ends the attack.
Command And Control And Data Theft
Glitch SPY holds a persistent WebSocket link to its server. It registers each phone as an “agent” and waits for orders. The implant keeps a heartbeat alive to stay reachable. The platform supports more than 70 commands. These cover live screen streaming, screenshots, and screen-reader capture. They also include SMS, contacts, call logs, and location theft. Keylogging, camera and microphone capture, and shell access complete the toolkit.
Money-focused features
Two features target finances directly. A crypto-clipper watches the clipboard for wallet addresses. It swaps them for attacker-owned addresses across Ethereum, TRON, and Bitcoin formats. The change stays within the same coin family, so it looks plausible.
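The substitution described above is hard to catch by eye precisely because the swapped-in address keeps the same prefix and shape as the original. The following added example (not code from the report or from Cyble) shows the check a wallet or exchange app can make at send time: compare the address the user actually intended, taken from a saved contact or a QR scan, with whatever landed in the recipient field, and classify the mismatch. The address patterns are loose shape checks for the three families the report names (Ethereum, TRON, Bitcoin), not checksum validators, and every address in the sample data is a constructed placeholder.

```python
import re

# Loose syntactic patterns for the three address families the report names.
# They check shape only (prefix, alphabet, length), not checksums.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "bitcoin": re.compile(
        r"^(bc1[02-9ac-hj-np-z]{25,87}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"
    ),
}


def address_family(text):
    """Return 'ethereum', 'tron', 'bitcoin', or None for a non-address string."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def check_pasted_address(expected, pasted):
    """Compare the address the user meant to send to (from a saved contact or
    a QR scan) with the value that actually landed in the recipient field."""
    expected, pasted = expected.strip(), pasted.strip()
    fam_expected = address_family(expected)
    if fam_expected is None:
        return "not_an_address"
    if pasted == expected:
        return "ok"
    if address_family(pasted) == fam_expected:
        # Same coin family, different address: the substitution the report
        # describes, which a glance at the prefix will not catch.
        return "swap_same_family"
    return "swap_cross_family"


def audit_transfers(transfers):
    """Run the check over (expected, pasted) pairs and return verdicts in order."""
    return [check_pasted_address(exp, pasted) for exp, pasted in transfers]


# Constructed sample data: placeholder strings with the right shape, not real
# wallets. The third pair simulates a clipper replacing one Ethereum address
# with another Ethereum address.
SAMPLE_TRANSFERS = [
    ("0x" + "1" * 40, "0x" + "1" * 40),   # untouched paste
    ("T" + "A" * 33, "T" + "A" * 33),     # untouched paste
    ("0x" + "1" * 40, "0x" + "2" * 40),   # same-family swap
    ("1" + "A" * 33, "T" + "B" * 33),     # cross-family change (implausible)
    ("hello world", "hello world"),       # not an address at all
]

if __name__ == "__main__":
    for pair, verdict in zip(SAMPLE_TRANSFERS, audit_transfers(SAMPLE_TRANSFERS)):
        print(f"{pair[1][:12]:<14} {verdict}")
```

The verdict that matters is `swap_same_family`: a prefix-only visual check passes it, so the app should block the send and show both addresses in full. The check needs a trusted reference address, which is why it belongs where the intended recipient is known (contact book, QR scan, or a previously confirmed address) rather than on the raw clipboard.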
A hidden remote browser adds account-takeover power. It loads pages in an off-screen window on the victim’s phone. As Cyble puts it, “the attacker’s web activity originates from the victim’s IP.” So the victim’s own cookies and sessions carry the fraud. That makes bank and crypto checks far less likely to flag it.
A Reusable Platform
Glitch SPY is a builder kit, not a single sample. Operators set a custom app name, icon, package ID, and decoy URL. As Cyble notes, “retargeting for a new region or lure requires no code changes.” The exposed panel also shows Agents, Viewer, Builder, and Dropper modules. A Cryptor module sits marked “Coming soon.”
How To Stay Protected
Avoid installing APKs from outside official stores. The loader’s first move is the “unknown sources” request, so deny it. Treat any app that demands Accessibility access as suspicious. Also keep Google Play Protect switched on. Review app permissions often, and remove apps you do not recognize.
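The advice to treat Accessibility access as suspicious and to check for apps you do not recognize can be turned into a repeatable audit. The added example below (not code from the report or from Cyble) parses the output of two standard adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and flags third-party packages that hold Accessibility access but were not installed from Google Play. The sample command output and every package name in it are constructed for the example; the line format assumed for `pm list packages -i` is `package:<name>  installer=<installer>`, with `installer=null` for an APK that recorded no installer (the usual case for a sideloaded package).

```python
import re

# Constructed output in the format of
#   adb shell settings get secure enabled_accessibility_services
# Entries are colon-separated "package/service" pairs. Names are made up.
SAMPLE_A11Y = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.rentals/.RemoteAccessService"
)

# Constructed output in the format of
#   adb shell pm list packages -3 -i
# One line per third-party package. installer=null means no installer
# package was recorded, which is what a sideloaded APK typically shows.
SAMPLE_PACKAGES = """\
package:com.android.talkback  installer=com.android.vending
package:com.example.rentals  installer=null
package:com.example.notes  installer=com.android.vending
"""

PLAY_STORE = "com.android.vending"
PACKAGE_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_accessibility_services(raw):
    """Return the set of package names with an enabled accessibility service."""
    packages = set()
    for entry in raw.strip().split(":"):
        if "/" in entry:
            packages.add(entry.split("/", 1)[0])
    return packages


def parse_installers(raw):
    """Map each third-party package name to its installer package (or 'null')."""
    installers = {}
    for line in raw.splitlines():
        m = PACKAGE_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def find_suspect_packages(a11y_raw, packages_raw, allowlist=frozenset()):
    """Return third-party packages that hold Accessibility access and did not
    come from Google Play, minus an explicit allowlist, sorted for stable output."""
    a11y = parse_accessibility_services(a11y_raw)
    installers = parse_installers(packages_raw)
    suspects = []
    for pkg in a11y:
        if pkg in allowlist:
            continue
        if pkg not in installers:
            continue  # not in the third-party list (system app); out of scope here
        if installers[pkg] != PLAY_STORE:
            suspects.append(pkg)
    return sorted(suspects)


if __name__ == "__main__":
    for pkg in find_suspect_packages(SAMPLE_A11Y, SAMPLE_PACKAGES):
        print(f"REVIEW: {pkg} has Accessibility enabled and was not installed from Play")
```

A hit is a review item, not a verdict: a legitimately sideloaded screen reader would also appear, which is what the allowlist is for. What the check catches is the combination the report describes, an app that arrived outside the store and then obtained the one permission that unlocks everything else.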