A highly sophisticated Android Banking Trojan has emerged, combining traditional financial theft with advanced Remote Access Trojan (RAT) capabilities. A detailed analysis from Cyfirma reveals a threat specifically engineered to compromise Russian users through a lethal mix of stealth, persistence, and real-time device control.
Operating under the guise of legitimate services, with some versions using the “RuTaxi” identifier, the malware is designed to maximize effectiveness against a specific demographic while minimizing exposure in other regions.
Unlike simpler banking malware, this Trojan offers threat actors a “VNC-like” window into the victim’s digital life. By abusing the Accessibility and MediaProjection APIs, the malware implements real-time screen streaming via WebSockets.

This allows attackers to:
- Capture Lock Screen PINs: The malware monitors the system lock screen to “intercept the PIN as it is entered,” saving the stolen credentials locally with timestamps.
- Exfiltrate Keystrokes: Captured data is formatted into structured JSON payloads that include the “source application, logged text, event type, and timestamp”.
- Intercept OTPs: By requesting to be the default SMS app, the Trojan gains “full control over SMS functionality, enabling it to read incoming messages… access OTPs, suppress notifications, and silently delete messages”.
The malware’s authors have gone to great lengths to evade static analysis and traditional antivirus tools. Most of the critical logic is shifted away from easily analyzable Java code into a native library named sysruntime.so.
The analysis notes that “important data, such as the bot ID, server list, and WebView link, is hidden inside this native file instead of the normal app code”. To further complicate recovery, the C2 server address (identified as 193.233.112.229) and Firebase credentials are reconstructed only at runtime using “rolling XOR string obfuscation” and “non-linear memory access patterns”.
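To make the phrase “rolling XOR string obfuscation” concrete from the analyst’s side, the following Python is an added example (not Cyfirma’s tooling and not the sample’s actual scheme) showing how configuration strings are recovered once the key and the obfuscated table have been pulled out of a native library. The key schedule (the key byte advanced by its position) and the length-prefixed table layout are assumptions made for illustration; the blob and key below are constructed, not taken from the real sample.

```python
"""Recover strings from a rolling-XOR obfuscated string table.

Added example: the key schedule and table layout are assumed for
illustration and are not the scheme documented in the Cyfirma analysis.
"""


def rolling_key_byte(key: bytes, i: int) -> int:
    # "Rolling": the key byte used at position i is offset by i, so two equal
    # plaintext bytes at different positions do not yield equal ciphertext
    # bytes. This defeats naive single-byte XOR brute forcing of the blob.
    return (key[i % len(key)] + i) & 0xFF


def decode_entry(blob: bytes, key: bytes) -> str:
    # XOR is symmetric: applying the same key stream again yields the plaintext.
    return bytes(b ^ rolling_key_byte(key, i) for i, b in enumerate(blob)).decode("latin-1")


def decode_table(table: bytes, key: bytes) -> list[str]:
    """Assumed table layout: repeated [len:1 byte][obfuscated bytes:len]."""
    out, pos = [], 0
    while pos < len(table):
        n = table[pos]
        chunk = table[pos + 1 : pos + 1 + n]
        if len(chunk) != n:
            raise ValueError(f"truncated entry at offset {pos}")
        out.append(decode_entry(chunk, key))
        pos += 1 + n
    return out


def looks_like_text(s: str) -> bool:
    # Analysts confirm a candidate key by checking that every entry decodes to
    # printable ASCII; a wrong key produces control bytes and high-bit garbage.
    return bool(s) and all(32 <= ord(c) < 127 for c in s)


def plausible_strings(table: bytes, key: bytes) -> list[str]:
    return [s for s in decode_table(table, key) if looks_like_text(s)]


# Constructed sample (not from the real malware): two entries, "server" and
# "bot", obfuscated under the assumed scheme with key b"k3y".
SAMPLE_KEY = b"k3y"
SAMPLE_TABLE = bytes.fromhex("0618510918520c" "03095b0f")

if __name__ == "__main__":
    for s in plausible_strings(SAMPLE_TABLE, SAMPLE_KEY):
        print(s)
```

The useful habit here is the plausibility filter: when the key is recovered from a runtime dump rather than read from source, decoding the whole table and checking that every entry is printable is a cheap confirmation that the right key and the right schedule were used.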
Once installed, the Trojan is notoriously difficult to remove. Its multi-layered persistence architecture ensures it “remains active under nearly all conditions: reboot, network loss, device idle state, or user attempts to stop it”.
Key persistence tactics identified include:
- Boot Auto-Start: Automatically launches before the user even unlocks the phone after a reboot.
- Accessibility Abuse: Uses elevated privileges to regain control and prevent the app’s removal.
- Battery Optimization Bypass: Specifically requests exemptions to avoid being suspended by the Android system.
- Firebase Push Commands: Leverages push messaging to wake the malware on demand and receive remote commands.
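Each of the persistence tactics above, and the default-SMS-app trick described earlier, leaves a footprint in the app’s manifest: a boot receiver, an accessibility service bound with BIND_ACCESSIBILITY_SERVICE, the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission, an SMS_DELIVER receiver, and a Firebase messaging service. The following Python is an added triage example (not Cyfirma’s tooling) that scans a decoded AndroidManifest.xml for that combination and reports which capabilities are present; the manifest embedded in it is constructed for illustration, and the permission and action names are the standard Android ones.

```python
"""Triage a decoded AndroidManifest.xml for the persistence and control
capabilities described above. Added example; the sample manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Requested permissions that signal a capability.
PERMISSION_INDICATORS = {
    "boot_autostart": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "battery_optimization_bypass": {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "sms_control": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                    "android.permission.SEND_SMS"},
    "screen_capture_service": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
}
# Intent actions on receivers/services that signal the same capabilities.
ACTION_INDICATORS = {
    "android.intent.action.BOOT_COMPLETED": "boot_autostart",
    "android.provider.Telephony.SMS_DELIVER": "sms_control",  # needed to be the default SMS app
    "com.google.firebase.MESSAGING_EVENT": "push_command_channel",
}


def triage_manifest(manifest_xml: str) -> dict[str, list[str]]:
    """Return {capability: sorted evidence} for every capability found."""
    root = ET.fromstring(manifest_xml)
    evidence: dict[str, set[str]] = {}
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    for label, perms in PERMISSION_INDICATORS.items():
        for perm in requested & perms:
            evidence.setdefault(label, set()).add(perm)
    for svc in root.iter("service"):
        # An accessibility service must be exported under this system permission.
        if svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            evidence.setdefault("accessibility_service", set()).add(svc.get(NAME))
    for action in root.iter("action"):
        label = ACTION_INDICATORS.get(action.get(NAME))
        if label:
            evidence.setdefault(label, set()).add(action.get(NAME))
    return {k: sorted(v) for k, v in sorted(evidence.items())}


def risk_level(findings: dict) -> str:
    # Heuristic, not a verdict: an accessibility service combined with several
    # persistence/SMS capabilities is the profile described in the report.
    n = len(findings)
    if "accessibility_service" in findings and n >= 4:
        return "high"
    return "medium" if n >= 2 else "low"


# Constructed manifest mirroring the capabilities described in the analysis.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".PushService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    print(risk_level(found), found)
```

On a real APK the manifest is binary XML, so run this on the output of apktool or aapt2 rather than on the raw file. The point of keying on the combination rather than on any single permission is that legitimate SMS, accessibility, and push-messaging apps each request one of these; it is the stacking of all of them in one package with no obvious reason that matches the profile above.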
The malware maintains an extensive “app-targeting logic” that specifically scans for installed banking apps, marketplaces, government portals, and cryptocurrency wallets popular in Russia. Cyfirma’s researchers successfully decoded the obfuscated target list, which includes major institutions like Sberbank, Tinkoff, VTB, and Alfa-Bank, as well as platforms like Binance and Metamask.
This strategically focused design, combined with automated distribution via RAT kits, makes the RuTaxi Trojan a significant and evolving risk to the Russian financial ecosystem.