DroidJack
DroidJack is an Android remote access trojan (RAT), also known as SandroRAT, that can provide an attacker with near-complete control of an infected phone. Reported capabilities include capturing SMS data, capturing call data, browsing files, stealing contacts, tracking device location, activating the camera and microphone remotely, and capturing video using device cameras. The malware has been observed embedded in trojanized Android APKs, including a malicious Pokemon GO APK uploaded in July 2016 and an Android APK masquerading as an Adobe Flash Player update used in a campaign targeting Syrian opposition members.

In the Pokemon GO case documented by Proofpoint, the infected APK preserved the legitimate app's startup screen, added malicious classes, and was configured to communicate with the command-and-control domain pokemon.no-ip.org over TCP and UDP port 1337; at the time of analysis, that domain resolved to 88.233.178.130 in Turkey. Proofpoint identified the malicious APK with SHA256 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4 and MD5 d350cc8222792097317608ea95b283a8.

DroidJack was also identified in the Group5 operation targeting Syrian opposition figures, where it was delivered via the watering-hole site assadcrimes[.]info as adobe_flash_player.apk (MD5 8EBEB3F91CDA8E985A9C61BEB8CDDE9D) and configured to use command-and-control host 88.198.222[.]163. The Group5 reporting assessed, with moderate confidence, an Iranian nexus for that broader campaign.
Groups observed using it
1 distinct threat actor attributed by public researchers.
"The APK is an instance of DroidJack. According to Symantec, this malware evolved from an older codebase known as SandroRAT."
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 2 techniques
Collection: 2 techniques
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Android RAT masquerading as an Adobe Flash Player update APK; hides its icon, persists via boot receiver, and enables extensive device surveillance (SMS/calls/contacts/files/location, remote camera/mic; some features require root). Configured to use 88.198.222[.]163 for C2.
Android malware that can capture video through device cameras.
Android malware that captures SMS data.
Remote access trojan that captures call data.