DocSwap Malware Masquerades as Security Document Viewer to Target Android Users Globally – Active IOCs

2025-03-19 Rewterz

https://rewterz.com/threat-advisory/docswap-malware-masquerades-as-security-document-viewer-to-target-android-users-globally-active-iocs


Once installed, the malware requests excessive permissions, including access to contacts, storage, and SMS, which allow it to exfiltrate sensitive data. Its core functionality relies on a native library that exfiltrates device information, contact lists, and SMS messages to a command-and-control (C2) server over an encrypted communication protocol. This custom protocol is designed to mimic HTTPS traffic, adding another layer of stealth. Organizations should educate users on social engineering tactics and implement strict security policies to prevent such malware infections.

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   643ecf86671b5f9fd5793a9316b013b…    2025-03-19   2025-03-19
HASH   3ccfe58b8e0b5ca96cac4e9394567515    2025-03-19   2025-03-19
HASH   bf134495142d704f9009a7d325fb954…    2025-03-13   2025-03-19
