Whitepapers
On this page, I will post whitepapers and references for each work or blog post in which I was personally involved. The goal of this page is to share additional information that I wasn't able to post directly on the main page for any reason (e.g., conference slides, work activities, etc.).
PlayPraetor's evolving threat: How Chinese-speaking actors globally scale an Android RAT
PlayPraetor is a modern Android RAT. Its core functionality relies on abusing Android's Accessibility Services to gain extensive, real-time control over a compromised device. This allows an operator to perform fraudulent actions directly on the victim's device.
SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation
This article delves into a particularly active fraud campaign targeting Italy, which we assess to be associated with a previously undocumented Android malware offered through a Malware-as-a-Service (MaaS) model promoted as 'SuperCard X'.
DroidBot: Insights from a new Turkish MaaS fraud operation
DroidBot is an advanced Android Remote Access Trojan (RAT) that combines classic hidden VNC and overlay capabilities with features often associated with spyware. It includes a keylogger and monitoring routines that enable the interception of user interactions, making it a powerful tool for surveillance and credential theft.
ToxicPanda: a new banking trojan from Asia hit Europe and LATAM
ToxicPanda belongs to the modern RAT generation of mobile malware, as its Remote Access capabilities allow Threat Actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the On Device Fraud (ODF) technique.
A new TrickMo saga: from banking trojan to victim's data leak
TrickMo has a well-documented history of targeting Android devices. It emerged as part of TrickBot's evolution, enabling Threat Actors (TAs) to expand the infection to the Android environment. The anti-analysis mechanisms it introduced, which combine different techniques known as malformed ZIP, JSONPacker, and dropper apps, highlight the malware's ever-evolving nature.
BingoMod: The new Android RAT that steals money and wipes data
BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow Threat Actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the On Device Fraud (ODF) technique.
Operation drIBAN: Insight from Modern Banking Frauds Behind Ramnit
Investigation of a persistent fraud operation targeting Italian corporate banking clients, revealing the drIBAN web-inject kit and its sophisticated infection chain consolidated by threat actors.
Nexus: A New Android Botnet?
Analysis of the Nexus Android banking botnet promoted on underground forums in early 2023, exploring its history, target countries, main features, and control panel architecture.
PixPirate: A New Brazilian Banking Trojan
Research on PixPirate, a next-generation Android banking trojan capable of Automatic Transfer System (ATS) attacks on Brazil's Pix instant payment platform.
The Android Malware's Journey: From Google Play to Banking Fraud
Investigation into the evolution of Android banking trojan distribution techniques, focusing on dropper applications used to bypass official app store security measures.
BRATA is Evolving into an Advanced Persistent Threat
Analysis of BRATA's evolution into a targeted APT, examining threat actors' strategic approach of focusing on specific financial institutions and adapting to countermeasures.