Zimperium

Extended IOCs for TaxiSpy Android Banking Malware

Written by Nicolás Chiaraviglio | Mar 09, 2026

Recent research published by CYFIRMA highlights TaxiSpy RAT, an Android malware campaign targeting banking users while providing attackers with extensive remote-control capabilities over infected devices. The malware combines traditional banking trojan functionality with full RAT capabilities, enabling threat actors to intercept SMS messages and OTPs, monitor financial applications, capture sensitive user input, and execute commands remotely on compromised devices.

TaxiSpy abuses several high-risk Android features to maintain control and persistence. It attempts to become the device’s default SMS handler, the one app Android delivers incoming messages to via SMS_DELIVER and allows to write to the SMS provider, so it can read and suppress OTPs before the user sees them; it leverages Accessibility Services, which can read on-screen content and inject input without root, to monitor user interactions and automate actions; and it communicates with attacker-controlled infrastructure to receive commands and exfiltrate stolen data. Together these capabilities enable credential harvesting, financial fraud, and device surveillance at scale.

While the original report documented several TaxiSpy samples and indicators of compromise, zLabs analysis uncovered 60 additional TaxiSpy samples beyond those initially reported, indicating active repackaging and variant generation by the operators. This behavior is consistent with modern Android malware campaigns, where attackers continuously release new builds in an effort to evade signature-based detection and blacklist defenses.
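The two preceding paragraphs describe a capability set (default-SMS-handler role, Accessibility Service, network C2) and a repackaging pattern (new builds that defeat hash blacklists). The script below, an added example and not Zimperium's, CYFIRMA's or TaxiSpy's code, shows how a triage pipeline can key on the former rather than the latter: it parses an AndroidManifest.xml, checks for the four components Android requires before offering an app the SMS role plus the Accessibility Service binding, and then demonstrates on two constructed manifests (not real samples; the package names are invented) that a package rename changes the SHA-256 while the capability fingerprint stays identical.

```python
"""Manifest-level capability triage for the TaxiSpy-style profile.
Added example; the manifests below are constructed, not real samples."""
import hashlib
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"


def _name(e):
    return e.get(NS + "name")


def _actions(component):
    """All <action android:name> values across a component's intent-filters."""
    return {_name(a) for f in component.findall("intent-filter") for a in f.findall("action")}


def _schemes(component):
    return {d.get(NS + "scheme") for f in component.findall("intent-filter") for d in f.findall("data")}


def capability_fingerprint(manifest_xml: str) -> dict:
    """Flags describing what the app *can do*; these survive repackaging."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    perms = {_name(p) for p in root.findall("uses-permission")}
    receivers, services, activities = (app.findall(t) for t in ("receiver", "service", "activity"))
    # Android only offers the default-SMS role to an app declaring all four of these.
    sms_deliver = any("android.provider.Telephony.SMS_DELIVER" in _actions(r)
                      and r.get(NS + "permission") == "android.permission.BROADCAST_SMS" for r in receivers)
    wap_push = any("android.provider.Telephony.WAP_PUSH_DELIVER" in _actions(r)
                   and r.get(NS + "permission") == "android.permission.BROADCAST_WAP_PUSH" for r in receivers)
    sendto = any("android.intent.action.SENDTO" in _actions(a)
                 and {"sms", "smsto", "mms", "mmsto"} <= _schemes(a) for a in activities)
    respond = any("android.intent.action.RESPOND_VIA_MESSAGE" in _actions(s)
                  and s.get(NS + "permission") == "android.permission.SEND_RESPOND_VIA_MESSAGE" for s in services)
    # An Accessibility Service is a service bound with BIND_ACCESSIBILITY_SERVICE.
    a11y = any(s.get(NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
               and "android.accessibilityservice.AccessibilityService" in _actions(s) for s in services)
    return {
        "sms_role_eligible": sms_deliver and wap_push and sendto and respond,
        "reads_sms": bool(perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}),
        "accessibility_service": a11y,
        "network": "android.permission.INTERNET" in perms,
    }


def triage_flags(fp: dict) -> list:
    """A real SMS client is SMS-role eligible too; the escalation is the combination."""
    flags = []
    if fp["sms_role_eligible"]:
        flags.append("default-SMS-handler capable (OTP interception)")
    if fp["accessibility_service"]:
        flags.append("accessibility service (UI monitoring/automation)")
    if fp["sms_role_eligible"] and fp["accessibility_service"] and fp["network"]:
        flags.append("HIGH: SMS role + accessibility + network (banking RAT profile)")
    return flags


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed manifest; only the package name differs between the two "variants".
_TEMPLATE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="{pkg}">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsRx" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
        <data android:mimeType="application/vnd.wap.mms-message"/></intent-filter></receiver>
    <activity android:name=".Compose"><intent-filter><action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/>
        <data android:scheme="mms"/><data android:scheme="mmsto"/></intent-filter></activity>
    <service android:name=".Respond" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter></service>
  </application>
</manifest>"""
VARIANT_A = _TEMPLATE.format(pkg="com.example.variant_a")  # hypothetical package names
VARIANT_B = _TEMPLATE.format(pkg="com.example.variant_b")

if __name__ == "__main__":
    for label, m in (("A", VARIANT_A), ("B", VARIANT_B)):
        print(label, sha256(m)[:16], triage_flags(capability_fingerprint(m)))
```

The hash prefixes printed for A and B differ, which is all a blacklist sees; the two flag lists are identical, which is what a behavioral rule keys on. In practice the manifest is pulled from the APK with apktool or aapt2 first, and the fingerprint is one input alongside runtime behavior, not a verdict on its own.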

Despite these evolving variants, Zimperium customers remain fully protected. Both Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) detect TaxiSpy activity through Zimperium’s on-device dynamic detection engine in a zero-day fashion, allowing detection even as attackers modify packaging techniques or generate new samples.

Although current activity appears focused on banking users, threats like TaxiSpy pose a broader risk to organizations whose employees rely on mobile devices to access corporate services. Malware capable of intercepting SMS messages, harvesting credentials, and remotely controlling devices can enable account takeover, bypass multi-factor authentication mechanisms, and provide attackers with persistent access to sensitive enterprise applications and data.

As Android malware increasingly evolves toward full remote-access spyware capabilities, organizations must rely on security solutions capable of detecting malicious behavior directly on the device. Behavioral detection and runtime protection remain critical controls to prevent compromised mobile devices from becoming entry points into enterprise environments.

The full list of IOCs can be found in this GitHub repository.