Rapid Response: Zimperium Delivers Immediate Coverage for Emerging Glitch SPY RAT Campaign
An emerging and highly aggressive Android Remote Access Trojan (RAT) called Glitch SPY has been reported by Cyble. Distributed through a sophisticated social engineering campaign, the malware uses a fraudulent Polish housing and apartment rental platform to lure unsuspecting users into downloading a malicious Android APK.
The initial application serves as a dropper—identified as the Brokewell Android Loader—which installs the final Glitch SPY payload. Once on the device, the malware relies heavily on the abuse of the Android Accessibility Service to gain absolute control over the victim's operating system.
Inside Glitch SPY: Technical Capabilities
Glitch SPY is not a standard information stealer; it is a full-scale surveillance and remote-control platform. Analysis of an exposed command-and-control (C&C) administrative panel indicates the presence of a modular architecture featuring an integrated Builder, Cryptor, and Loader system. This allows threat actors to easily customize app names, package IDs, icons, and decoy WebView URLs for rapid redistribution across different regional campaigns.
Once a victim activates the requested Accessibility permissions, Glitch SPY establishes a persistent WebSocket connection to its C&C server and unlocks over 70 distinct commands, including:
- Abuse of Accessibility Services: Automates the granting of system permissions, intercepts multi-factor authentication (MFA) codes, extracts visible on-screen text, and disables security interfaces without user intervention.
- Live Stream & Remote UI Execution: Supports real-time device screen streaming, arbitrary UI clicks, remote gestures, and a silent remote-browser capability. This allows attackers to perform account takeovers (ATO) directly from the victim's own device and residential IP address, bypassing traditional banking anti-fraud systems.
- Advanced Financial and Data Theft: Features a built-in crypto-clipper that monitors the system clipboard and dynamically swaps cryptocurrency wallet addresses (supporting Bitcoin, Ethereum/EVM, and TRON formats) with attacker-controlled destinations. It also supports file system encryption/decryption, keylogging, and standard data harvesting (SMS, call logs, contacts, and live location).
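The crypto-clipper behaviour described above leaves a recognisable trace: a clipboard entry holding a wallet address is replaced, within a fraction of a second and with no user action, by a different address of the same family. The following Python example, added here and not part of the Cyble or Zimperium analysis, shows one way a defender could flag that pattern over a log of clipboard events. The event log, the address samples and the five-second window are all constructed for the example, and the address patterns are deliberately approximate (format only, no checksum validation).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Approximate wallet-address formats for the three families the clipper is
# reported to target. Constructed for this example: they check shape only,
# not Base58Check / EIP-55 / bech32 checksums.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})"),
    "evm": re.compile(r"0x[0-9a-fA-F]{40}"),
    "tron": re.compile(r"T[1-9A-HJ-NP-Za-km-z]{33}"),
}


def address_family(text: str) -> Optional[str]:
    """Return which address family the clipboard text looks like, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return family
    return None


@dataclass
class ClipEvent:
    ts: float  # seconds since an arbitrary epoch (constructed)
    text: str  # clipboard primary-clip text


def find_swaps(events: List[ClipEvent], window: float = 5.0) -> List[dict]:
    """Flag a wallet address that is replaced by a *different* address of the
    same family within `window` seconds. A human re-copying an address takes
    longer than that; a clipper swaps it almost instantly."""
    alerts = []
    for cur, nxt in zip(events, events[1:]):
        family = address_family(cur.text)
        if family is None:
            continue
        if nxt.ts - cur.ts > window:
            continue
        if address_family(nxt.text) == family and nxt.text.strip() != cur.text.strip():
            alerts.append({
                "family": family,
                "original": cur.text.strip(),
                "replacement": nxt.text.strip(),
                "delay_s": round(nxt.ts - cur.ts, 3),
            })
    return alerts


# Constructed sample clipboard log: two swaps (bitcoin, tron), one legitimate
# re-copy of an EVM address 30 s later, and one unrelated text entry.
SAMPLE_EVENTS = [
    ClipEvent(100.0, "1AbCdEfGhJkLmNoPqRsTuVwXyZ12345678"),  # user copies BTC address
    ClipEvent(100.4, "3AbCdEfGhJkLmNoPqRsTuVwXyZ87654321"),  # replaced 0.4 s later
    ClipEvent(200.0, "Meeting at 3pm"),                      # not an address
    ClipEvent(300.0, "0x1111111111111111111111111111111111111111"),
    ClipEvent(330.0, "0x2222222222222222222222222222222222222222"),  # 30 s: user action
    ClipEvent(400.0, "TAbCdEfGhJkLmNoPqRsTuVwXyZ12345678"),
    ClipEvent(401.2, "TZyXwVuTsRqPoNmLkJhGfEdCbA87654321"),  # replaced 1.2 s later
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(f"[{alert['family']}] {alert['original']} -> {alert['replacement']} "
              f"after {alert['delay_s']} s")
```

On a real device the event source would be a clipboard-change listener in an endpoint agent; the time window is the key tuning knob, since a short window keeps legitimate address re-copies out of the alert stream while still catching an automated swap.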
Zimperium Coverage and Protection
Zimperium clients are fully protected against this threat. The detection engine behind Zimperium’s Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) detects both the Brokewell dropper and the Glitch SPY payloads out of the box through on-device dynamic detection, requiring no updates to maintain comprehensive coverage. Zimperium protection works at multiple layers of the attack chain:
- Malicious App Detection (MTD and zDefend)
- Sideloaded App Detection (MTD and zDefend)
- Malicious Traffic Detection (MTD)
- Accessibility Active (zDefend)
- Sideloaded App with Accessibility Active (zDefend)
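Two of the signals listed above, "Accessibility Active" and "Sideloaded App with Accessibility Active", can be reproduced from data Android already exposes: the installer package of each app and the colon-separated `enabled_accessibility_services` secure setting. The Python example below is added here to illustrate the logic and is not Zimperium's or Cyble's code. The app inventory and the settings string are constructed, and the set of "known store" installer package names is an assumption that a real deployment would maintain itself.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Installer packages treated as trusted stores. Assumption for this example;
# a production list would be curated per fleet (OEM stores, MDM agents, ...).
KNOWN_STORE_INSTALLERS = {
    "com.android.vending",                  # Google Play
    "com.sec.android.app.samsungapps",      # Galaxy Store
}


def parse_enabled_accessibility_services(setting: Optional[str]) -> Dict[str, List[str]]:
    """Parse Android's enabled_accessibility_services value.

    The value is a ':'-separated list of flattened ComponentNames such as
    'pkg/cls' or the shorthand 'pkg/.RelativeClass'. Returns
    {package: [fully qualified service class, ...]}.
    """
    active: Dict[str, List[str]] = {}
    if not setting:
        return active
    for flat in setting.split(":"):
        flat = flat.strip()
        if "/" not in flat:
            continue  # malformed entry; ignore rather than crash the scan
        pkg, cls = flat.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand shorthand relative class name
        active.setdefault(pkg, []).append(cls)
    return active


@dataclass
class InstalledApp:
    package: str
    installer: Optional[str]   # None when no installer recorded (e.g. APK via browser)
    system_app: bool = False


def triage(apps: List[InstalledApp], enabled_setting: Optional[str]) -> List[Tuple[str, List[str]]]:
    """Map each app to the risk signals it raises. An app with an active
    accessibility service that did not come from a known store is the
    combination this threat depends on, so it gets its own signal."""
    active = parse_enabled_accessibility_services(enabled_setting)
    findings = []
    for app in apps:
        signals = []
        sideloaded = (not app.system_app) and app.installer not in KNOWN_STORE_INSTALLERS
        a11y_active = app.package in active
        if sideloaded:
            signals.append("sideloaded_app")
        if a11y_active:
            signals.append("accessibility_active")
        if sideloaded and a11y_active:
            signals.append("sideloaded_app_with_accessibility_active")
        if signals:
            findings.append((app.package, signals))
    return findings


# Constructed inventory: a store-installed bank app, a store-installed screen
# reader that legitimately uses accessibility, a sideloaded app that also holds
# an accessibility service, and a system component.
SAMPLE_APPS = [
    InstalledApp("com.example.bank", "com.android.vending"),
    InstalledApp("com.example.screenreader", "com.android.vending"),
    InstalledApp("com.example.rentalapp", None),
    InstalledApp("com.android.settings", None, system_app=True),
]
SAMPLE_SETTING = (
    "com.example.screenreader/.ReaderService:"
    "com.example.rentalapp/com.example.rentalapp.svc.A11yService"
)

if __name__ == "__main__":
    for package, signals in triage(SAMPLE_APPS, SAMPLE_SETTING):
        print(package, "->", ", ".join(signals))
```

Note that accessibility use on its own is not malicious (screen readers and password managers need it), which is why the combined signal is the one worth alerting on, while the single signals remain useful context for an analyst.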
Zimperium remains at the forefront of defending mobile ecosystems against complex, multi-faceted threats like Glitch SPY by combining proactive threat hunting, real-time behavioral ML detection, and continuous updates to IOC coverage.