An emerging and highly aggressive Android Remote Access Trojan (RAT) called Glitch SPY has been reported by Cyble. Distributed through a sophisticated social engineering campaign, the malware uses a fraudulent Polish housing and apartment rental platform to lure unsuspecting users into downloading a malicious Android APK.
The initial application serves as a dropper—identified as the Brokewell Android Loader—which installs the final Glitch SPY payload. Once on the device, the malware relies heavily on the abuse of the Android Accessibility Service to gain absolute control over the victim's operating system.
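The two-stage chain described above (a dropper that installs a second APK, then a payload that requests Accessibility Service control and talks to a C&C server) leaves static traces in an app's manifest. The following added triage helper is not Zimperium's or Cyble's code and uses a constructed sample manifest, not the real Brokewell or Glitch SPY manifests; it flags an APK whose decoded AndroidManifest.xml declares an accessibility service together with sideloading and network permissions.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this namespace in a decoded manifest.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest shaped like the dropper-plus-payload chain in the
# post; the package name and class names are placeholders, not real IoCs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rental">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Rental">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Collect the manifest facts relevant to this chain: declared permissions
    and every service bound as an accessibility service."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    a11y = []
    for svc in root.iter("service"):
        bound = svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if bound or "android.accessibilityservice.AccessibilityService" in actions:
            a11y.append(svc.get(A + "name"))
    return {
        "package": root.get("package"),
        "accessibility_services": a11y,
        "can_sideload": "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
        "network": "android.permission.INTERNET" in perms,
    }

def risk_flags(report):
    """Heuristic flags (hypothetical, not a vendor detection): an app able to
    install further APKs, and one combining accessibility control with network access."""
    flags = []
    if report["can_sideload"]:
        flags.append("dropper-capable")
    if report["accessibility_services"] and report["network"]:
        flags.append("accessibility+network")
    return flags
```

Legitimate screen readers also declare accessibility services, so these flags are a triage signal to prioritise dynamic analysis, not a verdict on their own.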
Glitch SPY is not a standard information stealer; it is a full-scale surveillance and remote-control platform. Analysis of an exposed command-and-control (C&C) administrative panel indicates the presence of a modular architecture featuring an integrated Builder, Cryptor, and Loader system. This allows threat actors to easily customize app names, package IDs, icons, and decoy WebView URLs for rapid redistribution across different regional campaigns.
Once a victim activates the requested Accessibility permissions, Glitch SPY establishes a persistent WebSocket connection to its C&C server and unlocks over 70 distinct commands, including:
Zimperium clients are fully protected against this threat. The detection engine behind Zimperium’s Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) detects both the Brokewell dropper and the Glitch SPY payloads out of the box via our advanced on-device dynamic detections, requiring no updates to maintain comprehensive coverage. Zimperium protection works at multiple layers of the attack chain:
Zimperium remains at the forefront of defending mobile ecosystems against complex, multi-faceted threats like Glitch SPY by combining proactive threat hunting, real-time behavioral ML detection, and continuous updates to IOC coverage.