Category: Phishing (severity: high)
Published March 12, 2026

SpyAgent Trojan Impersonates Brazilian Loyalty App With Chinese-Signed Dropper

A multi-layer Android dropper targeting Clube Leveros users deploys full-device surveillance with a signing certificate traced to Nanjing, China

Tags: SpyAgent, Android, Banking Trojan, Brazil, Dropper, Cryptocurrency, Mobile Malware, China

TL;DR

A trojanized APK masquerading as "Clube Leveros" -- a legitimate Brazilian loyalty and rewards app -- was submitted to MalwareBazaar on March 12, 2026. Static analysis reveals it is a SpyAgent variant built as a multi-layer dropper: the 7.7MB parent APK conceals a 4.4MB child payload packed with five DEX files, encrypted configuration blobs, and an aggressive anti-analysis toolkit that breaks most standard extraction tools. Both the parent and child APK share an identical code-signing certificate issued in Nanjing, Jiangsu Province, China, in April 2021 -- placing the development infrastructure's origin in China with high confidence and establishing a five-year operational window. The malware requests Accessibility Service permissions to achieve full device surveillance: screen capture, gesture injection, keylogging, SMS interception, contact theft, camera access, and WebView overlay attacks for banking credential phishing. This sample is part of a 13-sample SpyAgent campaign tracked since June 2025, spanning India, South Korea, and now Brazil, impersonating banks, government services, and social platforms.


The Lure: A Fake Loyalty App

Clube Leveros is a real Brazilian loyalty program with a legitimate presence on Google Play (space.clubeleveros.app). The threat actors cloned its branding into a weaponized APK named Leveros_Club.apk and distributed it via web download -- likely through SMS phishing (smishing) or a convincing fake app store page.

The file was uploaded to MalwareBazaar by researcher "jitesh" alongside two other samples -- SecureGuard.apk (also tagged SpyAgent) and Soliq.apk (a dropper/riskware sample) -- all within a 30-minute window on the morning of March 12. This batch submission suggests coordinated sample collection, possibly from the same distribution infrastructure.


Dropper Architecture: Two APKs, Five DEX Files, Three Encrypted Configs

The sample uses a layered dropper design that is specifically built to frustrate automated analysis.

Parent APK (The Shell)

Attribute  | Value
SHA256     | 6a94280f9c63fc30646439857e184a124722950dcd59a0ad8db8616f0d66fcdd
File Size  | 7.7 MB (373 Zip entries)
First Seen | 2026-03-12 08:31:59 UTC

The parent APK's primary job is to survive automated scanning and deliver the real payload. It does this through three anti-analysis mechanisms:

Zip Entry Name Collisions. Critical files like AndroidManifest.xml, classes.dex, and resources.arsc exist in the archive as both a file and a directory with the same name. For example, AndroidManifest.xml is a 19,960-byte compressed file and simultaneously a directory containing resource XML files. Standard unzip tools choke on this -- they extract the directory entry and silently skip the file entry. The result: you get an empty directory where your manifest should be.

Non-Standard Compression Method. The main entries use compression method 0x9727 (decimal 38695), which is not recognized by Python's zipfile module or most standard archival tools. Only 7z can partially extract the contents.

Decoy Resource Inflation. Approximately 300 Android support library resources are scattered across fake directory paths inside the archive, inflating the file size and burying the real payload in noise.
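To see the first two tricks in action, the following is an added example (not code from the original report) that walks an APK's ZIP central directory by hand instead of trusting an extractor, so an entry using the unknown method 0x9727 and a file/directory pair sharing one name are both reported rather than silently dropped. The small archive it builds is constructed here to mimic the dropper's layout; it is not the sample.

```python
# Added example, not code from the original report: walk an APK's ZIP central
# directory by hand so the two tricks described above stay visible even when
# standard extractors fail: an unknown compression method such as 0x9727, and a
# file and a directory that share one entry name. The sample archive is constructed.
import struct
import zlib

# Methods mainstream extractors implement (stored, deflate, deflate64, bzip2, lzma, zstd, xz, ...)
KNOWN_METHODS = {0, 8, 9, 12, 14, 93, 95, 96, 97, 98}
CD_FMT, LH_FMT, EOCD_FMT = "<HHHHHHIIIHHHHHII", "<HHHHHIIIHH", "<HHHHIIH"

def build_zip(entries):
    """Minimal ZIP writer for stored payloads; the method field is written as given (so it can be forged)."""
    local, central, off = b"", b"", 0
    for name, payload, method in entries:
        n, crc, size = name.encode(), zlib.crc32(payload), len(payload)
        lh = b"PK\x03\x04" + struct.pack(LH_FMT, 20, 0, method, 0, 0, crc, size, size, len(n), 0)
        central += b"PK\x01\x02" + struct.pack(CD_FMT, 20, 20, 0, method, 0, 0, crc, size, size, len(n), 0, 0, 0, 0, 0, off) + n
        local += lh + n + payload
        off += len(lh) + len(n) + size
    return local + central + b"PK\x05\x06" + struct.pack(EOCD_FMT, 0, 0, len(entries), len(entries), len(central), off, 0)

def central_directory(data):
    """Yield (name, method, compressed_size) for every central-directory record."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _, pos, _ = struct.unpack_from(EOCD_FMT, data, eocd + 4)
    for _ in range(total):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        f = struct.unpack_from(CD_FMT, data, pos + 4)
        method, csize, name_len, extra_len, comment_len = f[3], f[7], f[9], f[10], f[11]
        yield data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"), method, csize
        pos += 46 + name_len + extra_len + comment_len

def triage(data):
    """Report names that exist both as file and directory, and entries using unknown methods."""
    entries = list(central_directory(data))
    names = {name for name, _, _ in entries}
    collisions = sorted(n for n in names if not n.endswith("/") and n + "/" in names)
    odd_methods = {name: method for name, method, _ in entries if method not in KNOWN_METHODS}
    return {"entries": len(entries), "collisions": collisions, "odd_methods": odd_methods}

# Constructed stand-in for the dropper (the real file has 373 entries and is 7.7 MB)
SAMPLE_APK = build_zip([
    ("AndroidManifest.xml", b"<manifest/>", 0x9727),         # file entry with the unknown method
    ("AndroidManifest.xml/", b"", 0),                         # directory entry with the same name
    ("AndroidManifest.xml/values.xml", b"<resources/>", 0),
    ("classes.dex", b"dex\n035\x00", 0x9727),
    ("classes.dex/", b"", 0),
    ("assets/childapp.apk", b"PK\x03\x04 nested payload stub", 0),
])
```

Running triage(SAMPLE_APK) lists both collided names and both 0x9727 entries; pointing it at a real archive only needs the file's bytes.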

Once installed, the parent APK displays a convincing fake "Launcher Setup" loading screen with a 21-second animated progress bar. The HTML is base64-encoded and renders messages in seven languages -- Arabic, Chinese, Russian, Turkish, Spanish, Portuguese, and English -- auto-detected from the device locale. The Portuguese variant reads: "Preparando... Atualizando... Finalizando... Bem-vindo." A red warning at the bottom urges: "Please don't close the app."

This buys time for the child payload installation.

Child APK (The Weapon)

Attribute     | Value
SHA256        | b591442305ecad22ef64b9f2f72b779b30989b8b1ea065780f6502bf446e95ec
File Size     | 4.4 MB
Package Name  | com.pixelware.contacts
DEX Files     | 5 (classes.dex through classes5.dex, totaling ~4.8 MB)
Build Date    | 2026-02-02 (from DebugProbesKt.bin timestamp)
Network Stack | OkHttp 4.12.0 + BouncyCastle SSL
Language      | Kotlin with coroutines

The child APK is the operational payload -- a full-featured Android surveillance tool written in Kotlin. It ships five DEX files containing the malware's class structure, which includes both clearly named classes (Startme, Splasher, Backworker, BootReceiver, Anti_Delete) and heavily obfuscated ones (txouzhvbyrcboxngfjdp with 10 inner classes, likely handling C2 communications).

Encrypted Configuration

Three encrypted configuration files sit in the child APK's assets/ directory:

File | Decoded Size | Purpose
1.bt | 123 KB       | Main config (target app packages, overlay HTML templates, C2 addresses)
2.bt | 4.5 KB       | Secondary config
3.bt | 2.8 KB       | Tertiary config

All three are Base64-encoded AES-CBC encrypted blobs. Critically, all three share the same initialization vector (8bcdb2b59a98d4dfcbd19ef88aa9ec15) and the same first encrypted block (a59213e66b42fee0f96ef8cff0170b13), meaning the plaintext starts identically across all files. The encryption key is derived at runtime within the DEX code using SecretKeySpec + IvParameterSpec. The 123KB size of 1.bt strongly suggests it contains overlay HTML templates for multiple banking applications -- this is where the phishing pages live.

Compounding the static analysis challenge, the DEX code itself contains 2,083 XOR-encrypted strings protecting method names, class references, and API calls.


Capabilities: Full-Device Surveillance

The child payload's Accessibility Service configuration (griojuxlpiffzwmeslssfbb.xml) requests an unusually complete set of permissions:

Capability                         | What It Enables
canRetrieveWindowContent           | Read all on-screen content (banking app data, messages, passwords)
canRequestTouchExplorationMode     | Simulate touch events on behalf of the user
canRequestFilterKeyEvents          | Keylogging
canPerformGestures                 | Automated gesture injection -- tap, swipe, scroll through apps
canTakeScreenshot                  | Screenshot capture (OCR-based crypto seed phrase extraction)
canRequestEnhancedWebAccessibility | Deep web content access within apps
isAccessibilityTool                | Claims to be a legitimate accessibility tool to evade Play Protect

Beyond Accessibility Services, the malware employs:

  • MediaProjection API for continuous screen recording
  • Camera access for ambient visual recording
  • SMS interception for 2FA/OTP bypass (MITRE T1636.004)
  • Contact list exfiltration for smishing propagation to the victim's contacts
  • WebView overlay injection (JavascriptInterface, JavaScript-enabled WebView) for banking credential phishing
  • Screenshot/gallery access for OCR-based cryptocurrency wallet seed phrase theft -- the hallmark capability of SpyAgent

Anti-Removal

The malware fights to stay installed:

  • Anti_Delete class with a dedicated uninstall_activity.xml layout that blocks standard uninstall flows
  • Fake OPPO battery optimization overlay (oppobattery.xml) that tricks users into granting additional permissions -- the APK ships both English (oppo_bty_en_*.png) and Chinese (oppo_bty_cn_*.png) variants of this screen
  • BootReceiver triggers on device reboot to restart the malware
  • MyJobService and alarme (AlarmManager) maintain persistent background execution
  • ResetServices recovers from service termination

The Signing Certificate: Nanjing, China

Both the parent dropper and child payload are signed with the same certificate:

Field         | Value
Serial Number | 0x45ff9a3 (73398691)
Algorithm     | SHA-512 with RSA (2048-bit)
CN / O        | np
Locality      | Nanjing
State         | Jiangsu
Country       | CN (China)
Valid From    | 2021-04-25
Valid Until   | 3020-08-26 (1000-year validity)

The np placeholder across all naming fields, the thousand-year validity period, and the Nanjing origin are consistent with Chinese-developed Android malware toolkits. The certificate has been active since April 2021 -- a five-year operational window that predates the earliest SpyAgent-tagged MalwareBazaar sample by over three years, suggesting the signing infrastructure was established well before the campaign went public.

The fact that the same key signs both the outer dropper shell and the inner malicious payload confirms unified development. This certificate is a high-confidence pivotable fingerprint for tracking future variants.


Campaign Cluster: 13 Samples Across Four Continents

MalwareBazaar tracks 13 SpyAgent-tagged samples uploaded between June 2025 and March 2026. The campaign has evolved through distinct phases:

Phase  | Period              | Lures                                        | Target Region
Early  | Sep 2024 - Jun 2025 | Desktop samples, early Android               | Unknown
Global | Oct - Nov 2025      | Telegram, TikTok, SpaceX/Starlink            | Global
India  | Dec 2025 - Mar 2026 | mParivahan (gov), Axis Bank, IDFC First Bank | India
Brazil | Mar 2026            | Clube Leveros                                | Brazil (new)

The expansion into Brazil is significant. SpyAgent was previously known primarily for targeting South Korean and Indian users. The Leveros sample represents a deliberate pivot to Brazilian banking customers and cryptocurrency users -- suggesting either a new affiliate operating in Brazil or deliberate campaign expansion by the existing operators.

Same-Day Batch Context

The Leveros sample was uploaded alongside two related files by the same researcher:

Filename         | Tags                  | Upload Time (UTC)
Soliq.apk        | dropper, riskware     | 08:09
SecureGuard.apk  | SpyAgent              | 08:14
Leveros_Club.apk | SpyAgent, InfoStealer | 08:31

Brazilian Banking Threat Convergence

This investigation occurred 24 hours after a separate Breakglass investigation into libcef-banker-march11 -- a Windows DLL side-loading campaign targeting Brazilian SEFAZ/NFE tax system users. While there is no confirmed infrastructure overlap between the two campaigns, the parallel is worth noting:

Aspect    | libcef-banker (Mar 11)       | SpyAgent Leveros (Mar 12)
Platform  | Windows (PE DLL)             | Android (APK)
Technique | DLL side-loading             | Multi-layer dropper
Lure      | SEFAZ tax system             | Clube Leveros loyalty app
Origin    | Brazilian cybercrime         | Chinese signing certificate
Target    | Brazilian taxpayers, traders | Brazilian banking, crypto users

That two independent threat actor groups targeted Brazilian financial-sector victims within a 24-hour window suggests either seasonal timing (Brazilian tax season), elevated interest in Brazilian banking targets, or some degree of intelligence sharing between cybercrime ecosystems.

The broader Brazilian Android threat landscape in March 2026 is notably active, with PixRevolution (real-time PIX hijacking), BeatBanker (Firebase C2, Monero mining), Mirax (MaaS at $2,500/month), and SURXRAT (LLM-equipped RAT with ransomware) all actively targeting PIX payment infrastructure.


OPSEC Failures

The operators made several mistakes that aid tracking and attribution:

  1. Certificate reuse across parent and child APK. The same signing key (0x45ff9a3) is used for both layers, and likely across the broader campaign. This is a single fingerprint that links everything.

  2. Chinese-language UI resources shipped in a Brazilian-targeted app. The oppo_bty_cn_1.png and oppo_bty_cn_2.png files are developer testing artifacts for a Chinese-speaking audience. They have no business in an app impersonating a Brazilian loyalty program.

  3. Build timestamp leak. The DebugProbesKt.bin file is dated 2026-02-02, placing the child payload's compilation 38 days before distribution. Kotlin debug probes should be stripped from production builds.

  4. Shared IV across all encrypted configs. All three .bt files use the same AES-CBC initialization vector, meaning identical plaintext blocks produce identical ciphertext across files. This weakens the encryption scheme and provides a known-ciphertext fingerprint for detection.
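The shared IV and identical first block (see the Encrypted Configuration section and OPSEC failure 4) give defenders a ciphertext-level fingerprint that needs no key. The script below is an added example, not code from the original report: it strips the Base64 layer from assets/*.bt files, checks for the reported first block, and counts how many leading blocks each pair of configs shares. It assumes the decoded blob begins directly with AES-CBC ciphertext (no prepended IV), which is how the report's first-block indicator reads; the blobs it processes are constructed stand-ins.

```python
# Added example, not code from the original report: fingerprint assets/*.bt
# configs by their Base64 layer and leading ciphertext blocks. It assumes the
# decoded blob begins directly with AES-CBC ciphertext (no prepended IV), which
# is how the report's "first block" indicator reads. Under CBC with one key and
# one reused IV, two configs share exactly as many leading ciphertext blocks as
# they share leading plaintext blocks, so the shared-prefix count is meaningful.
import base64
import binascii

BLOCK = 16
# First ciphertext block the report observed in all three .bt files
KNOWN_FIRST_BLOCK = bytes.fromhex("a59213e66b42fee0f96ef8cff0170b13")

def decode_bt(blob: str):
    """Strip the Base64 layer; None if the text is not strict Base64 or not block-aligned."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if raw and len(raw) % BLOCK == 0 else None

def shared_prefix_blocks(raw_a: bytes, raw_b: bytes) -> int:
    """Leading 16-byte blocks two ciphertexts have in common; the first mismatch ends the count."""
    n = 0
    for i in range(0, min(len(raw_a), len(raw_b)), BLOCK):
        if raw_a[i:i + BLOCK] != raw_b[i:i + BLOCK]:
            break
        n += 1
    return n

def fingerprint(files: dict) -> dict:
    """files maps asset name -> Base64 text. Reports known-first-block hits and pairwise shared prefixes."""
    decoded = {name: decode_bt(text) for name, text in files.items()}
    valid = sorted(name for name, raw in decoded.items() if raw)
    hits = [name for name in valid if decoded[name][:BLOCK] == KNOWN_FIRST_BLOCK]
    prefix = {(a, b): shared_prefix_blocks(decoded[a], decoded[b])
              for i, a in enumerate(valid) for b in valid[i + 1:]}
    return {"known_first_block": hits, "shared_prefix_blocks": prefix}

# Constructed stand-ins (the real files are 123 KB, 4.5 KB and 2.8 KB and are not
# reproduced): 1.bt and 2.bt share two leading blocks, 3.bt shares only the first,
# and the fourth entry is not Base64 at all.
_two_blocks = KNOWN_FIRST_BLOCK + bytes(range(16))
SAMPLE_FILES = {
    "assets/1.bt": base64.b64encode(_two_blocks + bytes([0x11]) * 32).decode(),
    "assets/2.bt": base64.b64encode(_two_blocks + bytes([0x22]) * 16).decode(),
    "assets/3.bt": base64.b64encode(KNOWN_FIRST_BLOCK + bytes([0x33]) * 16).decode(),
    "assets/notes.bt": "not base64!",
}
```

A prefix count above one between two configs from the same APK is itself a tell: it means the operators encrypted files with a common header under one key and IV, exactly the reuse described above.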


MITRE ATT&CK Mapping

Tactic               | Technique                             | ID
Initial Access       | Deliver Malicious App via Other Means | T1476
Persistence          | Boot or Logon Initialization Scripts  | T1398
Persistence          | Foreground Persistence                | T1541
Privilege Escalation | Abuse Elevation Control Mechanism     | T1626
Defense Evasion      | Obfuscated Files or Information       | T1406
Defense Evasion      | Masquerading                          | T1655.001
Defense Evasion      | Impair Defenses                       | T1629
Credential Access    | Keylogging                            | T1417.001
Credential Access    | GUI Input Capture                     | T1417.002
Collection           | SMS Messages                          | T1636.004
Collection           | Contact List                          | T1636.003
Collection           | Screen Capture                        | T1513
Collection           | Data from Local System                | T1533
C2                   | Encrypted Channel                     | T1521
Exfiltration         | Exfiltration Over C2 Channel          | T1646

IOCs


Android Indicators

Indicator            | Value
Package Name         | com.pixelware.contacts
Signing Cert Serial  | 0x45ff9a3
Signing Cert SKI     | 24:73:BF:FA:29:85:25:5E:84:F3:7A:85:CD:D0:58:CF:FA:E8:79:47
Signing Cert Issuer  | C=CN, ST=Jiangsu, L=Nanjing, O=np, CN=np
Accessibility Config | griojuxlpiffzwmeslssfbb.xml
Network Library      | OkHttp 4.12.0

Encryption Artifacts

Indicator                | Value
Config IV (hex)          | 8bcdb2b59a98d4dfcbd19ef88aa9ec15
Config First Block (hex) | a59213e66b42fee0f96ef8cff0170b13
Encryption               | AES-CBC
String Obfuscation       | Multi-byte XOR (2,083 encrypted strings)
Config File Pattern      | assets/*.bt (Base64 then AES-CBC)

Behavioral Indicators

Type                | Value
Launcher            | Base64-encoded HTML, 7-language loading screen, 21-second animation
Fake Battery UI     | oppo_bty_en_*.png, oppo_bty_cn_*.png
Anti-Uninstall      | Anti_Delete class, uninstall_activity.xml
Persistence Classes | BootReceiver, MyJobService, alarme, ResetServices
Fake Chat           | activity_chat.xml
WebView Overlay     | mywebviewer.xml with JavaScript enabled

Detection: YARA Rules

rule SpyAgent_Leveros_Dropper {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-12"
        description = "SpyAgent dropper APK with childapp.apk payload and Zip entry collision anti-analysis"
        hash = "6a94280f9c63fc30646439857e184a124722950dcd59a0ad8db8616f0d66fcdd"
        tlp = "WHITE"
    strings:
        $child = "assets/childapp.apk" ascii
        $pkg = "com.pixelware.contacts" ascii
        $launcher = "launcher.html" ascii
        $bt1 = "assets/1.bt" ascii
        $bt2 = "assets/2.bt" ascii
        $bt3 = "assets/3.bt" ascii
        $manifest_dir = "AndroidManifest.xml/" ascii
        $dex_dir = "classes.dex/" ascii
    condition:
        uint32(0) == 0x04034B50 and
        filesize > 5MB and filesize < 15MB and
        ($child or $pkg) and
        (2 of ($bt*) or ($manifest_dir and $dex_dir) or $launcher)
}

rule SpyAgent_PixelwareContacts_Payload {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-12"
        description = "SpyAgent child payload with com.pixelware.contacts package"
        hash = "b591442305ecad22ef64b9f2f72b779b30989b8b1ea065780f6502bf446e95ec"
        tlp = "WHITE"
    strings:
        $pkg = "com/pixelware/contacts" ascii
        $startme = "Startme" ascii
        $splasher = "Splasher" ascii
        $backworker = "Backworker" ascii
        $bootrecv = "BootReceiver" ascii
        $antidel = "Anti_Delete" ascii
        $resetsvcs = "ResetServices" ascii
        $alarme = "alarme" ascii
        $tofront = "tofront" ascii
        $myjob = "MyJobService" ascii
    condition:
        uint32(0) == 0x04034B50 and
        $pkg and
        3 of ($startme, $splasher, $backworker, $bootrecv, $antidel, $resetsvcs, $alarme, $tofront, $myjob)
}

rule SpyAgent_NanjingCert {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-12"
        description = "APKs signed with the Nanjing/np SpyAgent certificate (serial 0x45ff9a3)"
        tlp = "WHITE"
    strings:
        $cert_serial = { 04 5F F9 A3 }          // serial 0x45ff9a3 as encoded in the DER certificate
        $cert_cn = "np" ascii                   // placeholder CN/O; two bytes alone are not a signal
        $cert_nanjing = { E5 8D 97 E4 BA AC }   // UTF-8 "Nanjing" in Chinese script
        $cert_jiangsu = { E6 B1 9F E8 8B 8F }   // UTF-8 "Jiangsu" in Chinese script
        $cert_china = { E4 B8 AD E5 9B BD }     // UTF-8 "China" in Chinese script
    condition:
        // YARA binds 'and' tighter than 'or': without the outer parentheses the ZIP-magic
        // check applied only to the serial branch, and the Chinese-script branch could
        // fire on any file type. The sample's issuer DN is ASCII (C=CN, ST=Jiangsu,
        // L=Nanjing), so it is caught by the serial branch; the second branch is for
        // variants whose name fields are written in Chinese.
        uint32(0) == 0x04034B50 and
        (
            ($cert_serial and $cert_cn) or
            ($cert_nanjing and $cert_jiangsu and $cert_china)
        )
}

Recommended Actions

Immediate (24-48 hours)

  • Block the parent and child APK hashes plus all five DEX hashes on MDM/EDR platforms
  • Search managed Android fleets for the com.pixelware.contacts package name
  • Deploy the YARA rules above to mobile threat detection pipelines
  • Alert Brazilian financial institution security teams and CERT.br
  • Block signing certificate serial 0x45ff9a3 in mobile security policy

Short-term (1-2 weeks)

  • Submit the child APK hash to MalwareBazaar as a related sample for broader community visibility
  • Run the sample through ANY.RUN or Triage to decrypt the .bt config files and extract C2 infrastructure
  • Analyze SecureGuard.apk and Soliq.apk for shared signing certificates and infrastructure
  • Monitor for new APKs signed with the Nanjing certificate

Medium-term (1-3 months)

  • Track the signing certificate via VirusTotal Livehunt for new variants
  • Monitor Brazilian third-party app stores for trojanized Leveros clones
  • Develop AES-CBC decryption capability for the .bt config format by extracting the key derivation logic from the DEX code
  • Share IOCs with MITRE for SpyAgent (S1214) entry updates

Analysis by GHOST -- Breakglass Intelligence. Published 2026-03-12.
