F6 researchers, in coordination with RuStore, have dismantled one of the most active Android-focused cybercrime operations of 2024 by blocking 604 domains used to distribute the DeliveryRAT trojan. The malware impersonated food delivery services, marketplaces, banking apps, and package trackers, leveraging large-scale social engineering to infect Android devices.
What DeliveryRAT Targets: Data Theft and Financial Fraud
Identified in mid-2024, DeliveryRAT is designed to exfiltrate personal and financial data to facilitate microloan fraud and attempted online banking theft. Victims were prompted to share details such as full name, delivery address, bank card number, phone number, and date of birth; in some scenarios, attackers sought SNILS (a Russian pension insurance number). This breadth of attributes increases the success rate of identity-driven credit fraud and subsequent monetization of compromised accounts.
MaaS via Telegram: The Bonvi Team Bot as an Attack Multiplier
F6 observed DeliveryRAT distributed as Malware-as-a-Service (MaaS) through the Telegram bot Bonvi Team. Operators could generate a tailored malware sample at no cost and handle victim delivery themselves. The bot provided two options: downloading an APK build or using a personalized phishing link to a counterfeit site. This automation removed the need for technical expertise, enabling rapid scaling across geographies. At least three distinct criminal groups were identified driving traffic to the malicious infrastructure.
Social Engineering Playbooks Used in the Campaign
Fake Marketplace Deals and “Order Tracking” Apps
Attackers posted bargain listings on marketplaces or set up sham stores, then moved conversations to Telegram or WhatsApp. A “manager” harvested personal data and instructed the victim to install an “order tracking” app—actually the DeliveryRAT payload.
Phony Jobs and “Work” Applications
Fraudsters offered attractive vacancies with flexible conditions. During chats, they requested SNILS, card details, and date of birth, then pressured candidates to install a “work app,” normalizing the sideload and accelerating data capture.
Telegram Ads with Discounts and Promo Codes
Promotional posts enticed users to download discount or promo-code apps. The promise of quick savings lowered vigilance and disguised the trojan as a useful service.
Domain Infrastructure: Fast-Flux Naming and Lookalike Patterns
RuStore and F6 blocked 604 domains tied to the operation. Many domains mimicked legitimate services by combining common keywords such as store, id, download, and app. This templated approach enabled rapid site churn and evasion of isolated takedowns. Disrupting the domain layer shortened the lifespan of phishing pages and throttled the infection funnel.
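A defender can turn the naming pattern described above into a simple triage heuristic. The following Python is an added example, not F6's or RuStore's tooling: it tokenizes a hostname, counts the template keywords the article names (store, id, download, app), and flags hosts that stack them or pair one with a watched brand token; the brand list and allowlist are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Keywords the campaign combined in its lookalike domains (from the article).
TEMPLATE_KEYWORDS = {"store", "id", "download", "app"}
# Brand/service tokens an organisation wants to watch for (constructed list, an assumption).
WATCHED_BRANDS = {"rustore", "delivery", "market", "bank", "track"}
# Domains treated as legitimate (constructed allowlist; a real one would be far longer).
ALLOWLIST = {"rustore.ru", "play.google.com"}


def host_of(url: str) -> str:
    """Extract the lowercase hostname, tolerating bare hosts without a scheme."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host.removeprefix("www.")


def is_allowlisted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)


def score_domain(url: str) -> dict:
    """Flag a host that stacks template keywords, or pairs one with a watched brand.

    Dots, hyphens, underscores and digits separate tokens. Keywords longer than two
    characters are also matched as substrings (e.g. 'rustoreapp'); the short 'id'
    must appear as a whole token to limit false positives.
    """
    host = host_of(url)
    tokens = [t for t in re.split(r"[.\-_\d]+", host) if t]
    joined = "".join(tokens)
    keywords = {k for k in TEMPLATE_KEYWORDS if k in tokens or (len(k) > 2 and k in joined)}
    brands = {b for b in WATCHED_BRANDS if b in joined}
    suspicious = not is_allowlisted(host) and (
        len(keywords) >= 2 or (bool(keywords) and bool(brands))
    )
    return {"host": host, "keywords": sorted(keywords), "brands": sorted(brands),
            "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed sample links of the kind a messenger "manager" might send a victim.
    for link in ["https://rustore-app-download.example/get", "https://www.rustore.ru/catalog",
                 "store-id.example", "https://delivery-track.example"]:
        print(score_domain(link))
```

A brand token alone does not trigger a hit, so a legitimate brand on its own domain passes; the heuristic is a triage aid for link-scanning or proxy logs, not a replacement for reputation feeds.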
Risk Outlook: MaaS and Messenger-Driven Mobile Threats
The DeliveryRAT case underscores a broader shift: mobile threats increasingly exploit MaaS platforms and encrypted messengers to scale social engineering. Similar tactics have been documented in major Android banking trojan operations in recent years, where sideloaded APKs and phishing links bypass store vetting. Industry reports consistently show that installing apps from unknown sources markedly elevates risk compared with official storefronts.
Practical Mobile Security Recommendations
For individuals: install apps only from trusted app stores (including RuStore and Google Play), disable installation from unknown sources, scrutinize web domains for lookalike patterns, keep the OS and mobile security tools up to date, and treat permission prompts and financial data requests with caution.
For organizations: train employees against mobile phishing, enforce MDM (Mobile Device Management) policies restricting sideloading, and monitor mobile network traffic for anomalies indicative of RAT activity (e.g., unusual beaconing or telemetry exfiltration).
The takedown coordinated by F6 and RuStore illustrates how targeting the delivery infrastructure can meaningfully reduce victimization and financial losses. Users and enterprises can amplify this impact by hardening mobile hygiene, verifying sources before installing APKs, and remaining skeptical of “too good to be true” offers that funnel to unfamiliar links or messenger-based installers.