Glitch SPY Android RAT Distributed via Fake Polish Rental App ("Tutaj Dom") Using Brokewell Loader — Threadlinqs Intelligence
Threat ID: TL-2026-1195 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Attribution: Baron Samedit Marais · FINANCIAL
A new Android RAT dubbed Glitch SPY is being distributed via a fraudulent Polish apartment-rental website (tutaj-dompl.com) impersonating a platform called "Tutaj Dom", using the Brokewell Android
Cyble Research and Intelligence Labs (CRIL) identified an active malware campaign distributing a new Android Remote Access Trojan named Glitch SPY through a spoofed Polish apartment-rental website, tutaj-dompl.com, which mimics a legitimate-looking rental platform branded "Tutaj Dom" (Polish for "Home Here"). Victims are lured to the site and prompted to sideload an APK (Tutajdom.apk) outside the Google Play Store. The initial payload is the Brokewell Android Loader — a dropper first identified by ThreatFabric in April 2024 and developed/sold on the Exploit cybercrime forum by an actor tracked as "Baron Samedit Marais", operating under the moniker "Brokewell Cyber Labs". The loader is notable for its ability to bypass Android 13+ 'restricted settings' protections that normally block sideloaded apps from requesting Accessibility Service permissions, and stages installation of the second-stage Glitch SPY payload.
Once installed, Glitch SPY prompts the victim to enable Android Accessibility Service, which it then abuses to auto-grant itself further dangerous permissions, perform UI automation (taps, swipes, text entry), read on-screen content, and defeat manual permission prompts. The malware maintains a persistent WebSocket connection to its command-and-control panel, exchanging structured JSON messages (hello/hello_ack handshake, heartbeat/ping keep-alive, command_result, screen_frame, sms_data, contacts_data, file_list, browser_command_result) and supports more than 70 discrete commands across surveillance, file management, remote control, and financial-fraud categories.
Surveillance capabilities include live screen streaming, screenshot capture, screen-reader text extraction, offline and live keylogging, camera streaming, microphone/audio recording, and clipboard monitoring. Data-theft commands harvest SMS messages (read and send), contacts, call logs, installed app lists, device accounts, system information, and geolocation. A full remote file manager allows listing, downloading, zipping/unzipping, renaming, and executing files, plus an AES/GCM/NoPadding file-encryption/decryption capability (FMENC1 header, .enc extension) with secure deletion (overwrite-truncate-sync-delete) of the original plaintext — though no automated mass-encryption or ransom-demand infrastructure was observed, indicating this is a targeted-extortion or evidence-destruction tool rather than a ransomware module.
A hidden, off-screen remote-browser (WebView) module lets the operator load arbitrary URLs on the victim device, toggle mobile/desktop rendering, and perform clicks, swipes, text entry, and JavaScript-driven form fills — enabling on-device account takeover using the victim's own IP address and already-authenticated web sessions, defeating IP-based and device-fingerprint fraud controls.
A dedicated crypto-clipper module (clipper_get_config/clipper_set_config/clipper_inject_clipboard) monitors the clipboard for cryptocurrency addresses and URI schemes (bitcoin:, ethereum:, erc20:, tron:, bsc:, matic:, polygon:, arbitrum:, optimism:, base:, ton:) and silently substitutes the victim's copied address with an attacker-controlled address of the matching currency family (ETH/EVM addresses starting 0x, TRON addresses starting T, Bitcoin legacy addresses starting 1 or 3, Bitcoin Bech32 addresses starting bc1q/bc1p), reporting the swap event (original address, replacement address, currency type) back to the C2.
Device-control commands allow the operator to activate/deactivate Device Administrator privileges, block biometric authentication (forcing fallback to a PIN/pattern the malware can capture), fetch/store/auto-unlock the device's lock pattern, save and auto-fill credentials, wake the screen, lock the device, hide the app icon and self-uninstall, and prevent uninstallation via Device Admin abuse.
The exposed C2 panel infrastructure includes an Agents module (searchable list of infected devices by name/ID/IP), a live Viewer for screen streaming an
Target sectors: realestate, financialservices, consumer, cryptocurrency
Target regions: poland, Europe
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 20 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
MALWARE, HIGH, threat intelligence, cybersecurity, T1660, T1624, T1629, T1628, T1655, T1516, T1453, T1417, T1418, T1420