autumn-sky

Malware Analysis: SeaMoon Bank Trojan (Fake eGOVph App)

Author: Comet
Executive Summary

A malicious Android application disguised as the Philippine government's official eGOVph app was obtained and subjected to full static reverse engineering analysis. We are tracking this threat as the SeaMoon Bank Trojan, named after the default IMEI fallback string seamoonabcdefghijklm hardcoded in its SDK. The application is a sophisticated banking trojan, spyware, and remote access tool that targets Filipino citizens through social engineering schemes involving the eGOVph platform.

Key findings:

  • The malware impersonates a legitimate Philippine government application to deceive victims into installing it on their mobile devices.
  • Once installed, it can steal banking credentials, intercept SMS messages and one-time passwords (OTPs), record the device screen in real time, activate the camera silently, exfiltrate contacts and personal data, and remotely control the device.
  • The malware's Command and Control (C2) server was live and operational at the time of analysis (19 February 2026), with its TLS certificate provisioned on 6 February 2026.
  • The C2 server's bank target list, obtained during live probing, contains 17 Philippine financial applications including GCash, Maya, BPI, BDO, UnionBank, Metrobank, LANDBANK, and others.
  • The total target list spans 87 financial applications across the Philippines, Malaysia, Indonesia, Vietnam, Cambodia, Thailand, Singapore, New Zealand, Saudi Arabia, and Bangladesh, plus cryptocurrency exchanges.
  • Analysis of the underlying malware toolkit (com.bw / common_release) reveals this is the product of a professionally organized, Chinese-speaking cybercrime group that has been operating since at least 2021. The toolkit was originally built for illegal online gambling platforms before being repurposed for banking fraud.
  • The malware APK was built on 16 February 2026, indicating this is an active, ongoing campaign.

2. BACKGROUND AND SCOPE

2.1 How the Sample Was Obtained

The malicious APK was obtained after a Facebook post surfaced publicly describing the scam. The post included a link to a fake government webpage at egov.vrph.cc, which was hosting the malware for download. The APK was retrieved directly from this distribution site for analysis.

Source code of the fake eGOVph website hosted at egov.vrph.cc, used to distribute the malicious APK.

2.2 Scope of Analysis

The analysis was conducted through static reverse engineering only; the malware was not executed on any device, and no victim data was accessed or modified. The analysis comprised:

  1. APK unpacking: The malware was protected with DPT-shell, an open-source Android packing framework. A custom unpacker was developed to restore all 63,713 method bodies from four DEX files, yielding 11,294 decompiled Java source files.
  2. Source code analysis: Full review of the decompiled application source, including the main malware package (io.mkvps.ujwxe), the reusable malware SDK (com.bw), and supporting libraries.
  3. Encryption reversal: Two encryption layers (DES-ECB for configuration, AES-256-ECB for API traffic) were fully reversed, enabling decryption of all C2 communications.
  4. Live C2 interaction: Using the reversed encryption, authenticated and unauthenticated endpoints on the live C2 server were probed to confirm operational status and gather additional intelligence, including the complete list of targeted financial applications.

3. SAMPLE INFORMATION

Property | Value
Filename | eGOVph.apk
SHA-256 | 5cad193cefa135f0ef651402732ba7e0c3fd4b906f76ef5cb87c5aba9da72cde
File Size | 23,440,726 bytes (23.4 MB)
Android Package Name | io.jtjyp.wxfcu
Internal Package | io.mkvps.ujwxe
App Version | 3.0 (version code: 3)
Build Flavor | PhKjEgovTextEncrypt
Build Timestamp | 16 February 2026, 05:29 UTC
Packer | DPT-shell (open-source DEX packing framework)
Malware SDK | com.bw / common_release v02170529
Campaign Identifier | PhKjEgov

4. SOCIAL ENGINEERING VECTOR

4.1 Attack Scenario

Based on the application's branding, configuration, and campaign identifier (PhKjEgov), the social engineering attack targets Filipino citizens through the following scenario:

  1. Initial Contact: Victims are contacted via phone call, SMS, or email by individuals claiming to represent a Philippine government agency.
  2. Pretext: The caller or message claims there is a problem with the victim's eGOVph account, e.g. that the account needs to be updated, verified, or reactivated.
  3. Installation: Victims are directed to download and install the fake "eGOVph" application from a link provided by the scammer. The app is not distributed through the Google Play Store.
  4. Permission Harvesting: Upon installation, the app requests extensive permissions including Accessibility Service access, SMS reading, camera, microphone, location, and contacts.
  5. Exploitation: Once permissions are granted, the malware silently begins stealing credentials, intercepting messages, and establishing persistent connections to the attacker's servers.

4.2 Why This Is Effective

  • The Philippine government's eGOVph is a legitimate and widely recognized platform, making impersonation highly credible.
  • eGOVph is a widely used government services platform with active citizen engagement, creating a sense of urgency when victims are told there is a problem with their account.
  • Many Filipino citizens may not be aware that government agencies do not request app installations via phone or SMS.

5. MALWARE CAPABILITIES

5.1 Banking Credential Theft

Capability | Technical Detail
Overlay attacks | Displays fake login screens (username, password, PIN fields) on top of legitimate banking apps when they are opened
Password capture | PasswordCapture2 service monitors all text input fields for banking credentials
Bank password submission | Stolen credentials are submitted directly to C2 via POST /x/user-bank-pwd
Targeted overlays | Dedicated overlay windows: BcaInputPwdWindow, BmriInputPwdWindow, BniInputPwdWindow, FitterBankWindow (generic), VietBankWindow
PIN harvesting | TransplentPinLockWindow captures device PINs and transaction PINs
Anti-screenshot | AntiScreenshotWindow prevents victims from taking screenshots while fake bank screens are displayed

5.2 SMS and OTP Interception

Capability | Technical Detail
SMS interception | SmsService and SmsContent register broadcast receivers for all incoming SMS
OTP theft | All intercepted SMS, including one-time passwords from banks, are uploaded to C2 via POST /x/common-sms
2FA bypass | Combined credential theft and OTP interception enables complete bypass of SMS-based two-factor authentication

5.3 Real-Time Surveillance

Capability | Technical Detail
Screen recording | ScreenRecordService captures the display via the Android MediaProjection API
Screen streaming | WsH264Publisher encodes frames as H.264 video and streams over WebSocket to ws://8.219.85.91:8888
RTMP streaming | Alternate video stream to rtmp://101.37.81.24
Camera activation | CameraService silently activates the front-facing camera; video is streamed to C2
Clipboard monitoring | ClipboardUtils monitors the clipboard in real time, capturing any copied text (account numbers, passwords, etc.)

5.4 Data Exfiltration

Data Type | API Endpoint
Contact list | POST /x/common-books
Installed apps | POST /x/common-app
SMS messages | POST /x/common-sms
ID photos/videos | POST /x/five/user-upload
Banking passwords | POST /x/user-bank-pwd
Device info, call logs | POST /x/command-report
KYC / personal data | POST /x/five/user-extra
Screenshots | POST /x/command-screen-up

5.5 Remote Device Control

Capability | Technical Detail
Automated taps/swipes | TouchAction and AutoClick simulate user touches at specified screen coordinates
Form auto-fill | Accessibility service can input text into any field on the device
App navigation | Can press the Home, Back, and Recent Apps buttons programmatically
Reverse proxy | FRPC tunnel allows C2 operators to connect directly into the victim's device (port allocation: (user_id % 40000) + 10000)
Command channel | WebSocket connection at wss://{host}/x/command?token={token} receives real-time commands

5.6 Persistence

Mechanism | Detail
Accessibility Service | Registers as a system accessibility service (FocusService), which is difficult to remove without technical knowledge
Foreground service | Maintains a persistent notification (ID: 111) to prevent Android from killing the process
Heartbeat | Reconnects to C2 every 30 seconds via RemoteService
WorkManager | Scheduled background tasks survive device reboots (20-minute log upload cycle)
Boot receiver | Restarts automatically when the device is rebooted

6. COMMAND AND CONTROL INFRASTRUCTURE

6.1 Identified Servers

Hostname | IP Address | Port | Protocol | Function | Hosting | Status
egov.vrph.cc | 188.114.96.2 | 443 | HTTPS | Fake eGOVph website, malware distribution site | Cloudflare | LIVE
app.ftjph.top | 154.19.187.36 | 443 | HTTPS | Primary C2: authentication, data upload, command dispatch | Cloud hosting | LIVE (as of 19 Feb 2026)
- | 8.219.85.91 | 8888 | WebSocket | Real-time screen/camera streaming relay | Alibaba Cloud | LIVE
- | 101.37.81.24 | 1935 | RTMP | Video/camera recording server | Alibaba Cloud | LIVE
sentry.absu.cc | - | 443 | HTTPS | Crash reporting and telemetry | Cloud hosting | LIVE

6.2 TLS Certificate Details

Property | Value
Domain | app.ftjph.top
Issuer | Let's Encrypt (R13)
Issued | 6 February 2026
Expires | 7 May 2026
Protocol | TLS 1.3 (AEAD-AES256-GCM-SHA384, HTTP/2)

The certificate was issued approximately 10 days before the APK was built (16 February 2026), indicating coordinated infrastructure provisioning and malware deployment.

6.3 C2 Resilience Mechanisms

The malware is designed to maintain connectivity even if primary servers are taken down:

Mechanism | Detail
Dynamic C2 switching | C2 can send WebSocket commands to change the HTTP API and WebSocket URLs at runtime; no APK update is required
Telegram Bot fallback | C2 can redirect all API traffic through the Telegram Bot API as a backup channel
DNS-over-HTTPS | Uses 6 DoH resolvers (Google, Cloudflare, OpenDNS, Quad9, Aliyun, 45.11.45.11) to bypass local DNS blocking
SSL bypass | Accepts any TLS certificate; its traffic cannot be blocked via certificate pinning countermeasures
Retry logic | 5 retry attempts with a 2-second delay on connection failure
Connection pool | 15 persistent connections, 5-minute idle timeout

6.4 Live C2 Probe Results

Using the reversed AES-256-ECB encryption, unauthenticated endpoints on the live C2 were probed on 19 February 2026:

Endpoint | Response | Language
x/login (no credentials) | code:400, "Maklumat anda tidak betul, tidak dapat log masuk" | Malay
x/login (with credentials) | code:400, same error (no user enumeration) | Malay
x/common-bank-list | code:999, "Gagal masuk" (authentication required) | Malay
x/common-zh | code:400, "参数错误" (parameter error) | Chinese

Intelligence value:

  • Malay error messages ("Maklumat anda tidak betul" = "Your information is incorrect") confirm the same C2 panel is also used to target Malaysian victims.
  • Chinese error messages ("参数错误" = "parameter error") confirm Chinese-speaking operators.

6.5 Fake Device Registration and Authenticated Access

The x/common-bank-list endpoint returned code:999 ("Gagal masuk") when accessed without authentication, indicating that a valid access token was required. By analyzing the malware's registration flow in the decompiled source, we crafted a POST /x/register request with fabricated device parameters, registering a fake device on the C2 server. The server accepted the registration and returned a valid access token.

With this token, we were able to authenticate to the C2 and access protected endpoints, including GET /x/common-bank-list, which returned the complete list of 87 targeted financial applications across 10+ countries.

A specially crafted HTTP POST request to the C2's registration endpoint, successfully registering a fake device and obtaining an access token.

6.6 WebSocket C2 Command Channel

Using the obtained access token, we connected to the C2's WebSocket endpoint at wss://app.ftjph.top/x/command. The server immediately pushed two commands to the fake device:

  1. Screen streaming command (action:99) - instructs the device to begin streaming the victim's screen in real-time via RTMP to rtmp://154.19.187.36:30046/live/..., giving operators a live view of everything on the victim's display.
  2. Bank target list (action:61) - delivers the complete list of 87 targeted financial application package names. The malware uses this list to monitor which apps are installed and detect when the victim opens a banking app.

On a real victim's device, once these commands are received, the malware begins silently recording and streaming the screen to the attacker's server. The bank target list is stored locally, and the malware's Accessibility Service (FocusService) monitors app activity in the background. When the victim opens any of the 87 targeted banking or financial apps, the malware immediately triggers an overlay attack - displaying a fake login screen on top of the legitimate app. Any credentials entered (username, password, PIN) are captured and sent to the C2 via POST /x/user-bank-pwd. Meanwhile, incoming SMS messages containing OTPs are intercepted and forwarded to the attacker, enabling complete bypass of SMS-based two-factor authentication. The stolen credentials can then be immediately used by the operators through the POST /x/five/bank-login endpoint, allowing them to log in to the victim's bank account directly from the C2 infrastructure. Because the malware has access to the device's camera via CameraService and can stream live video of the victim's face, it can bypass facial recognition checks that banks use as an additional security layer. The operators, watching the victim's screen in real-time, can also issue further commands - such as automated taps, form fills, or launching a reverse proxy tunnel to directly interact with the compromised device.

Beyond stealing credentials and draining balances, the malware also has the capability to take out loans under the victim's name. The C2 infrastructure includes dedicated loan endpoints - GET /x/loan-info to retrieve available loan products, GET /x/loan-contract to fetch loan terms, POST /x/loan-save to submit loan applications, and POST /x/income-save to provide fabricated income data. Combined with the stolen KYC documents (ID photos, personal data exfiltrated via /x/five/user-upload and /x/five/user-extra), operators can apply for and potentially secure loans without the victim's knowledge, leaving them liable for debt they never authorized.

Live WebSocket session with the C2 server, showing the RTMP streaming command and the full bank target list pushed to the connected device.

7. TARGETED PHILIPPINE FINANCIAL INSTITUTIONS

The following 17 Philippine financial applications were retrieved from the C2 server using a JWT token obtained by registering a fake device. The bank-target list was delivered in encrypted form and subsequently decrypted using our script. The schema field specifies the Android package names used by the malware to detect when these applications are opened and to trigger overlay attacks.

# | Institution | App Name | Android Package (schema) | Date Added to C2
1 | Globe Fintech (GCash) | GCash | com.globe.gcash.android | 23 Dec 2024
2 | Maya Philippines | Maya | com.paymaya | 23 Dec 2024
3 | Bank of the Philippine Islands | BPI | com.bpi.ng.app | 23 Dec 2024
4 | Bank of the Philippine Islands | VYBE by BPI | com.indivara.bpi | 15 Oct 2025
5 | Banco de Oro | BDO Online | ph.com.bdo.retail | 23 Dec 2024
6 | Banco de Oro | BDO Pay | ph.com.bdo.pay | 27 Apr 2025
7 | Union Bank of the Philippines | UnionBank Online | com.unionbankph.online | 23 Dec 2024
8 | Metropolitan Bank & Trust | Metrobank App | ph.com.metrobank.mcc.mbonline | 24 Dec 2024
9 | Land Bank of the Philippines | LANDBANK Mobile | com.landbank.mobilebanking | 23 Dec 2024
10 | Philippine National Bank | PNB Digital | com.pnb.android | 23 Dec 2024
11 | Security Bank | Security Bank | com.securitybank.bbx | 23 Dec 2024
12 | China Banking Corporation | China Bank Mobile | com.cbc.mobilebanking | 23 Dec 2024
13 | Rizal Commercial Banking Corp. | RCBCpulz | com.rcbc.pulz | 23 Dec 2024
14 | CIMB Bank Philippines | CIMB Bank | com.cimbph.app2022 | 23 Dec 2024
15 | GoTyme Bank | GoTyme Bank | ph.com.gotyme | 8 Jan 2025
16 | EastWest Banking Corp. | EastWest EasyWay | com.eastwest.mobile.dxp | 11 Mar 2025
17 | SeaBank Philippines | SEABANK | ph.seabank.seabank | 29 Jun 2024

Additional Philippine targets added later:

  • Komo (ph.komo.app), added 2 Feb 2025
  • RBank Digital (com.robinsons.RBankDigital), added 16 Feb 2025
  • Asia United Bank: AUB (com.aub.mobilebanking) and HelloMoney by AUB (com.aub.hellomoney), added 27 Apr 2025
  • Shopee Philippines (com.shopee.ph), added 30 Oct 2025
  • Atome Philippines (ph.atome.paylater), added 30 Oct 2025

Total Philippine targets: 22 financial and e-commerce applications.

The dates show a pattern of progressive target expansion: the attackers began adding Philippine banks in December 2024 and have continued adding new targets through October 2025, indicating sustained, evolving interest in the Philippine market.


8. TARGETED FOREIGN FINANCIAL INSTITUTIONS

The C2 server's bank list reveals this is a multi-country operation. Beyond the Philippines, the following countries and institutions are targeted:

8.1 Malaysia (18 apps)

MAE by Maybank2u, Touch 'n Go eWallet, CIMB OCTO MY, RHB Mobile Banking, HLB Connect, Public Bank (PB engage MY), Alliance Online, AmOnline, UOB TMRW Malaysia, OCBC Malaysia, HSBC Malaysia, AffinAlways, AGRONet Mobile, myBSN, SC Mobile Malaysia, GO by Bank Islam, GXBank, Maybank

8.2 Indonesia (16 apps)

BCA, myBCA, Livin' by Mandiri (BMRI), BNI, Bank Rakyat Indonesia, CIMB Niaga, PermataMobile X, e-cash Panin, Danamon, BTN, BJB, Bank Neo, OCBC, JATIM, BSI, DANA, SeaBank

8.3 Vietnam (18 apps)

Techcombank, Sacombank, MB Bank, VPBank, SHB Mobile, MyVIB, VietABank, Eximbank, DongA Mobile, SCB Mobile, TP Bank, MSB mBank, Vietbank, KienlongBank Plus, Nam A Bank, SeAMobile, ACB (SafeKey + ONE Biz), OCB OMNI, PVConnect, Agribank, SmartBank (BIDV), MBS Mobile

8.4 Other Countries

Country | Apps
Cambodia | Wing Bank, CPbank Mobile Banking
Thailand | Binance TH
Singapore | DBS
New Zealand | Kiwibank
Saudi Arabia | SNB QuickPay
Bangladesh | AB Direct Internet Banking

8.5 Cryptocurrency Exchanges (5 apps)

Binance, Coinbase, OKX, Kraken, Bybit

8.6 E-commerce (2 apps)

Lazada, Shopee

Total across all countries: 87 targeted financial applications.

The earliest C2 entries date to July 2023 (Vietnamese banks), with progressive expansion to Indonesia (June 2024), Malaysia (September 2024), the Philippines (December 2024), and continuing through 2025-2026.


9. ENCRYPTION AND ANTI-FORENSIC TECHNIQUES

9.1 Application Packing (DPT-Shell)

The malware's code is protected using DPT-shell, an open-source Android DEX packing framework. The packer was identified by the com.jx.shell package name found in the decompiled stub code (containing ProxyApplication, JniBridge, and four other classes), which matches the DPT-shell open-source project. This was further confirmed by the characteristic asset file naming (OoooooOooo, vwwwwwvwww/) and a binary format matching DPT-shell's MultiDexCode.cpp source code. Standard decompilation produced only the packer's stub code, with the actual application logic entirely absent.

How DPT-shell hides the code:

  1. At build time, DPT-shell removes all method bytecode (63,713 methods) from the DEX files, replacing each method body with scrambled data.
  2. The original bytecode is serialized into a binary file stored at assets/OoooooOooo (3.5 MB).
  3. At runtime, a native library (libdpt.so) restores each method body just before execution.
  4. Anti-analysis defenses in libdpt.so include Frida detection, anti-ptrace, process inspection via /proc/self/maps, and inline hooking via the Dobby/ByteHook frameworks.

Defeating the packer:

The critical discovery was inside the APK's classes.dex, a 10 MB file containing only 108 methods and 6 classes, which is impossible under normal circumstances. Parsing the DEX header revealed that the actual DEX structure occupied only ~10 KB, ending at offset 0x25E8. Scanning the remaining bytes revealed a ZIP local file header (PK\x03\x04) immediately after the DEX map list:

import re

with open('classes.dex', 'rb') as f:   # shell classes.dex extracted from the APK
    dex_data = f.read()
rest = dex_data[0x2600:]               # skip the ~10 KB real DEX structure (ends at 0x25E8)
for m in re.finditer(b'PK\x03\x04', rest):
    print(f'ZIP header at 0x{0x2600 + m.start():x}')

This is DPT-shell's hiding mechanism: it appends a ZIP archive containing the original (hollowed) DEX files to the end of the shell classes.dex. Android's DEX loader reads only the DEX structure at the beginning and ignores the trailing data, while libdpt.so reads the same file as a ZIP to access the hidden entries.
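The snippet above scans from a fixed offset that was known for this sample. The following Go program, added here as an example and not part of the original analysis or of DPT-shell, generalizes the same check: it reads the end of the data section from the DEX header (the data section is the last section of a DEX file), scans the bytes after it for a ZIP local file header, and lists the entries of the trailing archive. The DEX blob it runs on is constructed in BuildSample, not taken from the real classes.dex; the header offsets (0x20 file_size, 0x68 data_size, 0x6C data_off) are from the Dalvik executable format.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Field offsets in the 0x70-byte DEX header (Dalvik executable format).
const (
	dexHeaderSize = 0x70
	offFileSize   = 0x20
	offDataSize   = 0x68
	offDataOff    = 0x6C
)

var zipLocalHeader = []byte("PK\x03\x04")

// FindTrailingZip locates where the real DEX structure ends (end of the data
// section, read from the header) and scans the remaining bytes for a ZIP
// local file header. It returns the absolute offset of the ZIP and the
// names of its entries. The Android DEX loader never reads past the DEX
// structure, which is exactly the gap the packer uses to hide the payload.
func FindTrailingZip(dex []byte) (int, []string, error) {
	if len(dex) < dexHeaderSize || !bytes.HasPrefix(dex, []byte("dex\n")) {
		return 0, nil, errors.New("not a DEX file")
	}
	dataEnd := int(binary.LittleEndian.Uint32(dex[offDataOff:]) +
		binary.LittleEndian.Uint32(dex[offDataSize:]))
	if dataEnd > len(dex) {
		return 0, nil, errors.New("DEX header data section exceeds the file")
	}
	rel := bytes.Index(dex[dataEnd:], zipLocalHeader)
	if rel < 0 {
		return 0, nil, errors.New("no ZIP local file header after the DEX structure")
	}
	zipOff := dataEnd + rel
	r, err := zip.NewReader(bytes.NewReader(dex[zipOff:]), int64(len(dex)-zipOff))
	if err != nil {
		return zipOff, nil, err
	}
	var names []string
	for _, f := range r.File {
		names = append(names, f.Name)
	}
	return zipOff, names, nil
}

// BuildSample constructs a toy shell DEX (constructed test data, not bytes
// from the real sample): a header whose data section ends at 0x80, followed
// by a ZIP holding two placeholder "hollowed" DEX files.
func BuildSample() []byte {
	hdr := make([]byte, 0x80)
	copy(hdr, "dex\n035\x00")
	binary.LittleEndian.PutUint32(hdr[offFileSize:], 0x80)
	binary.LittleEndian.PutUint32(hdr[offDataOff:], 0x70)
	binary.LittleEndian.PutUint32(hdr[offDataSize:], 0x10)

	var zb bytes.Buffer
	zw := zip.NewWriter(&zb)
	for _, name := range []string{"classes.dex", "classes2.dex"} {
		w, _ := zw.Create(name)
		w.Write([]byte("dex\n035\x00 placeholder body"))
	}
	zw.Close()
	return append(hdr, zb.Bytes()...)
}

func main() {
	off, names, err := FindTrailingZip(BuildSample())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("ZIP header at 0x%x, entries: %v\n", off, names)
}
```

On the real file the same function would report the header found just past the map list and name the four hollowed classes*.dex entries; the Android runtime ignores those trailing bytes, while libdpt.so opens the same file as a ZIP.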

Extracting this embedded ZIP yielded four DEX files:

File | Size | Methods | Classes
classes.dex | 9.4 MB | 64,990 | 9,229
classes2.dex | 9.0 MB | 64,812 | 9,915
classes3.dex | 4.2 MB | 24,097 | 4,270
classes4.dex | 29 KB | 448 | 99

These DEX files contained complete class structures and method signatures, but all method bodies were scrambled. By parsing the OoooooOooo binary format (documented in DPT-shell's source as MultiDexCode), we extracted 63,713 CodeItems (raw Dalvik bytecode) and patched them back into the correct DEX offsets. After recalculating each DEX's Adler32 checksum and SHA-1 signature, the restored files decompiled with JADX into 11,294 Java source files (99.7% success rate).
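The final step above, recomputing the checksum and signature after patching method bodies back in, is what makes the restored DEX files acceptable to JADX and to any parser that verifies the header. The Go program below is an added example (not the analysis's unpacker and not DPT-shell code) that implements that step: PatchCodeItem writes a recovered code item at a given offset, and FixDexChecksums recomputes the SHA-1 signature (covering everything from offset 0x20) and the Adler-32 checksum (covering everything from offset 0x0C), as the DEX format specifies. The toy DEX and the 16-byte "code item" are constructed for the example; parsing CodeItems out of OoooooOooo is not reproduced here, because that format is only summarized on this page.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/adler32"
)

// DEX header layout: Adler-32 checksum at 0x08 covers bytes 0x0C..end;
// SHA-1 signature at 0x0C covers bytes 0x20..end. Both are invalidated the
// moment any method body is patched, and DEX verifiers check them.
const (
	offChecksum  = 0x08
	offSignature = 0x0C
	offFileSize  = 0x20
	headerSize   = 0x70
)

func checkHeader(dex []byte) error {
	if len(dex) < headerSize || !bytes.HasPrefix(dex, []byte("dex\n")) {
		return errors.New("not a DEX file")
	}
	return nil
}

// FixDexChecksums recomputes both integrity fields in place. Order matters:
// the signature is part of the region the checksum covers, so it goes first.
func FixDexChecksums(dex []byte) error {
	if err := checkHeader(dex); err != nil {
		return err
	}
	sig := sha1.Sum(dex[offFileSize:])
	copy(dex[offSignature:offSignature+20], sig[:])
	binary.LittleEndian.PutUint32(dex[offChecksum:], adler32.Checksum(dex[offChecksum+4:]))
	return nil
}

// VerifyDexChecksums reports whether the stored signature and checksum
// match the file contents.
func VerifyDexChecksums(dex []byte) (bool, error) {
	if err := checkHeader(dex); err != nil {
		return false, err
	}
	sig := sha1.Sum(dex[offFileSize:])
	if !bytes.Equal(dex[offSignature:offSignature+20], sig[:]) {
		return false, nil
	}
	stored := binary.LittleEndian.Uint32(dex[offChecksum:])
	return stored == adler32.Checksum(dex[offChecksum+4:]), nil
}

// PatchCodeItem copies a recovered code item into the DEX at the offset the
// method's code_off points to, refusing offsets outside the file.
func PatchCodeItem(dex []byte, codeOff int, body []byte) error {
	if codeOff < headerSize || codeOff+len(body) > len(dex) {
		return errors.New("code item offset outside the DEX")
	}
	copy(dex[codeOff:], body)
	return nil
}

// BuildHollowedSample makes a toy DEX (constructed, not from the sample):
// a valid header followed by 16 bytes of scrambled filler at 0x70, with
// checksum and signature correct for that content.
func BuildHollowedSample() []byte {
	dex := make([]byte, headerSize+16)
	copy(dex, "dex\n035\x00")
	binary.LittleEndian.PutUint32(dex[offFileSize:], uint32(len(dex)))
	copy(dex[headerSize:], bytes.Repeat([]byte{0xEE}, 16)) // scrambled body
	FixDexChecksums(dex)
	return dex
}

func main() {
	dex := BuildHollowedSample()
	PatchCodeItem(dex, headerSize, bytes.Repeat([]byte{0x00}, 16)) // restore step
	before, _ := VerifyDexChecksums(dex)
	FixDexChecksums(dex)
	after, _ := VerifyDexChecksums(dex)
	fmt.Printf("valid before fix: %v, after fix: %v\n", before, after)
}
```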

9.2 Communication Encryption

The malware employs two distinct encryption layers:

Layer 1: DES-ECB (Configuration Decryption)

Build-time encrypted strings in BuildConfig are decrypted at runtime by OkhttpKt.doOutput():

Algorithm:   DES (56-bit effective key)
Mode:        ECB (Electronic Codebook)
Key:         h3@FuaKc (hardcoded)
Flow:        Base64 input → DES decrypt → UTF-8 JSON

BuildConfig Field | Encrypted Value | Decrypted Value
BaseAddress | xSj8uQb2s2pTspNI1oG+Dw== | app.ftjph.top
JsonStr | njBeTefIzCqpXabg4qKMy+H90f7... | Runtime config JSON (see Appendix A)

Layer 2: AES-256-ECB (API Traffic Encryption)

All HTTP traffic between the malware and C2 is encrypted using AES, implemented in AESUtils.java:

Algorithm:   AES-256
Mode:        ECB with PKCS5Padding
Key derivation:
  1. Read BuildConfig.encryptionKey = "cKzJwz6ZF9ra5EybFZWtadaKTPCkST2A"
  2. Compute MD5 hash of the key string
  3. Lowercase the hex digest: "9a34ad6f0f964d6bde807527d365aa4b"
  4. Use this 32-byte string as the AES-256 key

The OkHttp ParamsInterceptor encrypts every outbound request body, and the ResponseInterceptor decrypts every response where "type":"encryption" is present. Requests to api.telegram.org bypass encryption (Telegram Bot API fallback channel).

Both layers were fully reversed during this analysis, enabling decryption of all C2 traffic and live probing of the operational server.
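The two layers are simple enough to reproduce in a short decryptor for captured traffic, which is what an analyst needs to read BuildConfig strings and recorded C2 responses offline. The Go program below is an added example and not the malware's AESUtils.java or the analysis's own script; the key strings and the BaseAddress ciphertext are the values quoted in this section, the MD5-then-lowercase-hex key derivation and the ECB/PKCS5 handling follow the description above, and IsEncryptedResponse mirrors the ResponseInterceptor's "type":"encryption" trigger. It only decrypts; the encrypt helper exists so the round trip can be checked on constructed input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/md5"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Values quoted from the analysis (Section 9.2); nothing here is generated.
const (
	DESConfigKey    = "h3@FuaKc"
	AESMasterKey    = "cKzJwz6ZF9ra5EybFZWtadaKTPCkST2A"
	C2HostCipherB64 = "xSj8uQb2s2pTspNI1oG+Dw=="
)

// DeriveAESKey reproduces the SDK's derivation: MD5 of the master key string,
// as a 32-character lowercase hex digest whose ASCII bytes become the AES-256
// key (only 128 bits of real entropy, and fully recoverable from the APK).
func DeriveAESKey(master string) []byte {
	sum := md5.Sum([]byte(master))
	return []byte(hex.EncodeToString(sum[:]))
}

func pkcs5Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("ciphertext is not block-aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS5 padding")
	}
	return b[:len(b)-n], nil
}

// ECB runs the block cipher over each block independently: no IV, so equal
// plaintext blocks give equal ciphertext blocks. Pad and Base64 as the SDK does.
func ecbEncrypt(block cipher.Block, plain []byte) string {
	bs := block.BlockSize()
	in := pkcs5Pad(plain, bs)
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		block.Encrypt(out[i:i+bs], in[i:i+bs])
	}
	return base64.StdEncoding.EncodeToString(out)
}

func ecbDecrypt(block cipher.Block, b64 string) ([]byte, error) {
	in, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(in)%block.BlockSize() != 0 {
		return nil, errors.New("bad Base64 or ciphertext length")
	}
	out := make([]byte, len(in))
	for i, bs := 0, block.BlockSize(); i < len(in); i += bs {
		block.Decrypt(out[i:i+bs], in[i:i+bs])
	}
	return pkcs5Unpad(out, block.BlockSize())
}

// Layer 1: DES-ECB with the hardcoded 8-byte key (BuildConfig strings).
func DESDecryptConfig(b64 string) (string, error) {
	block, err := des.NewCipher([]byte(DESConfigKey))
	if err != nil {
		return "", err
	}
	pt, err := ecbDecrypt(block, b64)
	return string(pt), err
}

// Layer 2: AES-256-ECB over API bodies with the derived 32-byte key.
func AESDecryptBody(key []byte, b64 string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return ecbDecrypt(block, b64)
}

// IsEncryptedResponse mirrors the ResponseInterceptor's trigger.
func IsEncryptedResponse(body []byte) bool {
	var env struct {
		Type string `json:"type"`
	}
	return json.Unmarshal(body, &env) == nil && env.Type == "encryption"
}

func main() {
	host, err := DESDecryptConfig(C2HostCipherB64)
	fmt.Printf("BaseAddress -> %q (err=%v)\n", host, err)
	fmt.Printf("derived AES key: %s\n", DeriveAESKey(AESMasterKey))
}
```

Because both keys are static and ECB carries no nonce, every capture of this traffic, past or future, decrypts with the same two functions; that is the property the analysis relied on to read the C2's responses.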

9.3 Additional Encryption Keys Found

Key | Value | Purpose
AES master key (pre-derivation) | cKzJwz6ZF9ra5EybFZWtadaKTPCkST2A | Source for API encryption key
Secondary AES key | cfb@PassW0rd0124 | Secondary encryption operations
MD5 salt | bw2021@jlj34ij34lkj?d30RJcaipiao | Password hashing
Text encryption key | 48vtHQWiPId0lCD0 | Text field encryption
DES ciphertext (C2 hostname) | xSj8uQb2s2pTspNI1oG+Dw== | Decrypts to app.ftjph.top

9.4 Code Obfuscation

  • Package names use confusing patterns: p000O8oO888, p019O, p022o0o0
  • Variable names use Unicode/non-printable characters
  • Class names use abstract identifiers: AbstractC1497, o0o0, Oo0

9.5 Anti-Analysis Defenses

The native library libdpt.so implements multiple techniques to prevent dynamic analysis and debugging:

Technique | Evidence
Frida detection | Scans for strings: frida-agent, pool-frida, gum-js-loop, gmain, gdbus
Process inspection | Reads /proc/self/maps, /proc/%d/maps, /proc/%d/task to detect attached debuggers and injected libraries
Anti-ptrace | Uses a fork() + waitpid() pattern to prevent debugger attachment
Signal manipulation | Uses sigaction, sigprocmask, sigsetjmp/siglongjmp to detect and disrupt debugging
Linker hooking | Accesses internal symbols: __dl__Z23linker_get_error_bufferv, __dl__ZL10g_dl_mutex
Code encryption | JNI_OnLoad resides in a .bitcode section; it disassembles as garbage until decrypted at runtime

10. ATTRIBUTION INDICATORS

10.1 Chinese-Speaking Cybercrime Group

Indicator | Evidence
Chinese language in source code | Crash handler: "程序崩溃" (program crashed); clipboard: "文本已复制到剪贴板" (text copied to clipboard); API error: "参数错误" (parameter error); deprecated marker: "废弃了" (deprecated)
Chinese C2 response | /x/common-zh endpoint returned "参数错误"
Baidu connectivity test | SDK tests internet connectivity via https://www.baidu.com, a Chinese search engine
Alibaba Cloud hosting | Two of four C2 servers hosted on Alibaba Cloud (8.219.0.0/16, 101.37.0.0/16)
Aliyun DNS resolver | SDK includes the Aliyun DoH resolver (203.107.1.1) alongside Google/Cloudflare
Jenkins CI build path | /var/jenkins_home/workspace/remoteEncrypt1/ indicates professional, automated build infrastructure

10.2 Organized Criminal Enterprise

Indicator | Evidence
Professional SDK | com.bw package is a modular, plug-and-play malware SDK with abstract base classes, plugin interfaces, and configurable encryption, designed for rapid deployment of campaign variants
Automated builds | Jenkins CI/CD pipeline (remoteEncrypt1) automates variant creation
Multi-developer team | MVVM architecture, Kotlin coroutines, WorkManager, and Sentry integration indicate experienced Android developers
Multi-country targeting | 87 financial apps across 10+ countries, with progressive expansion over 2+ years

10.3 Illegal Gambling Connection

The SDK's API error codes contain constants revealing its original purpose:

Error Code | Constant | Meaning
35000 | SERVER_ERROR_LESS_MIN_BET | Below minimum bet
-200099 | WITHDRAW_ERROR_BALANCE | Insufficient withdrawal balance
-200029 | WITHDRAW_ERROR_FLOWING_WATER | Flowing water error
-200098 | WITHDRAW_ERROR_IN_REVIEW | Withdrawal under review

These gambling-specific error codes prove the SDK was originally developed for illegal online gambling/betting platforms before being repurposed for banking fraud and government impersonation.

10.4 Additional C2 Domain Intelligence

An image asset URL found in the C2 bank list references a different domain:

https://ador.rrbp.xyz/image/dacfad0ca86ac0ec30befe55e3430fde1wAVyU.png

The domain ador.rrbp.xyz may be associated with the same threat actor's infrastructure and warrants further investigation.


11. INDICATORS OF COMPROMISE

11.1 Network Indicators

Type | Value | Context
Domain | egov.vrph.cc | Fake eGOVph website / malware distribution
IPv4 | 188.114.96.2 | Fake eGOVph website IP (Cloudflare)
Domain | app.ftjph.top | Primary C2 server
IPv4 | 154.19.187.36 | Primary C2 IP
IPv4 | 8.219.85.91 | WebSocket C2 / screen streaming (port 8888)
IPv4 | 101.37.81.24 | RTMP video exfiltration (port 1935)
Domain | sentry.absu.cc | Telemetry / crash reporting
Domain | ador.rrbp.xyz | Asset hosting (from C2 bank list)
URL | rtmp://101.37.81.24 | RTMP stream endpoint
Sentry DSN | 25ec02b4ad32d7ed8a8cf065ec1c6def@sentry.absu.cc/2 | Sentry project identifier

11.2 File Indicators

Type | SHA-256 Hash
Malicious APK | 5cad193cefa135f0ef651402732ba7e0c3fd4b906f76ef5cb87c5aba9da72cde
libdpt.so (arm64) | 424695a6d0fe93d1944ba896dd6355acaeb7315872726931bb22c1caa666e139
libdpt.so (arm32) | 0537d757ceddfe2552eb94a4b0b483cf8d67e6a00f5abb3c44b599f35781ad2d
libKqRwjUsc.so | ca8aee852f5bb1d482ed66b2c12452734356a685656e2cc3d9067d0a91685f0b
libyaBWImwH.so | fbb8305e415e9a1d41232a2e980f6a00ccffe143fcf9f884ced1b65e4f1c94bd
libWLfOEaUr.so | a0f302b163975576f0238fed3a0a5d079a1054306f518dbb73b233cb2ff8cbf1
libASDFGHJ.so | 8520ca45eb054db303bbf7c28acdca79ae9aa9e0b6dd44d43b5c1cc3694a3c1d

11.3 Application Identifiers

Identifier | Value
Android Package Name | io.jtjyp.wxfcu
Internal Package | io.mkvps.ujwxe
Packer Signature | com.jx.shell.ProxyApplication
JNI Bridge | com.jx.shell.JniBridge
DPT Asset Path | assets/vwwwwwvwww/
DPT Asset File | assets/OoooooOooo
Junk Code Class | com.qywl.znkj.junkcode.JunkClass
Accessibility Service | FocusService
SDK Package | com.bw (library: common_release)

11.4 Detection Signatures

Mobile devices and networks should be monitored for:

  • Applications requesting both Accessibility Service and SMS reading permissions
  • Network connections to any of the IP addresses or domains listed in Section 11.1
  • Presence of the package name io.jtjyp.wxfcu or io.mkvps.ujwxe
  • WebSocket connections to port 8888 with video streaming patterns
  • RTMP connections to port 1935
  • HTTP traffic with header type: encryption to unknown servers
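The network-side items in the list above translate directly into detection rules. The Go program below is an added example (not a detection from the original report) that applies them to connection events: known IoC domains and IPs from Section 11.1, WebSocket upgrades on port 8888, RTMP on port 1935, and the type: encryption marker sent to a server that is not on a trusted list. The "key=value" event format, the trusted-host list, and the sample events in SampleLog are all constructed for this example; a real deployment would parse its own proxy or NetFlow export into the same fields.

```go
package main

import (
	"fmt"
	"strings"
)

// Network IoCs from Section 11.1 of the report.
var iocDomains = map[string]string{
	"egov.vrph.cc":   "fake eGOVph site / malware distribution",
	"app.ftjph.top":  "primary C2",
	"sentry.absu.cc": "telemetry / crash reporting",
	"ador.rrbp.xyz":  "asset hosting",
}

var iocIPs = map[string]string{
	"188.114.96.2":  "fake eGOVph site (Cloudflare)",
	"154.19.187.36": "primary C2",
	"8.219.85.91":   "WebSocket screen streaming relay",
	"101.37.81.24":  "RTMP video exfiltration",
}

// Alert is one flagged event; Reasons lists every rule it matched.
type Alert struct {
	Line    int
	Dst     string
	Reasons []string
}

// parseKV parses the constructed "key=value key=value" event format assumed
// by this example (fields: ts, src, dst, dport, proto, upgrade, type).
func parseKV(line string) map[string]string {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if kv := strings.SplitN(tok, "=", 2); len(kv) == 2 {
			fields[kv[0]] = kv[1]
		}
	}
	return fields
}

// evaluate applies the Section 11.4 network rules to one event.
func evaluate(f map[string]string, trusted map[string]bool) []string {
	var reasons []string
	dst := strings.ToLower(f["dst"])
	if ctx, ok := iocDomains[dst]; ok {
		reasons = append(reasons, "known IoC domain: "+ctx)
	}
	if ctx, ok := iocIPs[dst]; ok {
		reasons = append(reasons, "known IoC IP: "+ctx)
	}
	if f["dport"] == "8888" && f["upgrade"] == "websocket" {
		reasons = append(reasons, "WebSocket on port 8888 (screen streaming relay pattern)")
	}
	if f["dport"] == "1935" || f["proto"] == "rtmp" {
		reasons = append(reasons, "RTMP on port 1935 (video exfiltration pattern)")
	}
	if f["type"] == "encryption" && !trusted[dst] {
		reasons = append(reasons, "type: encryption marker sent to an unknown server")
	}
	return reasons
}

// ScanLog runs evaluate over every line and returns the flagged events.
func ScanLog(lines []string, trusted map[string]bool) []Alert {
	var alerts []Alert
	for i, line := range lines {
		f := parseKV(line)
		if r := evaluate(f, trusted); len(r) > 0 {
			alerts = append(alerts, Alert{Line: i + 1, Dst: f["dst"], Reasons: r})
		}
	}
	return alerts
}

// SampleLog is constructed test data, not traffic captured from the sample;
// 203.0.113.10 is a documentation address standing in for an unknown host.
var SampleLog = []string{
	"ts=2026-02-19T08:00:01Z src=10.0.0.7 dst=app.ftjph.top dport=443 proto=https type=encryption",
	"ts=2026-02-19T08:00:02Z src=10.0.0.7 dst=8.219.85.91 dport=8888 proto=http upgrade=websocket",
	"ts=2026-02-19T08:00:03Z src=10.0.0.7 dst=101.37.81.24 dport=1935 proto=rtmp",
	"ts=2026-02-19T08:00:04Z src=10.0.0.7 dst=play.googleapis.com dport=443 proto=https",
	"ts=2026-02-19T08:00:05Z src=10.0.0.7 dst=203.0.113.10 dport=443 proto=https type=encryption",
}

func main() {
	trusted := map[string]bool{"play.googleapis.com": true} // constructed allowlist
	for _, a := range ScanLog(SampleLog, trusted) {
		fmt.Printf("line %d dst=%s: %s\n", a.Line, a.Dst, strings.Join(a.Reasons, "; "))
	}
}
```

The IoC matches are the high-confidence rules; the port and marker rules are behavioural and will need tuning against the environment's own WebSocket and RTMP baseline, and they keep working after the operators rotate hosts, which Section 6.3 shows they can do at runtime.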

12.1 If You Installed This App

  1. Immediately turn off your phone's internet connection (Wi-Fi and mobile data) to stop the malware from streaming your screen and sending data to the attackers.
  2. Do not open any banking apps on the infected device.
  3. Using a different device, change all your banking passwords and PINs immediately.
  4. Contact your bank and report that your credentials may have been compromised. Request that they freeze suspicious transactions and monitor your account for unauthorized activity, including loan applications you did not make.
  5. Uninstall the fake eGOVph app - go to Settings > Apps, find the app, and uninstall it. If the app resists uninstallation, perform a factory reset.
  6. Check your SMS history - the malware intercepts all text messages, including OTPs. If you used SMS-based 2FA for any account, consider those accounts compromised.
  7. File a report with the NBI Cybercrime Division or PNP Anti-Cybercrime Group.

12.2 How to Protect Yourself

  • Only install apps from the Google Play Store or Apple App Store. The real eGOVph app is available exclusively on official app stores.
  • The government will never call or text you to install an app. If someone claims to be from a government agency and asks you to download something, it is a scam.
  • Never enable "Install from Unknown Sources" for apps sent via links in SMS, Viber, Messenger, or other messaging apps.
  • Never grant Accessibility Service permissions to apps unless you fully understand what the app does. This permission gives an app complete control over your device.
  • Enable Google Play Protect - go to Play Store > Profile > Play Protect > Settings and make sure "Scan apps with Play Protect" is turned on.
  • Be suspicious of apps requesting excessive permissions - a legitimate government app does not need access to your camera, SMS, contacts, and accessibility services simultaneously.