2025-12-06 – Track 1
Mobile malware is no longer a fringe concern—it’s a fast-evolving threat that quietly compromises users across the globe. This session dives into two years of malware investigations, revealing how attackers exploit social engineering and impersonate trusted Android apps to gain full control of devices. Through a case study, we expose the inner workings of a repackaged RAT campaign and the critical phases of its attack: Delivery, Enablement, and Exploitation.
Attendees will gain insight into how threat actors manipulate Android Accessibility Services, bypass user defences, and adapt their tactics in response to improved detection. While not directly targeting South African institutions, the campaign’s techniques pose real risks to financial applications and user privacy. This talk offers insights into mobile malware campaigns and highlights the urgent need for collaboration, education, and smarter defences in the mobile threat landscape.
Mobile malware continues to evolve, posing a persistent and often underestimated threat to users worldwide. In this session, we present key findings from a series of malware investigations conducted over the past two years, offering a comprehensive look into the current state of mobile malware and its implications for users and institutions alike.
We begin by exploring the broader mobile threat landscape—highlighting prevalent malware capabilities, global distribution trends, and the challenges in attributing these campaigns to specific threat actors. The talk then focuses on a detailed case study of a sophisticated malware campaign that leverages social engineering and impersonates legitimate Android applications to compromise user devices.
The attack is broken down into three critical phases: Delivery, Enablement, and Exploitation. We demonstrate how attackers manipulate users into granting dangerous permissions, particularly Android Accessibility Services, ultimately gaining full control of the device. Our reverse engineering reveals the malware to be a repackaged variant of the Gigabud Remote Access Trojan (RAT), previously seen in campaigns impersonating government services. We will also cover a few reactive strategies that the threat actors adopted in response to improved detection, and how their delivery methods changed as a result.
While this malware is not specifically designed to target South African institutions, the tactics and methods employed by threat actors enable them to manipulate users into granting access to their financial applications. This underscores the importance of practical mitigation strategies, such as user education, understanding Google Play Protect’s behaviour, and fostering collaboration among financial institutions to strengthen detection and response efforts.
This talk aims to demystify the mobile malware ecosystem, assess the real-world risks to users, and highlight actionable steps that can be taken to disrupt these evolving threats.
Brent Shaw began his career in audio engineering, working on real-time distributed audio control systems before transitioning into the world of cybersecurity. His early focus on Industrial Control System (ICS) security introduced him to the complexities of SCADA and PLC environments, where he developed expertise in protecting critical infrastructure.
Today, Brent works as a cybersecurity researcher with a strong emphasis on security automation. His interests span a wide range of cutting-edge topics, from breaching air-gapped networks to unconventional techniques like ultrasonic mole detection. Brent’s work combines deep technical knowledge with a passion for exploring the boundaries of security in both traditional and emerging domains.
With a decade embedded in the financial sector’s digital trenches, [Redacted] has analysed malware strains, reverse-engineered adversarial code, and profiled threat actors operating in the shadows of global finance. Armed with a PhD in Signals Intelligence, they’ve traced lateral movement across compromised networks and developed behavioural fingerprints of Advanced Persistent Threat (APT) groups. Their work bridges the gap between deep technical analysis and real-world adversary tracking.
