by Noufal Radhitya, Threat Intelligence Intern @ PT ITSEC Asia Tbk
One quiet weeknight, the author received a message from a supervisor who claimed to have just been contacted by an unknown person via a social media direct message. The message contained an offer to try an online gambling app with the lure of huge profits and exclusive access. At first glance, the promotion looked like the usual spam that circulates on the internet. However, there was something odd about how the app was distributed: it was pushed through a phishing page that mimicked the Google Play Store interface.
Distribution of Spyware and How It Works
The attacker uses social media accounts to carry out social engineering against potential victims via direct messages (DMs). In this case, an account named “Rosita Idris” sent messages offering opportunities for quick profits with financial-sounding claims such as “high returns + fast process.”

The message includes an external link to the suspicious domain gmqf07[.]com/index107[.]html, which is believed to function as a malware distribution or phishing site. The site mimics the user interface of the Google Play Store, but the domain is not a Google domain and the page is not the official Google Play website. This technique exploits the victim's curiosity and interest in economic opportunities to increase the likelihood of clicking the link and playing the game; in this case, the emojis used in the message show that the attacker is promoting an online gambling app (online casino and roulette).

The website's source code contains references to China, but this alone is not a definitive indicator that the distributor or actor is based in China; such artifacts can also be inherited from reused phishing kits or templates.
Infection Chain
As previously mentioned, this gambling-themed spyware was distributed through Direct Message (DM) phishing campaigns that redirected victims to fake websites impersonating the Google Play Store. This technique was likely used to make the malicious APK appear trustworthy and legitimate.
During the investigation, several active hyperlinks were identified, including links to WhatsApp and Telegram channels used to distribute the spyware further. By leveraging instant messaging platforms, threat actors were able to bypass traditional marketplace security controls while directly engaging with potential victims.

The APK was distributed as com.gacormax107.app.apk, but once installed it appeared under the display name Gacor Max. In Indonesia, the term "gacor" is closely associated with online gambling culture and is commonly used to describe a "winning" condition. This localized branding indicates that the threat actors intentionally used familiar gambling-related terminology to increase credibility and encourage victims to install the application.
The author classified this online gambling application as spyware based on findings obtained during behavioral and static analysis. Several suspicious permissions were identified that are unusual for a conventional gambling application. The phone state permission (android.permission.READ_PHONE_STATE), for example, can be used to obtain sensitive device identifiers such as the victim's IMEI, SIM-related information, and network status data. One caveat: on Android 10 and later, third-party apps can no longer read non-resettable identifiers such as the IMEI through this permission, but it still exposes SIM and network state, and older devices, which remain common, still hand over the IMEI. These permissions enable the operators to perform victim profiling, device tracking, or correlate infected users across multiple campaigns. Such capabilities far exceed the functional requirements of a typical gambling app and point to surveillance-oriented features embedded in the APK.

In addition, the gambling-themed application requested several other sensitive permissions that significantly increase privacy and security risks for victims. Permissions such as android.permission.CAMERA, READ_EXTERNAL_STORAGE, READ_MEDIA_IMAGES, READ_MEDIA_VIDEO, and READ_MEDIA_AUDIO allow the application to access the device camera as well as media files stored on the victim's device, including personal photos, videos, screenshots, and audio recordings. Requesting both the legacy READ_EXTERNAL_STORAGE permission and the READ_MEDIA_* permissions that replaced it in Android 13 means the app can reach media on old and new Android versions alike. Access to these resources creates the possibility of unauthorized data collection and surveillance.

This assessment was further strengthened when the application was detonated on a virtual device: throughout dynamic analysis it remained stuck on its loading screen, even though the emulator ran other applications normally. The combination was treated as malicious because the application requested high-risk permissions without ever exposing a feature that would legitimately need them, such as registration, identity verification, or media-related functionality. The stuck loading screen also suggests the malware is designed to avoid detection, refusing to run when it senses it is being analyzed by security researchers. Techniques of this nature are commonly used by Android malware to evade automated analysis, restrict payload delivery, or selectively activate malicious functionality only on real victim devices. Because an app that simply cannot reach its backend from an isolated sandbox shows the same symptom, the emulator-detection hypothesis should be confirmed, for example by checking whether the sample ever attempts a network connection or reads emulator-identifying properties.
The WAKE_LOCK permission was also detected. It can be abused to keep processes running in the background even when the device is idle; from a malware operations perspective, this keeps the malware in contact with command-and-control (C2) infrastructure or sustains continuous monitoring without any user interaction. Note that WAKE_LOCK is a normal-protection permission granted without a prompt and is common in benign apps, so on its own it is weak evidence; it matters here in combination with the permissions above.
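The permission review described above can be turned into a repeatable static-analysis step. The script below is an added example, not the author's own tooling: it parses a decoded AndroidManifest.xml (the plain XML that `apktool d <apk>` writes out, since the manifest inside an APK is binary AXML), lists every declared permission, and separates those a casino/roulette client has no functional need for from low-signal ones such as WAKE_LOCK. The manifest embedded in the script is constructed from the permissions the article reports; the package name `com.gacormax107.app` is assumed from the APK file name, and the escalation rule is this example's own.

```python
"""Triage the permissions declared in a decoded AndroidManifest.xml.

Added example, not the original analysis tooling. Assumes the manifest
has already been decoded to plain XML (e.g. by `apktool d <apk>`). The
manifest below is a constructed stand-in built from the permissions the
article reports, not the real Gacor Max manifest; the package name is
assumed from the APK file name.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a casino/roulette client has no functional need for, with
# the capability each one hands to the operator.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "SIM/network state; IMEI on Android < 10",
    "android.permission.CAMERA": "live camera capture",
    "android.permission.RECORD_AUDIO": "microphone capture",
    "android.permission.READ_EXTERNAL_STORAGE": "shared storage (Android <= 12)",
    "android.permission.READ_MEDIA_IMAGES": "photos and screenshots (Android 13+)",
    "android.permission.READ_MEDIA_VIDEO": "videos (Android 13+)",
    "android.permission.READ_MEDIA_AUDIO": "audio files (Android 13+)",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS content, including OTPs",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# Normal-protection permissions granted without a prompt and common in
# benign apps: worth noting, but weak evidence on their own.
LOW_SIGNAL = {
    "android.permission.WAKE_LOCK": "keep CPU awake for background work (e.g. C2 polling)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart at boot",
    "android.permission.FOREGROUND_SERVICE": "long-running service",
}


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every <uses-permission android:name=...> in the manifest, in order."""
    root = ET.fromstring(manifest_xml)
    return [
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    ]


def triage(manifest_xml: str) -> dict:
    """Bucket the declared permissions and return a small report with a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    report = {
        "package": root.get("package"),
        "sensitive": {p: SENSITIVE[p] for p in perms if p in SENSITIVE},
        "low_signal": {p: LOW_SIGNAL[p] for p in perms if p in LOW_SIGNAL},
        "other": [p for p in perms if p not in SENSITIVE and p not in LOW_SIGNAL],
    }
    # Escalation rule (an assumption of this example): any sensitive
    # permission in a gambling client is enough to send it for manual review.
    report["verdict"] = "escalate" if report["sensitive"] else "no permission findings"
    return report


# Constructed manifest: permission set as reported in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.gacormax107.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.READ_MEDIA_VIDEO"/>
    <uses-permission android:name="android.permission.READ_MEDIA_AUDIO"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="Gacor Max"/>
</manifest>
"""

if __name__ == "__main__":
    r = triage(SAMPLE_MANIFEST)
    print(r["package"], "->", r["verdict"])
    for p, why in r["sensitive"].items():
        print("  [!]", p, "-", why)
    for p, why in r["low_signal"].items():
        print("  [ ]", p, "-", why)
    for p in r["other"]:
        print("  [ ]", p)
```

Run it against the manifest apktool produces for a sample and compare the `sensitive` bucket with what the app visibly does; the mismatch between permissions requested and features offered is the signal the article relies on.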

This online gambling application appeared to function as a centralized platform connected to multiple gambling servers simultaneously through several update URLs embedded within the application. While multi-URL mechanisms are commonly used for redundancy in legitimate applications, here they also let the actors maintain communication and payload delivery even if some domains are blocked or taken down. An illustration of the attack infection flow can be seen below.
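Finding those embedded update URLs does not require running the sample. The script below is an added example, not the author's tooling: it treats the APK as the ZIP file it is, scans every entry for http(s) URLs, groups them by host, and reports hosts that serve the same path, which is what a set of fallback mirrors for one backend looks like. The APK it scans is constructed in memory with reserved `.example` hostnames; the article does not reproduce the real update URLs. Obfuscated or runtime-assembled URLs will not be caught by a byte scan, and a sample with network permissions but no visible URLs is itself worth noting.

```python
"""Pull embedded URLs and hosts out of an APK without executing it.

Added example, not the original analysis tooling. Dex string pools and
asset files store unobfuscated URLs as plain bytes, so a byte regex over
every ZIP entry finds them. The sample APK is constructed in memory with
reserved .example hostnames; it is not the Gacor Max APK.
"""
import io
import re
import zipfile
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def extract_urls(apk_bytes: bytes) -> dict[str, set[str]]:
    """Map each host to the set of URLs referencing it, across all ZIP entries."""
    by_host: dict[str, set[str]] = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            for m in URL_RE.finditer(data):
                # Trailing punctuation is usually the surrounding string, not the URL.
                url = m.group(0).decode("ascii", "replace").rstrip(".,)'\"")
                host = urlparse(url).hostname
                if host:
                    by_host[host].add(url)
    return dict(by_host)


def redundancy_report(by_host: dict[str, set[str]]) -> dict[str, list[str]]:
    """Paths served by more than one host: likely fallback mirrors of one backend."""
    hosts_by_path: dict[str, set[str]] = defaultdict(set)
    for host, urls in by_host.items():
        for url in urls:
            hosts_by_path[urlparse(url).path].add(host)
    return {path: sorted(hosts) for path, hosts in hosts_by_path.items() if len(hosts) > 1}


def build_sample_apk() -> bytes:
    """Constructed stand-in APK: a dex-like string pool plus an asset file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Binary AXML magic only; a real manifest holds no URLs worth scanning.
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        # Dex strings are NUL-separated in the string pool, which the regex respects.
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join([
            b"Lcom/example/App;",
            b"https://update-a.example/app/update.json",
            b"https://update-b.example/app/update.json",
            b"https://update-c.example/app/update.json",
            b"http://cdn.example/assets/splash.png",
        ]))
        zf.writestr("assets/config.txt", b"endpoint=https://update-a.example/app/update.json\n")
    return buf.getvalue()


if __name__ == "__main__":
    hosts = extract_urls(build_sample_apk())
    for host in sorted(hosts):
        print(host, sorted(hosts[host]))
    print("mirrors:", redundancy_report(hosts))
```

Feed the output hosts into blocklists and passive-DNS lookups; three hosts sharing `/app/update.json` is exactly the fallback pattern the article describes, and each one has to be blocked for the takedown to bite.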

Recommendations
- Avoid Unofficial APK Sources
Avoid downloading APK files from unofficial sources, especially those distributed through Direct Messages (DM), WhatsApp, Telegram, or websites impersonating trusted platforms such as the Google Play Store. Users should only install applications from official marketplaces like the Google Play Store to reduce the risk of malware infection.
- Verify Domain and Developer Legitimacy
Verify the legitimacy of application domains and developers before installation. Suspicious indicators include recently registered domains, URLs that do not belong to the platform being imitated, excessive gambling-related branding, or APK files distributed outside official app ecosystems.
- Review Application Permissions
Review application permissions carefully before installation. Gambling applications generally do not require access to sensitive resources such as the camera, audio recordings, phone state information, or full media storage access. Requests for excessive permissions should be treated as a potential indicator of spyware activity.
- Use IntelliBroń Aman for Mobile Protection
Cybersecurity threats continue to evolve, including threats targeting the smartphones people use every day. To help detect and prevent emerging mobile threats, IntelliBroń Aman is recommended as a security solution for smartphones, including protection against malicious online gambling applications and spyware-related threats.

