
F-Secure research

Inside Sisurya: Indonesia’s Emerging Android Cyber Crime Syndicate

Apramey Bhat | May 28, 2025 | 20 min read

Sisurya is an emerging threat actor group based in Indonesia that specializes in the sale and distribution of Android-focused cyber crime tools—including malware, phishing kits, ransomware, and spyware. Instead of carrying out attacks directly, Sisurya operates as a service provider, offering its tools to other cyber criminals. These clients customize and distribute the malware, often disguising it as games, utilities, or system updates and spreading it through social media, messaging apps, and other unofficial channels.

F-Secure first identified Sisurya’s activity through the analysis of a screenlocker APK sample detected in our telemetry. This malware abused the SYSTEM_ALERT_WINDOW permission to simulate locking of the Android device and extort victims. Further investigation uncovered a broader ecosystem of criminal activity operated by the syndicate.

In this article, F-Secure researcher Apramey Bhat provides an in-depth look at Sisurya’s operations, mapping its tactics against the F-Secure Scam Kill Chain. The analysis includes technical insights into its tools and behaviors, along with recommendations for defending against mobile malware threats.

Understanding Sisurya’s Malware-as-a-Service Model

At the core of Sisurya’s offering is a set of malicious Android applications:

  • SurxRAT APKs: A full-fledged mobile control panel used by threat actors to remotely manage infected devices via an integrated dashboard, providing access to SMS, call logs, files, photos, audio recordings, and other sensitive data.

  • Base APKs: Trojanized Android applications designed to be installed on victim devices, often disguised as games, utilities, or system updates. These base APKs request extensive permissions and, once granted, silently connect the infected device to the attacker’s SurxRAT control panel, enabling remote access to personal data, device functions, and continuous spyware activity.

  • MT Manager (MTManajer) APK: An APK editing tool included in the Sisurya package. MT Manager is not developed by the group itself but is provided to buyers for customizing base APKs: changing app icons, modifying the embedded App IDs to point to SurxRAT infrastructure, editing ransom messages, and re-signing the apps for deployment.

Sisurya distributes and sells these kits along with credentials to access the SurxRAT dashboard to other threat actors through WhatsApp, Telegram channels, and their own online marketplace.

To support their buyers, the group even provides detailed video tutorials explaining how to use tools like MT Manager to tailor base APKs to their specific needs, making the process accessible even to relatively inexperienced operators. The group's backend infrastructure relies heavily on Firebase services, making direct interception and analysis challenging for analysts without valid SurxRAT credentials.

Payment and distribution process

Sisurya continuously shifts its communication channels and employs WhatsApp chatbots to automate the purchase and distribution process. Prices for credentials and malware kits range between 30,000 Indonesian Rupiah (IDR)—approximately €1.6—and 300,000 IDR (~€16), with profit-sharing models typically favoring the buyer (80%–20% split), though full ownership options exist for higher-tier purchases.

Through this distribution model, Sisurya lowers the barrier to entry for mobile cyber crime, enabling a wider pool of less tech-savvy threat actors to launch phishing, extortion, and spyware campaigns against unsuspecting Android users.

Backend infrastructure and payment flow

Victim communications and data flow through Firebase services operated by Sisurya. The traffic is encrypted and access to the admin dashboards is secured with password protection, limiting visibility to anyone without valid credentials. Payments for SurxRAT kits, Base APKs, and credentials are typically made through Indonesian e-wallet and mobile banking apps, with transactions routed to accounts at Nobu Bank, a privately owned commercial bank based in Indonesia.

Profit models and threat actor incentives

Sisurya generally operates a profit-sharing model where the secondary threat actors deploying the malware-as-a-service retain 80% of proceeds from their campaigns, while Sisurya keeps a 20% cut. Alternatively, purchasing higher-tier packages grants full ownership and control over the malware, allowing actors to retain 100% of their illicit earnings.

How Threat Actors Use and Profit from Sisurya’s Model

Sisurya has built a streamlined and highly accessible model for enabling mobile cyber attacks. Their ecosystem provides everything a threat actor needs, from ready-made malware kits to customization tutorials, significantly lowering the technical skill required to operate sophisticated phishing and ransomware campaigns. The workflow below outlines how attackers can acquire, customize, distribute, and ultimately profit from Sisurya’s malicious tools.

1. Purchasing SurxRAT kits and Base APKs

The Sisurya operation begins when another threat actor purchases a SurxRAT phishing kit along with login credentials from Sisurya’s online store, WhatsApp, or Telegram channels. Alongside access to the SurxRAT admin dashboard, the actor also receives different varieties of Base APKs. These are usually lightweight Android applications such as simple games, utility tools, or basic remote access apps, all intended to serve as carriers of the malicious payload.

Figure 1. Screenshots from Sisurya's distribution platform showcasing the availability of SurxRAT variants, base APKs for customization, and the group’s official WhatsApp channel used to promote and sell these tools

2. Customizing using MT Manager

Before deployment, the Base APKs must be customized. Sisurya provides detailed tutorials on using the MT Manager app to modify the APKs. Threat actors are instructed to edit key fields such as the App ID (linking the app to their SurxRAT backend), change app names, icons, and ransom demand texts, and then re-sign and rebuild the APKs to make them ready for distribution to victims. Notably, the entire process can be completed on the Android device itself, without requiring a PC, which makes deployment straightforward for threat actors.

Figure 2. Sisurya’s official TikTok channel showcasing tutorial videos

3. Distributing to victims

After customization, the malicious APKs are distributed using social engineering tactics or channels preferred by the operators. These apps are often disguised as legitimate software—such as games, utilities, or system updates—to trick users. Distribution typically takes place via social media, messaging platforms, phishing emails, or unofficial app stores, all designed to lure victims into installing the malware.

4. Infection and device enrollment

When a victim installs one of the malicious apps and grants the requested extensive permissions, such as SMS access, file system control, microphone recording, and screen overlays, the device automatically connects back to the attacker’s SurxRAT dashboard. The infected device then appears in the attacker's admin panel, granting full control over the victim’s data and certain device behavior.

Figure 3. Screenshots of the SurxRAT admin panel showing infected devices, live data streams (e.g. SMS, call logs, file access), and a wide range of remote control features such as audio recording, screen manipulation, and system-level actions

5. Monetization and exploitation

Once a device is infected, threat actors can monetize their access through several methods. They may steal personal data, launch ransomware-style attacks by persistently displaying a ransom note or changing the device wallpaper to show a demand, or spy on the victims using tools like the Eavesdropping APK.

Figure 4. Examples of ransom-style messages displayed by Sisurya-linked malware

The Eavesdropping APK captures images through the device’s front camera, which are then used to craft threatening emails falsely claiming that the victim was caught engaging in inappropriate behavior. In some cases, the stolen images and data are leveraged for targeted extortion.

Figure 5. Eavesdropping APK captures the image from the front camera and forwards it to a public Telegram channel

Technical Analysis: How Sisurya Base APKs Exploit Devices

The following analysis is based on code snippets extracted from one of the Sisurya Base APKs, obtained through our telemetry and decompiled via static analysis. This particular sample represents a core malware component used by the Sisurya group and illustrates how they exploit victim devices.

The decompiled code reveals sophisticated techniques for data exfiltration, device control, and stealth operation—demonstrating how this Indonesian threat actor develops, distributes, and monetizes its Android malware ecosystem using Firebase-backed infrastructure.

Android Manifest analysis

The first step in our static analysis was examining the Android Manifest file, which revealed an extensive set of permissions requested by the malware.

Figure 6. Extract from the AndroidManifest.xml showing the extensive range of dangerous permissions requested by the malware

These permissions provide the foundation for Sisurya's exploitation capabilities:

1. System Control

  • REQUEST_INSTALL_PACKAGES/REQUEST_DELETE_PACKAGES: Ability to silently install and remove apps

  • MANAGE_EXTERNAL_STORAGE: Complete control over files (beyond basic read/write)

  • ACCESS_SUPERUSER: Root access when available (extremely dangerous)

  • SYSTEM_ALERT_WINDOW: Overlay screens for phishing or screen locking

  • REQUEST_IGNORE_BATTERY_OPTIMIZATIONS: Prevents device power-saving from killing the malware

2. Surveillance

  • SMS permissions for intercepting verification codes and messages

  • Contact and call log access for relationship mapping

  • Audio recording for environmental surveillance

  • Camera access for capturing images without user knowledge

  • Location tracking for physical monitoring

  • FOREGROUND_SERVICE_MEDIA_PROJECTION: Screen recording capabilities

3. Persistence

  • WAKE_LOCK: Keeps the device awake to perform operations

  • FOREGROUND_SERVICE: Maintains operation even when app is backgrounded
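A manifest triage script, added here as an example (not F-Secure's tooling and not code from the Sisurya APKs), that groups the requested permissions into the three categories above and flags the overlay + SMS + foreground-service combination that characterises this family. It expects the decoded text form of AndroidManifest.xml (for instance apktool output); the manifest it runs on below is a constructed sample with a hypothetical package name, and the flag names are this script's own:

```python
"""Permission triage for a decoded AndroidManifest.xml.

Added example for this article, not F-Secure's tooling and not code from the
Sisurya APKs. Input is the decoded text form of the manifest (e.g. apktool
output); the sample manifest below is constructed with a hypothetical package.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The three groups used in the analysis. Names are the suffix after the
# "android.permission." prefix; ACCESS_SUPERUSER is a root-manager permission,
# not an AOSP one, which is why matching is done on the suffix only.
CATEGORIES = {
    "system_control": {
        "REQUEST_INSTALL_PACKAGES", "REQUEST_DELETE_PACKAGES",
        "MANAGE_EXTERNAL_STORAGE", "ACCESS_SUPERUSER",
        "SYSTEM_ALERT_WINDOW", "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    },
    "surveillance": {
        "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS", "READ_CALL_LOG",
        "RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
        "FOREGROUND_SERVICE_MEDIA_PROJECTION",
    },
    "persistence": {"WAKE_LOCK", "FOREGROUND_SERVICE"},
}
SMS_PERMS = {"READ_SMS", "RECEIVE_SMS"}


def requested_permissions(manifest_xml):
    """Short names of every <uses-permission> entry, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter():
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            full_name = elem.get(ANDROID_NS + "name", "")
            names.append(full_name.rsplit(".", 1)[-1])
    return names


def categorize(perms):
    """Map each category to the sorted list of requested permissions it contains."""
    found = set(perms)
    return {cat: sorted(found & members) for cat, members in CATEGORIES.items()}


def spyware_indicators(perms):
    """Triage flags for the behaviours the analysis describes; sorted list of names."""
    found = set(perms)
    flags = []
    has_overlay = "SYSTEM_ALERT_WINDOW" in found
    has_sms = bool(found & SMS_PERMS)
    has_fgs = "FOREGROUND_SERVICE" in found
    if has_overlay:
        flags.append("overlay")             # screen locking / fake dialogs
    if has_sms:
        flags.append("sms_interception")    # OTP and message capture
    if has_fgs and "WAKE_LOCK" in found:
        flags.append("persistent_service")  # keeps running in the background
    if has_overlay and has_sms and has_fgs:
        flags.append("overlay_sms_fgs_combo")
    return sorted(flags)


def triage(manifest_xml):
    """Full triage result for one decoded manifest."""
    perms = requested_permissions(manifest_xml)
    return {"permissions": perms, "categories": categorize(perms),
            "flags": spyware_indicators(perms)}


# Constructed sample manifest (hypothetical package name, trimmed to the parts
# that matter for permission triage).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.ACCESS_SUPERUSER"/>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

Run it on a real decoded manifest with `triage(open("AndroidManifest.xml").read())`. Permissions alone are not proof of malice (a legitimate messaging app needs READ_SMS), so the flags are triage hints to be confirmed against the decompiled code, which is exactly the route the rest of this analysis follows.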

Firebase-based command and control

Sisurya relies heavily on Firebase for their command and control (C2) infrastructure, as evidenced by the configuration strings found in their malware.

Figure 7. Firebase configuration strings embedded within the malware, revealing the use of Google-hosted infrastructure for command and control

This Firebase infrastructure can potentially enable the malware to:

  • Store and update command instructions for infected devices

  • Exfiltrate sensitive data from victims

  • Maintain persistent communications with minimal detection

  • Leverage Google's reliable infrastructure rather than setting up custom servers
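An added example, not part of the original analysis, of the string scan an analyst would run over the decoded resources of such a sample to recover a Google-hosted backend: it looks for the resource keys the google-services Gradle plugin generates from google-services.json (google_app_id, google_api_key, firebase_database_url, and similar), Firebase Realtime Database and Storage host names, and the Google Apps Script and Google Drive endpoints that this analysis mentions for media uploads. The strings.xml excerpt it scans is constructed with placeholder values, and the API-key regex is the common AIza-prefix heuristic, not a guarantee:

```python
"""Cloud-backend fingerprinting over strings from a decoded APK.

Added example for this article, not F-Secure's or Sisurya's code. It looks for
the resource keys the google-services Gradle plugin writes into values.xml,
Firebase host names, and the Google Apps Script / Drive endpoints an upload
routine would reference. The strings.xml excerpt below is constructed with
placeholder values.
"""
import re

# Resource names generated from google-services.json by the google-services plugin.
FIREBASE_RESOURCE_KEYS = {
    "google_app_id", "google_api_key", "firebase_database_url",
    "google_storage_bucket", "project_id", "gcm_defaultSenderId",
}

URL_TAIL = r"[^\s\"'<]*"
PATTERNS = {
    "firebase_rtdb": re.compile(r"https?://[\w.-]+\.firebaseio\.com" + URL_TAIL),
    "firebase_storage": re.compile(r"https?://firebasestorage\.googleapis\.com" + URL_TAIL),
    "apps_script": re.compile(r"https?://script\.google\.com/macros/s/" + URL_TAIL),
    "google_drive": re.compile(r"https?://drive\.google\.com/" + URL_TAIL),
    # Heuristic: Google API keys start with "AIza" and are 39 characters long.
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

STRING_RES_RE = re.compile(r'<string name="([^"]+)"[^>]*>([^<]*)</string>')


def firebase_resources(text):
    """name -> value for every Firebase-generated <string> resource in the text."""
    return {name: value for name, value in STRING_RES_RE.findall(text)
            if name in FIREBASE_RESOURCE_KEYS}


def backend_endpoints(text):
    """label -> sorted unique matches for each endpoint pattern that hits."""
    hits = {}
    for label, pattern in PATTERNS.items():
        found = sorted(set(pattern.findall(text)))
        if found:
            hits[label] = found
    return hits


def fingerprint(text):
    """Summarise whether, and how, the sample points at Google-hosted infrastructure."""
    resources = firebase_resources(text)
    endpoints = backend_endpoints(text)
    return {"resources": resources, "endpoints": endpoints,
            "google_hosted_backend": bool(resources) or bool(endpoints)}


# Constructed strings.xml excerpt; every value is a placeholder, not a real key or project.
SAMPLE_STRINGS_XML = """<resources>
    <string name="app_name">Game Free</string>
    <string name="google_app_id">1:000000000000:android:placeholder</string>
    <string name="google_api_key">AIzaPLACEHOLDER_KEY_NOT_REAL_0123456789</string>
    <string name="firebase_database_url">https://example-project-default-rtdb.firebaseio.com</string>
    <string name="upload_endpoint">https://script.google.com/macros/s/PLACEHOLDER_DEPLOYMENT_ID/exec</string>
</resources>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(fingerprint(SAMPLE_STRINGS_XML), indent=2))
```

The same patterns work on the output of `strings` over classes.dex for samples that hard-code endpoints instead of using the generated resources. A hit confirms Google-hosted infrastructure, which matters for response: the project identifiers and endpoints are what goes into an abuse report to the hosting provider, since there is no attacker-owned server to take down.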

Extensive data exfiltration capabilities

The code analysis reveals sophisticated data exfiltration mechanisms targeting virtually all personal data on victims' devices:

1. Email account harvesting

  • The following code snippet systematically collects all email accounts registered on the device and formats them into a single string in which each account carries a unique numbered identifier.

  • The harvested data is structured with "GMAIL/" prefixes and numerical indexing (e.g. "GMAIL/1 ~ user@gmail.com").

    Figure 8. Code snippet showing how the malware extracts all email accounts from the device using AccountManager, matches them with email patterns, and formats them

2. SMS interception

  • The malware implements continuous SMS monitoring through a persistent timer mechanism. The following code sets up a real-time SMS interception system that captures the sender address and message content of incoming messages.

  • The malware establishes a background process that checks for new messages every 500 milliseconds and continues this monitoring indefinitely through the message processing loop. The high-frequency polling (twice per second) enables the malware to capture time-sensitive messages such as one-time passwords and authentication codes almost immediately after they arrive.

  • When new messages are detected, they're automatically uploaded to the Firebase backend, giving attackers access to potentially sensitive verification codes, personal communications, and financial notifications.

Figure 9. Code snippet illustrating the malware’s SMS interception mechanism

3. Media file extraction

  • This code handles the recursive exfiltration of media files from the device. After a file is successfully uploaded, this callback creates a record in Firebase with metadata including a Google Drive link, device IP, and a unique key.

  • It then automatically advances to the next file in the target list, reads and Base64-encodes its content, and initiates another upload to a Google Apps Script endpoint. This systematically transfers all targeted media files to the attacker's storage.

Figure 10. Code excerpt demonstrating the extraction and upload of media files

4. Covert audio recording

  • The audio recording functionality is particularly invasive. The malware first creates a hidden directory, using a folder name that begins with a dot (.); on Unix-like systems, including Android, this convention hides the directory from standard file browsers.

  • It then configures a MediaRecorder targeting the device microphone (audio source 1) and prepares to record in a basic 3GPP format with AMR audio encoding. The recording is stored as "devsisuryaofficial.mp3" in the hidden directory.

  • The code schedules the recording to begin after a 1-second delay, and based on timer configurations elsewhere in the code, recordings typically last for 30 seconds. Once complete, the audio file is automatically uploaded to Firebase Storage.

Figure 11. Code snippet that highlights hidden directory creation, media recorder initiation, saving of the recording, and uploading to Firebase Storage

Remote control capabilities

The SurxRAT administration panel provides operators with extensive remote control capabilities over infected devices. Analysis of the Base APK reveals the underlying command-handling architecture that establishes this bidirectional control channel between the threat actor's dashboard and compromised devices. This command interpretation system enables operators to execute a wide range of actions remotely.

1. Command execution system

  • The command execution system enables threat actors to exercise extensive control over compromised devices.

  • Operators can remotely toggle the flashlight, trigger device vibration, play sounds through the speaker, change the device wallpaper, display toast messages on screen, utilize text-to-speech to make the device speak, and even initiate phone calls to specified numbers.

  • This comprehensive suite of remote capabilities transforms the victim's device into a fully controllable tool for the attacker, facilitating both covert surveillance and overt harassment.

    Figure 12. Code snippet illustrating the remote command handling logic, which branches on the command received (e.g. 'fla' for flashlight, 'vib' for vibration, 'wal' for wallpaper change, and so on)

2. File system management

  • The malware enables complete control over the victim's file system. This allows operators to browse, download, delete, and upload files on the victim's device at will.

    Figure 13. Code snippet highlighting file management logic

Stealth techniques

Sisurya's malware employs multiple stealth mechanisms to evade detection.

1. App icon hiding

  • The malware hides itself from the user's app drawer immediately after installation. The constant ‘2’ represents COMPONENT_ENABLED_STATE_DISABLED, effectively removing the app icon while allowing the malware to run in the background.

    Figure 14. Code snippet used to hide the app icon by setting the component state to value 2, effectively removing the app from the launcher while keeping its background operations active

2. Background service persistence

  • The following code snippet highlights two common techniques used by Android-based spyware to maintain persistence and gain deep access to user data.

  • First, it launches a foreground service, which allows the app to continue running in the background with higher priority, making it less likely to be terminated by the system. This is a typical tactic used by malicious apps to stay active without raising suspicion.

  • Following that, the code aggressively checks for and requests a series of dangerous permissions—including access to SMS messages, contacts, call logs, external storage, and location.

  • If any permission is not granted, the app immediately prompts the user to allow it, effectively creating a loop of continuous permission requests until all required access is obtained. This behavior is designed to pressure users into enabling full spying capabilities without understanding the risks.

Figure 15. Code demonstrating the use of a foreground service for persistence and repeated permission prompts for surveillance-related access

Device identification and tracking

The malware collects extensive device information to uniquely identify each victim. The following code snippet is dedicated to collecting detailed fingerprinting data from infected devices, allowing the attacker to uniquely identify and track victims.

Upon receiving a response from a remote IP geolocation service, the app parses and displays the victim's public IP address, then builds a comprehensive data structure containing device and user metadata. This includes information such as the IP address, battery level, device manufacturer, model, operating system version, language settings, Gmail accounts, SMS logs, and call logs.

Figure 16. Code snippets responsible for harvesting detailed device identifiers and system information, including IP address, battery level, manufacturer, OS version, screen resolution, and user account data

All of this is aggregated into a map and pushed to the attacker’s Firebase backend. Additionally, a separate function collects hardware and system identifiers including the device serial number, build ID, screen resolution, and host details.

‘Display over other apps’ abuse

One of the key techniques leveraged by this malware is the abuse of Android’s SYSTEM_ALERT_WINDOW permission, which directly corresponds to the ‘Display over other apps’ setting in the device’s permissions manager. Once this permission is granted, the app can create overlays that sit on top of all other applications, effectively hijacking the user interface.

Figure 17. Ransomware demand on the screen abusing SYSTEM_ALERT_WINDOW permission

The code defines a function that sets up a floating view using TYPE_APPLICATION_OVERLAY (value 2010), a system-level window type that enables persistent, screen-wide overlays. When combined with touch-blocking flags or full-screen views, this capability is commonly used to simulate fake system dialogs, lock screens, or ransom notes, trapping users and preventing normal device interaction.

Figure 18. Abuse of the SYSTEM_ALERT_WINDOW permission enables the malware to display persistent overlays over other apps. The code sets a window type (2010) that allows full-screen or touch-blocking views

Mobile Malware Is Evolving—Here’s How to Stay Ahead

The Sisurya threat group exemplifies how mobile malware developers package and sell tools to other cyber criminals—enabling attacks to be carried out regardless of the operator’s technical expertise.

By leveraging APK customization tools like MT Manager and infrastructure backed by Firebase, Sisurya empowers even low-skilled actors to launch complex Android-based campaigns with relative ease. Its phishing kits feature a modular design, persistent services, screen overlay abuse, and detailed device profiling. Combined with aggressive permission harvesting and stealth techniques—such as hiding the app icon after installation—these capabilities make Sisurya’s malware particularly dangerous.

What makes Sisurya’s ecosystem especially concerning is its accessibility. A low cost of entry, flexible payment options via Indonesian mobile banking, and regular support through chatbots and tutorials—plus the ability to deploy malware without a PC—allow cyber criminals to adopt and scale operations quickly. As a result, the barrier to entry for engaging in mobile spyware, extortion, and fraud is significantly reduced.

Tips to protect Android devices from mobile malware

As mobile malware becomes more sophisticated—particularly with scalable threats like those distributed by the Sisurya group—users must take an active role in protecting their devices and data. The following best practices can significantly reduce the risk of infection and exploitation:

  • Download apps only from trusted sources, such as the Google Play Store. However, even Play Store apps should be treated with caution—monitor their behavior after installation. Watch for unusual permission requests or suspicious background activity, as some threat actors initially upload benign apps and later push malicious updates.

  • Be wary of excessive permission requests, especially those involving SMS, contacts, call logs, location, or screen overlay access. If an app’s purpose doesn’t clearly justify these permissions, deny them or avoid using the app altogether.

  • Review app permissions and settings regularly, with particular attention to those granted ‘Display over other apps’ privileges. This permission can be exploited to lock the screen or phish for credentials.

  • Check for hidden apps, including those with no launcher icon or misleading names and icons. Some malware hides its presence after installation to avoid detection.

  • Use a trusted mobile security solution that can detect malware, flag suspicious permission usage, and monitor device behavior in real time.
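Two of the checks above (hidden apps, and which apps hold ‘Display over other apps’) correspond to the icon-hiding and SYSTEM_ALERT_WINDOW abuse described in the technical analysis, and both can be scripted over adb when triaging a device. This is an added example, not F-Secure's tooling: it parses the output of `pm list packages -3`, of `cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`, and of `appops get <pkg> SYSTEM_ALERT_WINDOW`. The command outputs embedded below are constructed and the package names in them are hypothetical; the parsers deliberately ignore header lines, since the exact framing of that output varies between Android releases:

```python
"""Hidden-app and overlay-permission checks over adb output.

Added example for this article, not F-Secure's tooling. It parses the text
output of three adb shell commands; the sample outputs below are constructed
and the package names in them are hypothetical.
"""
import re
import subprocess

# "pm list packages -3" prints one "package:<name>" line per third-party app.
PKG_LINE_RE = re.compile(r"^package:(\S+)$")
# Launcher query results contain "<package>/<activity>" components.
COMPONENT_RE = re.compile(r"\b([A-Za-z][\w.]*)/[\w.$]+")
# "appops get <pkg> SYSTEM_ALERT_WINDOW" reports "SYSTEM_ALERT_WINDOW: <mode>; ...".
APPOP_RE = re.compile(r"SYSTEM_ALERT_WINDOW:\s*(\w+)")

LAUNCHER_QUERY = ["cmd", "package", "query-activities", "--brief",
                  "-a", "android.intent.action.MAIN",
                  "-c", "android.intent.category.LAUNCHER"]


def adb_shell(args):
    """Run an adb shell command on the attached device and return its stdout."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return proc.stdout


def parse_installed(pm_output):
    """Third-party package names from 'pm list packages -3' output, in order."""
    names = []
    for line in pm_output.splitlines():
        m = PKG_LINE_RE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def parse_launcher_packages(query_output):
    """Packages that expose at least one MAIN/LAUNCHER activity."""
    return {m.group(1) for m in COMPONENT_RE.finditer(query_output)}


def hidden_packages(installed, launcher_pkgs):
    """Installed third-party packages the launcher cannot show an icon for."""
    return sorted(p for p in installed if p not in launcher_pkgs)


def parse_overlay_mode(appops_output):
    """Mode of the SYSTEM_ALERT_WINDOW app-op ('allow', 'deny', 'ignore', 'default') or None."""
    m = APPOP_RE.search(appops_output)
    return m.group(1) if m else None


def overlay_holders(appops_by_pkg):
    """Packages whose overlay app-op is set to allow."""
    return sorted(p for p, out in appops_by_pkg.items() if parse_overlay_mode(out) == "allow")


def review(pm_output, query_output, appops_by_pkg):
    """Combine both checks; 'both' is the set to look at first."""
    installed = parse_installed(pm_output)
    hidden = hidden_packages(installed, parse_launcher_packages(query_output))
    overlay = overlay_holders(appops_by_pkg)
    return {"hidden": hidden, "overlay": overlay, "both": sorted(set(hidden) & set(overlay))}


def review_live_device():
    """Same checks against a device attached over adb (not used by the offline demo)."""
    pm_output = adb_shell(["pm", "list", "packages", "-3"])
    query_output = adb_shell(LAUNCHER_QUERY)
    appops = {p: adb_shell(["appops", "get", p, "SYSTEM_ALERT_WINDOW"])
              for p in parse_installed(pm_output)}
    return review(pm_output, query_output, appops)


# Constructed command output for the offline demo (hypothetical package names).
SAMPLE_PM = "package:com.example.notes\npackage:com.example.weather\npackage:id.demo.gamefree\n"
SAMPLE_QUERY = ("2 activities found:\n"
                "  com.example.notes/.MainActivity\n"
                "  com.example.weather/com.example.weather.ui.Launch\n")
SAMPLE_APPOPS = {
    "com.example.notes": "No operations.\n",
    "com.example.weather": "SYSTEM_ALERT_WINDOW: deny; time=+3d2h ago\n",
    "id.demo.gamefree": "SYSTEM_ALERT_WINDOW: allow; time=+2h12m3s ago\n",
}

if __name__ == "__main__":
    print(review(SAMPLE_PM, SAMPLE_QUERY, SAMPLE_APPOPS))
```

A third-party package without a launcher activity is not proof of icon hiding (keyboards, widgets and companion services legitimately have none), and a granted overlay app-op is only a concern when the app's purpose does not explain it; the intersection that `review()` returns as `both` is where a screenlocker of the kind described in this article would show up.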

Real-time defense against mobile threats

The mobile threat landscape is shifting from isolated malware apps to scalable malware-as-a-service operations like Sisurya. Combating these threats requires more than basic cyber hygiene—it needs layered defenses, proactive detection, and ongoing vigilance.

F‑Secure’s award-winning mobile protection solutions are designed to counter modern threats like Sisurya. With real-time protection, smart permission monitoring, and deep threat visibility, F‑Secure empowers users to stay in control of their devices and safeguard their personal data against evolving mobile attacks.

Additional Details: Framework Mapping

F-Secure Scam Kill Chain mapping

To provide broader context, we’ve mapped Sisurya’s behaviors against the F-Secure Scam Kill Chain—a framework that outlines the sequential stages of a scam operation. This alignment reveals the specific tactics used to gain access to victims and exploit that access for financial gain. By viewing Sisurya’s operations through the lens of the Scam Kill Chain, we gain deeper insight into how its ecosystem supports scalable, persistent, and profit-driven mobile scams.

Reconnaissance

Techniques and behavior:

  • Sisurya provides the tools (SurxRAT kits, Base APKs), while secondary threat actors conduct reconnaissance and victim targeting.

  • These actors may:

    • Use messaging apps (e.g., WhatsApp, Telegram) to lure victims directly.

    • Share malicious app links on public platforms like Facebook or YouTube.

    • Operate within closed channels or use previously harvested contact lists for targeting.

Development

Techniques and behavior:

  • Acquire infrastructure: Sisurya sets up and maintains Firebase backends, operates SurxRAT dashboards, and utilizes cloud services such as Google Drive and Google Apps Script.

  • Software development: The group develops and packages the SurxRAT APKs, Base APKs, and control panels with capabilities for remote access, SMS interception, audio recording, and more.

  • Acquire services: Sisurya runs a Malware-as-a-Service (MaaS) operation, selling kits and credentials via Telegram, WhatsApp, and dedicated online marketplaces.

  • Create accounts: Telegram and WhatsApp accounts are used to interact with customers and distribute kits.

  • Develop the bait: Base APKs (such as fake games or utilities) are used as lures. Buyers customize these APKs by modifying icons, app names, and embedded references to their infrastructure.

Contact

Techniques and behavior:

  • Secondary actors using Sisurya’s tools distribute trojanized APKs disguised as legitimate apps.

  • These apps are shared via online communities, messaging platforms, and piracy forums to trick users into downloading and installing them.

Persistence

Techniques and behavior:

  • Sisurya’s malware achieves persistence using Android’s foreground services to keep running silently in the background.

  • It can survive device reboots and reconnect automatically to the command-and-control dashboard.

  • The malware may switch behavior or communication channels based on context, such as redirecting users or interfering with uninstall attempts.

Access

Techniques and behavior:

  • Victim information stolen with malware: The Base APKs function as spyware, collecting SMS, call logs, contacts, location data, microphone recordings, photos, and more.

  • Attacks with no interaction with the victim: After installation and permission granting, the malware operates silently, extracting data without needing further interaction from the user.

Exfiltrate

Techniques and behavior:

  • C2 channel: Sisurya uses Firebase as its command-and-control backend, transmitting stolen data from infected devices over encrypted connections.

  • Direct access to victim’s device: Attackers gain full remote access to infected devices through SurxRAT, including access to files, screen data, SMS, audio, and more.

Lateral Movement

Techniques and behavior:

  • Spread to victim’s contacts: SurxRAT includes SMS control and spam capabilities that let attackers message the victim’s contacts automatically.

  • Compromise victim’s other accounts: By intercepting SMS and verification codes, attackers can reset passwords or gain access to linked services.

  • Leverage victim’s access rights: Collected data such as login credentials and tokens may be used to access financial or social media accounts.

Monetization

Techniques and behavior:

  • Direct transfer of funds: Victims may be extorted into making payments via mobile banking apps or Indonesian e-wallet services.

  • Sale of stolen data: Stolen information such as call logs, messages, or email content can be resold or reused in future cyber attacks.

  • Identity theft for further benefits: Personally identifiable information (PII) and account credentials may be exploited to impersonate victims, take out loans, or perform unauthorized transactions.

MITRE ATT&CK framework mapping

The following section maps the observed tactics, techniques, and procedures (TTPs) used by the Sisurya malware ecosystem to the MITRE ATT&CK® framework for Android (v17), highlighting how various capabilities align with standardized adversary behaviors across the mobile threat landscape.

The mapping covers the following tactics:

  • Initial Access

  • Persistence

  • Privilege Escalation

  • Defense Evasion

  • Credential Access

  • Discovery

  • Collection

  • Command and Control

  • Exfiltration

  • Impact

Indicators of Compromise (IoCs)

  • https://sisurya[.]site

  • base01.apk: e320c9738701b6e5da1c6a071c7242cf1f11d64ed08beab94409928bed3e7cdc

  • base33.apk: f75346b6c3ea154180ac4a897ab94b346144fb587e14dcf10332921a1ec0c994

  • baseapknew.apk: f3d9472b91ff1d53f2623b0cdca702c3b3445176c690c14f9fcab668599ea92b

  • baseffbeta.apk: 33c2ba06fab101671c2c0258508b9f8351da250ffb2b12fbf481f9b39b4524c8

  • basepanelff.apk: 9b66c90f4f6f75ca58d73be642bdf50d862e759792e569d461f20e2473201e6c

  • onlinesim.apk: e92115b500e0e553006e91b935f9ba1b38589f4662a545ec9659bc666c17da88

  • panelpterodactyl.apk: 9987b3bc185b90aefe6687644966fc1085a71abca0057b3e0cd4e68add1c1610

  • predikspaceman.apk: f1ba5854be2e3a36fb55071c11471bd97b039f1f7bf4dd3320620648bc4a3a8c

  • s33.apk: 951fd8faddf5cdb03bb7e2a61f8c18f881fb5c9b827903730270f1d8d32fdf1d

  • surxratprivatenew.apk: 9ca04a3bf06af722b9858830395bcfe7534f07fae1c97d2ae1d4cba7a9d7d551

  • surxratv2.apk: a950ded735d1e6c5eff5d0eae6d2473260cc10551f7489525b6c0b991fc53e14
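A hash-matching helper, added here as an example (not F-Secure's tooling), that checks files against the SHA-256 indicators above and refangs the defanged domain for use in a blocklist. The hash table is copied from the list above; the bytes used to demonstrate a non-match are constructed:

```python
"""SHA-256 indicator matching for the Sisurya IoCs listed in this article.

Added example, not F-Secure's tooling. The hash table is copied from the
article's IoC list; the bytes used in the demo are constructed.
"""
import hashlib
from pathlib import Path

# sha256 -> file name, as listed in the article's IoCs.
SISURYA_SHA256 = {
    "e320c9738701b6e5da1c6a071c7242cf1f11d64ed08beab94409928bed3e7cdc": "base01.apk",
    "f75346b6c3ea154180ac4a897ab94b346144fb587e14dcf10332921a1ec0c994": "base33.apk",
    "f3d9472b91ff1d53f2623b0cdca702c3b3445176c690c14f9fcab668599ea92b": "baseapknew.apk",
    "33c2ba06fab101671c2c0258508b9f8351da250ffb2b12fbf481f9b39b4524c8": "baseffbeta.apk",
    "9b66c90f4f6f75ca58d73be642bdf50d862e759792e569d461f20e2473201e6c": "basepanelff.apk",
    "e92115b500e0e553006e91b935f9ba1b38589f4662a545ec9659bc666c17da88": "onlinesim.apk",
    "9987b3bc185b90aefe6687644966fc1085a71abca0057b3e0cd4e68add1c1610": "panelpterodactyl.apk",
    "f1ba5854be2e3a36fb55071c11471bd97b039f1f7bf4dd3320620648bc4a3a8c": "predikspaceman.apk",
    "951fd8faddf5cdb03bb7e2a61f8c18f881fb5c9b827903730270f1d8d32fdf1d": "s33.apk",
    "9ca04a3bf06af722b9858830395bcfe7534f07fae1c97d2ae1d4cba7a9d7d551": "surxratprivatenew.apk",
    "a950ded735d1e6c5eff5d0eae6d2473260cc10551f7489525b6c0b991fc53e14": "surxratv2.apk",
}
SISURYA_DOMAINS_DEFANGED = ["sisurya[.]site"]


def refang(indicator):
    """Turn the defanged 'x[.]y' / 'hxxp' notation back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory sample."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large APKs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def match_hash(digest):
    """IoC file name for a digest (case-insensitive, whitespace-tolerant), or None."""
    return SISURYA_SHA256.get(digest.strip().lower())


def scan_blobs(blobs):
    """Match in-memory samples: {label: bytes} -> [(label, ioc_name)]."""
    hits = []
    for label, data in blobs.items():
        name = match_hash(sha256_bytes(data))
        if name:
            hits.append((label, name))
    return hits


def scan_directory(root, suffixes=(".apk",)):
    """Walk a directory and report files whose hash is in the IoC list."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            name = match_hash(sha256_file(path))
            if name:
                hits.append((str(path), name))
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for found_path, ioc_name in scan_directory(target):
        print(f"{found_path}: matches IoC {ioc_name}")
    print("blocklist:", [refang(d) for d in SISURYA_DOMAINS_DEFANGED])
```

Hash matching only catches the exact samples listed; because buyers re-sign and rebrand the Base APKs with MT Manager, a repackaged kit will have a different hash, so these indicators are best paired with the permission and backend checks covered earlier in the analysis rather than relied on alone.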