Mobile malware analysis for the BBC
ID: fa913953-8402-5ba5-a4ee-30de6dd51514
STIX ID: report--fa913953-8402-5ba5-a4ee-30de6dd51514
Feed Name: Pen Test Partners Blog
PTP analyzed a malicious Android app, **PDF AI:Add-On** (package com.sljnofppc.tcrpyvpaw), likely sideloaded via the Android Package Installer. The app abuses the Android Accessibility service to persist, block its own removal, self-grant permissions, overlay and tapjack screens, and monitor user input; its configuration targets banking apps (notably Barclays and Revolut), and its infrastructure includes IP 91.215.85.55, linked to a malicious 1.apk. Key capabilities included run-at-startup, wake lock, appear-on-top, package deletion, and potential SMS interaction (only write access was observed). Although direct SMS abuse was not evidenced on the victim device, PTP assesses with high confidence that the app functioned as an Android banking trojan responsible for the subsequent fraud.
