DocSwap is a malicious Android application masquerading as a Document Viewing Authentication App. Cybercriminals use it to steal sensitive user data, such as login credentials, private messages, and financial details. The malware executes hidden code to gain full control of infected devices, enabling attackers to spy on victims, steal information, and carry out identity theft or financial fraud.
Threat Summary
| Attribute | Details |
|---|---|
| Name | DocSwap malicious application |
| Threat Type | Android malware, malicious application |
| Detection Names | Avast-Mobile (Android:Evo-gen [Trj]), Combo Cleaner (Android.Riskware.FakeApp.aAD), ESET-NOD32 (Android/Spy.Agent.ECE), Kaspersky (HEUR:Trojan-Spy.AndroidOS.Agent.amn) |
| Symptoms of Infection | Slow device performance, system modifications, increased data and battery usage, unauthorized apps, intrusive ads, browser redirections |
| Damage | Stolen private messages, login credentials, identity theft, financial fraud, data loss, high battery consumption |
| Distribution Methods | Fake Document Viewing Authentication App, third-party app stores, phishing messages, malicious ads |
| Danger Level | High (steals sensitive data, enables full device control) |
How DocSwap Works
Upon installation, DocSwap decrypts a hidden APK file that loads and executes a malicious DEX file. The malware employs a modified version of LoadedApkPlugin, an open-source project, with XOR encryption to evade detection.
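A dropper that carries its real payload as an XOR-obfuscated asset can be triaged statically by testing whether the asset decodes to a known file header. The helper below is an added example, not code from the article or from the DocSwap sample: it assumes a single repeating-byte XOR key (the article only says "XOR encryption", so the key length is an assumption for the demo) and that the decoded payload keeps its ordinary DEX or ZIP/APK header. The sample assets are constructed, not real malware bytes.

```python
"""Triage helper: find a DEX or APK payload hidden behind single-byte XOR.

Added example, not code from the article or from DocSwap. Assumes a
single-byte XOR key and an intact DEX/ZIP header after decoding.
"""
import math
from typing import Dict, Optional, Tuple

DEX_MAGIC = b"dex\n"        # classes.dex begins "dex\n" + 3-digit version + NUL
ZIP_MAGIC = b"PK\x03\x04"   # an APK is an ordinary ZIP archive


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (also reverses the obfuscation)."""
    return bytes(b ^ key for b in data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; obfuscated code sits far above plain text or XML."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_dex(header: bytes) -> bool:
    """'dex\\n', a three-digit version string, then a NUL terminator."""
    return (len(header) >= 8 and header[:4] == DEX_MAGIC
            and header[4:7].isdigit() and header[7] == 0)


def find_xor_key(blob: bytes) -> Optional[Tuple[int, str]]:
    """Try all 256 single-byte keys; return (key, kind) if a header decodes.

    Key 0 is tried on purpose: a hit there means the payload is not
    obfuscated at all, which is still worth reporting.
    """
    header = blob[:8]
    for key in range(256):
        plain = xor_bytes(header, key)
        if looks_like_dex(plain):
            return key, "dex"
        if plain[:4] == ZIP_MAGIC:
            return key, "apk"
    return None


def scan_assets(assets: Dict[str, bytes]) -> Dict[str, Tuple[int, str]]:
    """Report every asset whose bytes decode to a DEX or APK header."""
    hits = {}
    for name, blob in assets.items():
        found = find_xor_key(blob)
        if found:
            hits[name] = found
    return hits


# Constructed sample data: a fake DEX header plus filler, XOR'd with 0x5A,
# standing in for an asset a dropper might carry. Not real malware bytes.
_FAKE_DEX = b"dex\n035\x00" + bytes(range(256)) * 4
SAMPLE_ASSETS = {
    "fonts/default.ttf": xor_bytes(_FAKE_DEX, 0x5A),   # hidden payload
    "strings.txt": b"Document viewer ready\n" * 20,     # benign, low entropy
    "icon.png": b"\x89PNG\r\n\x1a\n" + bytes(64),        # benign image header
}

if __name__ == "__main__":
    for name, blob in SAMPLE_ASSETS.items():
        print(f"{name}: entropy={shannon_entropy(blob):.2f} "
              f"hit={find_xor_key(blob)}")
```

Run it over the `assets/` directory of an unpacked APK and sort by entropy first: a high-entropy file with an innocuous name (a "font" or "image" that is not one) is the candidate to decode. A multi-byte or rolling key will not be caught by this single-byte search, so a miss is not a clean bill of health.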
Key Malicious Activities
- Keylogging: Uses Android’s accessibility services to record keystrokes.
- File Transfer: Sends and receives files through network sockets.
- Camera & Microphone Access: Can remotely activate the camera and record audio.
- Permission Abuse: Requests access to call logs, contacts, SMS, and storage.
- Persistent Execution: Runs a hidden service that restarts after reboot.
- Remote Command Set: Supports over 50 commands from the operator, giving attackers full control of the device.
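The capabilities in this list leave fingerprints in the app's manifest: an accessibility service (needed for keylogging), a receiver on `BOOT_COMPLETED` (persistence across reboot), a device-admin receiver (resists uninstall) and the call-log, SMS, contacts, camera and microphone permissions. The script below is an added example, not the article's or any vendor's tool; it scores a manifest already decoded to text (for instance by apktool) against those indicators. The sample manifest and its package name are constructed for the demo.

```python
"""Static triage of a decoded AndroidManifest.xml for the indicators the
article lists: accessibility service, boot persistence, device-admin
receiver and sensitive-data permissions.

Added example, not code from the article. Expects the manifest as text;
the sample manifest below is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that match the data the article says DocSwap collects.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
}


def _a(el: ET.Element, name: str):
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def _has_action(component: ET.Element, action: str) -> bool:
    return any(_a(act, "name") == action for act in component.iter("action"))


def triage_manifest(xml_text: str) -> Dict[str, object]:
    """Return the matched indicators and a coarse score for one manifest."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    perms = {_a(p, "name") for p in root.iter("uses-permission")}
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append("sensitive permissions: " + ", ".join(sensitive))

    if any(_has_action(r, "android.intent.action.BOOT_COMPLETED")
           for r in root.iter("receiver")):
        findings.append("receiver restarts on boot")

    if any(_a(s, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
           for s in root.iter("service")):
        findings.append("accessibility service (can read screen and keystrokes)")

    if any(_a(r, "permission") == "android.permission.BIND_DEVICE_ADMIN"
           for r in root.iter("receiver")):
        findings.append("device-admin receiver (blocks simple uninstall)")

    score = len(findings)
    verdict = "high" if score >= 3 else "medium" if score == 2 else "low"
    return {"package": root.get("package"), "findings": findings,
            "score": score, "verdict": verdict}


# Constructed manifest resembling a fake "document viewer"; the package
# name is a placeholder, not DocSwap's real one.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".ViewerService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(text))
```

The score is a triage aid, not a verdict: a genuine keyboard or screen reader legitimately declares an accessibility service, and many apps restart on boot. What stands out is the combination, and in particular a "document viewer" that has no business with SMS, call logs or device administration.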
How to Remove DocSwap Malware
If you suspect your device is infected, follow these steps to remove the malware safely:
Step 1: Boot Into Safe Mode
- Press and hold the power button.
- Tap and hold “Power Off” until the “Reboot to Safe Mode” option appears.
- Select OK to boot into Safe Mode.
Step 2: Uninstall Suspicious Apps
- Go to Settings > Apps > Installed Apps.
- Look for any suspicious or recently installed apps.
- Tap the app and select Uninstall.
Step 3: Remove Device Administrator Permissions
- Go to Settings > Security > Device Administrators.
- Find DocSwap or unknown applications with admin access.
- Disable them and uninstall.
Step 4: Scan Your Device With Anti-Malware Software
Use a trusted anti-malware app like SpyHunter to detect and remove threats.
Step 5: Clear Cache and Reset Permissions
- Go to Settings > Storage > Cached Data and clear it.
- Reset app permissions in Settings > Apps > Reset App Preferences.
Step 6: Factory Reset (If Needed)
If the malware persists, back up your data and perform a factory reset:
- Settings > System > Reset > Factory Data Reset.
- Confirm reset and wait for the process to complete.
How to Prevent Future Infections
- Download apps only from Google Play Store. Avoid third-party app stores.
- Check app permissions. Avoid apps asking for unnecessary permissions.
- Use mobile security software. Regularly scan for threats.
- Avoid clicking on suspicious links. Be cautious with messages containing download links.
- Enable Google Play Protect. It helps detect harmful apps.
Conclusion
DocSwap is a highly dangerous Android malware designed to steal sensitive user data and grant attackers full control of infected devices. To protect yourself, follow the removal guide, avoid untrusted sources, and use security tools to detect malicious threats. If you suspect your device is compromised, act immediately to prevent data theft and security breaches.