Our Harvester Caught 'android-shadowspy' This Morning. It's One of 44 Android RATs Sitting in Public GitHub Repos — and It's the Same Malware the FBI Says Is Riding the World Cup.
- Patrick Duggan
- 6 minutes ago
- 4 min read
At 08:15 UTC this morning, our GitHub hunting cron did what it does every day — swept a set of high-signal search queries against public repositories with a word-boundary bait regex and a strong false-positive filter — and it pulled in a repo called android-shadowspy, tagged Android RAT. That is not remarkable on its own. What is remarkable is that it is routine. android-shadowspy is the newest entry in a steady, daily stream: across the catches our harvester has indexed, forty-four are Android remote-access trojans of the SpyNote family lineage, twenty-one are Discord token-grabbers, and the rest run through XWorm, loaders, and a handful of cPanel auth-bypass kits. These are not leaked, not hidden, not sold on a forum that takes three referrals to enter. They are sitting in public GitHub repositories with names like SpyNote-RAT-ANDROID and Discord-Mobile-Grabber, available to anyone who can press the green clone button. The malware economy has a self-service tier, and it is hosted on the world's largest code platform.
Here is why we are writing about it today specifically, and it is not the harvester's batting average. It is the connection to a warning the FBI put out this week. We published this morning on the FBI's alert about the 2026 World Cup — four-thousand-plus fake FIFA domains, and banking malware hidden inside pirate streaming apps that overlays fake bank logins, intercepts one-time codes, and drives the screen remotely. That banking malware is an Android remote-access trojan. It is the same category of tool as android-shadowspy and the forty-three other Android RATs our harvester already has on file. The pipeline is not mysterious: a developer clones a SpyNote-derived RAT from a public repo, wraps it in a "watch every match free" APK, and seeds it to fans who sideload it because the official stream costs money and kickoff is in four days. We are catching the upstream end of that pipeline — the staging repository — days or weeks before the same code shows up downstream wearing a soccer jersey. That is what left-of-boom means in practice: not predicting the attack in the abstract, but indexing the raw material while it is still raw.
The mechanism behind the Android RATs is worth understanding because it is the same mechanism in the World Cup streaming malware and in a hundred other lures. SpyNote-family RATs abuse Android's accessibility service — the permission designed to help users with disabilities operate their phones — to do everything a user can do: read the screen, draw fake login overlays on top of real banking apps, capture keystrokes, grab the one-time codes arriving by SMS and authenticator, and execute taps remotely. Once a user grants accessibility access to a sideloaded app — and the app will beg, with a convincing reason — the game is over, because that single permission is functionally root over the user experience. The token-grabbers are simpler and aimed at a different prize: they steal Discord and browser session tokens, which is enough to hijack accounts, pivot into servers, and run the next wave of social-engineering from a trusted handle. Neither of these requires a zero-day. They require a victim who installs something, which is why they bloom around events — a World Cup, a game release, a crypto airdrop — when people are primed to download something exciting from outside the app store.
This is one of our signature moves, and we will name it rather than be coy: a daily automated sweep of GitHub for the bait patterns that ready-made malware uses in its repo names and files, with a false-positive filter strong enough that what lands in the index is signal, written out with full metadata so it feeds our scoring and our STIX feed. It is the same instinct as the exploit harvester that caught three cPanel proof-of-concepts overnight in May — watch where the material stages, not where the press release lands. The forty-four Android RATs and twenty-one token-grabbers are not a one-time haul; they are a running tally that grows by a repo or two most days, which is itself the finding: the supply of ready-to-wrap mobile spyware is continuous, and the platform hosting it is one most defenders implicitly trust.
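The harvester described above and in the opening paragraph (a daily sweep, a word-boundary bait regex over repo names and descriptions, a false-positive filter, full metadata written out for the STIX feed) can be illustrated with a small classifier. This is an added example, not the harvester's own code or the vendor's feed format; the family patterns, the research-word filter, the `our-lab` internal-owner exclusion, the owner names and the sample repository records are all constructed here, and the STIX objects are a minimal subset of the Indicator type rather than a full feed entry.

```python
import re
import uuid
from datetime import datetime, timezone

# Bait patterns keyed by the family tag they map to. They run over the normalised
# concatenation of repo name, description and topics. The \b anchors are what keep
# "rating" and "ratatouille" from matching "rat".
BAIT_PATTERNS = [
    ("android-rat", re.compile(r"\bspynote\b|\bandroid\b.*\brat\b|\brat\b.*\bandroid\b")),
    ("discord-grabber", re.compile(r"\bdiscord\b.*\b(?:grabber|stealer)\b")),
    ("xworm", re.compile(r"\bxworm\b")),
]

# False-positive filter: words that mark a repo as research or detection content
# (YARA rules, write-ups, analysis notes) rather than a staged tool.
RESEARCH_RE = re.compile(
    r"\b(?:yara|sigma|detection|detect|analysis|analy[sz]e|writeup|write up|decompil\w*|unpack\w*)\b"
)

# Owners whose hits are our own gap-queue probing, not third-party staging (hypothetical name).
INTERNAL_OWNERS = {"our-lab"}


def normalise(repo: dict) -> str:
    """Lower-case the searchable text and turn separators into spaces so
    SpyNote-RAT-ANDROID and spynote_rat_android look the same to the regexes."""
    name = repo.get("full_name", "").split("/")[-1]
    text = " ".join([name, repo.get("description") or "", " ".join(repo.get("topics", []))])
    return re.sub(r"[\s\-_./]+", " ", text).lower()


def classify(repo: dict):
    """Return the family tag for a repo, or None if it is noise, research, or ours."""
    owner = repo["full_name"].split("/")[0]
    if owner in INTERNAL_OWNERS:
        return None
    text = normalise(repo)
    for tag, pattern in BAIT_PATTERNS:
        if pattern.search(text):
            return None if RESEARCH_RE.search(text) else tag
    return None


def to_indicator(repo: dict, tag: str) -> dict:
    """Emit a minimal STIX 2.1 Indicator for the repository URL (constructed subset)."""
    url = f"https://github.com/{repo['full_name']}"
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        # uuid5 over the URL keeps the id stable across daily runs.
        "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, url)}",
        "created": now,
        "modified": now,
        "name": f"{tag} staging repo: {repo['full_name']}",
        "pattern_type": "stix",
        "pattern": f"[url:value = '{url}']",
        "valid_from": now,
        "labels": [tag, "staging-repo"],
        "x_source": "github-hunt",  # custom property; prefix is a constructed choice
    }


def harvest(repos) -> list:
    """Run the classifier over a batch of repo records and keep only the signal."""
    return [to_indicator(r, tag) for r in repos if (tag := classify(r))]


# Constructed sample of what a search-API page might contain: three staged tools,
# one research repo, one benign near-miss, and one of our own probes.
SAMPLE_REPOS = [
    {"full_name": "example-owner/android-shadowspy",
     "description": "Android RAT with screen control and remote taps", "topics": ["android-rat"]},
    {"full_name": "example-owner2/SpyNote-RAT-ANDROID", "description": None, "topics": []},
    {"full_name": "example-owner3/Discord-Mobile-Grabber",
     "description": "grab discord tokens from mobile", "topics": []},
    {"full_name": "research-lab/spynote-yara-rules",
     "description": "YARA rules and detection notes for SpyNote samples", "topics": ["malware-analysis"]},
    {"full_name": "example-owner5/android-rating-widget",
     "description": "Star rating bar for Android apps", "topics": ["android"]},
    {"full_name": "our-lab/discord-grabber-probe",
     "description": "gap-queue lookalike probe (internal)", "topics": []},
]

if __name__ == "__main__":
    for ind in harvest(SAMPLE_REPOS):
        print(ind["labels"][0], ind["pattern"])
```

Run as-is it prints three indicators: the two Android RATs and the Discord grabber. The YARA repo is dropped by the research filter, the rating widget never matches because `\brat\b` needs a word boundary, and the internal probe is excluded by owner before any regex runs, which is the "we do not count it" step from the honesty paragraph. In a real cron the list would come from the search API and the indicators would be bundled into the feed.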
The protective read, for the World Cup specifically and for mobile hygiene generally: do not sideload Android apps — the "free stream" APK and the unofficial "tickets" app are the delivery vehicle, and the official app store, for all its faults, is the control that breaks this chain. Treat any app that asks for Accessibility permission with extreme suspicion; a streaming app, a wallpaper app, or a flashlight does not need to read your screen and control your taps, and an app that insists is telling you what it is. Assume SMS one-time codes are interceptable in this threat model, and use an app-based authenticator or a hardware key where your bank allows it. For Discord users, the token-grabber wave means a malicious "game mod" or "nitro generator" can take your account without your password, so the same no-sideload, no-sketchy-download rule applies. And for defenders running mobile fleets: our github-hunt indicators feed the free STIX feed, and the staging repos are in the index now, before the wrapped APKs land on your users' phones.
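The accessibility-service mechanism described two paragraphs up, and the fleet-side advice here about apps that ask for Accessibility, translate into a manifest triage check: an app that declares an accessibility service and also asks for overlay, SMS or package-install permissions has the exact shape of the overlay-and-OTP-theft pattern. The following is an added example, not anything from the post or from a real detection product; it assumes the AndroidManifest.xml has already been decoded from the APK's binary XML to text (tools such as apktool do that), and the two manifests below are constructed for illustration, as is the `com.example.freestream` package name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr: str) -> str:
    """Qualify an attribute name with the android: namespace for ElementTree."""
    return f"{{{ANDROID_NS}}}{attr}"


# An accessibility service is declared by a <service> whose intent-filter carries this
# action and which is protected by BIND_ACCESSIBILITY_SERVICE.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions that, next to an accessibility service, reproduce the RAT pattern the
# post describes: overlays over banking apps, interception of SMS codes, dropping payloads.
RISKY_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.RECEIVE_SMS": "sms-otp",
    "android.permission.READ_SMS": "sms-otp",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",
}


def triage(manifest_xml: str) -> dict:
    """Flag manifests that pair an accessibility service with overlay/SMS/install rights."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(a("name")) for el in root.iter("uses-permission")}
    accessibility_services = []
    for svc in root.iter("service"):
        actions = {act.get(a("name")) for act in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions or svc.get(a("permission")) == BIND_ACCESSIBILITY:
            accessibility_services.append(svc.get(a("name")))
    findings = sorted({RISKY_PERMS[p] for p in perms if p in RISKY_PERMS})
    return {
        "package": root.get("package", ""),
        "accessibility_services": accessibility_services,
        "findings": findings,
        # Accessibility on its own is a question to ask; accessibility plus any of the
        # risky permissions is the combination that warrants blocking on a managed fleet.
        "high_risk": bool(accessibility_services) and bool(findings),
    }


# Constructed manifest of a "free match stream" app with the RAT permission profile.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freestream">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Free Match Stream">
        <service android:name=".StreamHelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed manifest of a streaming app that asks only for what streaming needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainstream">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Plain Stream">
        <service android:name=".PlaybackService"/>
    </application>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage(m))
```

The check is triage, not proof: a manifest declares what an app may request, and the user still has to grant Accessibility and overlay rights at runtime, which is exactly the moment the post says the app "will beg, with a convincing reason". On a managed fleet the useful signal is the combination, and the useful control is to stop the sideload before that prompt ever appears.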
The honest 95%: a repository named like a RAT is proof of staging, not proof of victims — some of these are research, some are abandoned, some are skids posturing, and we tag what the bait pattern catches, not a confirmed campaign behind each one. We also separate the real catches from the noise on our own side: a chunk of what the daily sweep surfaces is our gap-queue probing brand-name lookalikes, which is internal research and not malware, and we do not count it in the forty-four-and-twenty-one. GitHub takes many of these down once reported, so any single repo name may be dead by the time you read this, which is the point of indexing the pattern rather than betting on the URL. What we can tell you is that the supply is daily, the category is the same one the FBI just flagged for the World Cup, and our harvester caught this morning's entry at 08:15 UTC while the rest of the internet was still asleep. The material is public. The net is automated. The jersey comes later.
