A real-world incident analysis — March 2026
My son is very much into Roblox. It's a game with a big focus on rewards, endless grinds, and therefore screen time. It's a mixed-age gaming platform that obviously also attracts bad guys. My son, tired of the grinding, wanted to bypass some of it and get some cheat codes. He found a free tool that promises to unlock features in a game. Within minutes of downloading the tool, his phone sent hundreds of SMS messages, resulting in the provider (luckily!) blocking his SIM card.
How It Started
It started with downloading a Roblox executor — a third-party tool used to run unauthorised scripts inside Roblox. These are never on the Google Play Store. You have to find them on sites like delta-executor, deltaaxecutor, or deltaexploits, enable "Install from unknown sources" in Android settings, and sideload the APK yourself.
This was obviously the first mistake. Disabling that protection means disabling the primary barrier Android uses to prevent exactly what happened next.
The First Hour
Within the infection window, the phone did the following without any user interaction:
Downloaded secondary payloads. The executor APK was a dropper. It reached out to d.marraheltin.com and cassiuscabal.com — malware staging servers — and pulled down additional applications including "MegaPlay" and "Swing Robber", neither of which are legitimate apps.
Registered as a Tailscale node. The malware opened the browser, navigated to login.tailscale.com, and completed a Google SSO flow using the device's existing authenticated Google session — the user was already signed into Google in the browser, so the consent happened silently or with minimal interaction. The device was enrolled into a Tailscale network — almost certainly the attacker's. Tailscale is a legitimate VPN mesh product. Attackers abuse it because it creates an encrypted tunnel that bypasses most firewalls and looks like normal traffic. The phone was now remotely accessible as long as it had internet.
Exfiltrated data to a C2 server. The browser history showed calls to defensebarefoot.com/api/users?[token] — a structured API endpoint that received device data. What exactly was sent we cannot confirm without server-side logs, but standard data collection for this malware type includes: contact list, SMS history, device identifiers (IMEI, phone number), installed app list, and stored credentials.
Attempted credential harvesting. The device visited bjtn133ckanrgje08skeu.mymobiles.info — a page titled "Verificatie" (verification), a known phishing infrastructure domain. In this case the user did not interact with the page, so no credentials were entered.
Launched an SMS spam campaign. Approximately 380 SMS messages were sent in under a minute — 19 recipients per message, around 20 batches. The destination numbers spanned the Middle East, Russia, Malaysia (+60), the US/Canada (+1), and the UK (+44). Crucially, these were not the phone owner's contacts — this was the attacker's own target list, fed to the phone as a payload. The phone was operating as a node in a commercial SMS spam botnet. This is an important distinction from malware families like Flubot that spread by spamming the victim's own contacts: this malware was being used purely as a paid SMS delivery mechanism.
The carrier detected the anomalous SMS traffic and blocked the SIM. A notification arrived approximately 14 hours later.
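The rate-based anomaly the carrier reacted to can also be checked on the device side. The following Python is an added example, not part of the original write-up: it runs a sliding-window send-rate check and an unknown-recipient check over a constructed SMS log shaped like this campaign; the timestamps, numbers and the "+971" code are invented sample values.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample log, not the device's real one: two normal messages to
# stored contacts earlier in the evening, then 60 messages in 40 seconds to
# numbers the owner never stored, spread over the country codes seen here.
CONTACTS = {"+31612345678", "+31687654321"}
PREFIXES = ["+60", "+1", "+44", "+7", "+971"]
SMS_LOG = [("2026-03-09T18:02:11", "+31612345678"),
           ("2026-03-09T19:40:52", "+31687654321")]
_base = datetime.fromisoformat("2026-03-09T22:14:00")
for _i in range(60):
    _ts = (_base + timedelta(seconds=_i * 40 // 60)).isoformat(timespec="seconds")
    SMS_LOG.append((_ts, f"{PREFIXES[_i % len(PREFIXES)]}{5550000000 + _i}"))

def country_code(number):
    # Longest prefix first so "+971" is not mistaken for a shorter code.
    for p in sorted(PREFIXES, key=len, reverse=True):
        if number.startswith(p):
            return p
    return "other"

def analyse_sms(log, contacts, window_s=60, burst_threshold=30):
    """Sliding-window send-rate check plus an unknown-recipient ratio.

    A burst is flagged when more than burst_threshold messages leave the
    device inside any window_s-second window; a high share of recipients
    absent from the contact list is the bot-with-its-own-target-list tell."""
    events = sorted((datetime.fromisoformat(ts), dst) for ts, dst in log)
    window = deque()
    peak, peak_start = 0, None
    for ts, _ in events:
        window.append(ts)
        while ts - window[0] > timedelta(seconds=window_s):
            window.popleft()
        if len(window) > peak:
            peak, peak_start = len(window), window[0]
    unknown = [dst for _, dst in events if dst not in contacts]
    return {
        "total": len(events),
        "peak_per_window": peak,
        "burst_start": peak_start.isoformat(timespec="seconds") if peak_start else None,
        "burst": peak > burst_threshold,
        "unknown_recipient_ratio": round(len(unknown) / max(len(events), 1), 2),
        "countries": dict(Counter(country_code(d) for d in unknown)),
    }

if __name__ == "__main__":
    print(analyse_sms(SMS_LOG, CONTACTS))
```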
The Investigation
Before wiping, we documented the browser history and identified the following infrastructure:
| Domain | Role |
|---|---|
| delta-executor.com / deltaaxecutor.com / deltaexploits.gg | Initial infection vector |
| d.marraheltin.com / cassiuscabal.com | Malware staging / payload delivery |
| defensebarefoot.com | C2 server / data exfiltration |
| bs.cateryallodia.click | SMS campaign tracking callbacks |
| bjtn133ckanrgje08skeu.mymobiles.info | Credential phishing (not interacted with) |
| login.tailscale.com | RAT C2 via Tailscale tunnel |
| kitelectronico.com | Push notification fraud |
| nocturnalaverage.com / monolexi.com / gloopup.net | Redirect / ad fraud chain |
Additional domains identified during analysis are not listed above.
The Tailscale authentication was attempted multiple times — visible in the browser history as repeated visits to login.tailscale.com alternating with accounts.google.com Google sign-in pages. The malware was persistent about establishing its remote access channel.
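A small triage script makes that history review repeatable. This Python is an added example, not from the original write-up: it labels each entry with the role from the table above, redacts secret-looking query values such as the API token, and counts the login.tailscale.com to accounts.google.com round trips; the history lines, times and token value are constructed placeholders.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed history excerpt (time, URL) in the shape described above; the
# token value is a placeholder, not anything taken from the device.
HISTORY = [
    ("22:11:05", "https://login.tailscale.com/"),
    ("22:11:09", "https://accounts.google.com/o/oauth2/auth?client_id=example"),
    ("22:11:20", "https://login.tailscale.com/"),
    ("22:11:24", "https://accounts.google.com/signin/oauth"),
    ("22:11:41", "https://login.tailscale.com/"),
    ("22:12:02", "https://defensebarefoot.com/api/users?token=PLACEHOLDER"),
    ("22:12:30", "https://bjtn133ckanrgje08skeu.mymobiles.info/"),
]
# Roles from the infrastructure table, keyed by the domain or its parent.
ROLES = {
    "login.tailscale.com": "RAT C2 via Tailscale tunnel",
    "accounts.google.com": "Google SSO (legitimate, used for enrolment)",
    "defensebarefoot.com": "C2 server / data exfiltration",
    "mymobiles.info": "Credential phishing",
}
SECRET_PARAMS = {"token", "code", "access_token", "id_token", "state"}

def redact(url):
    """Mask secret-looking query values so a history line can be shared."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()

def role_for(host):
    labels = host.split(".")
    for i in range(len(labels) - 1):          # host, then each parent domain
        if ".".join(labels[i:]) in ROLES:
            return ROLES[".".join(labels[i:])]
    return "unclassified"

def sso_loops(history, target="login.tailscale.com", idp="accounts.google.com"):
    """Count target -> idp -> target round trips: the repeated-enrolment pattern."""
    hosts = [urlsplit(url).hostname for _, url in history]
    return sum(1 for i in range(len(hosts) - 2)
               if (hosts[i], hosts[i + 1], hosts[i + 2]) == (target, idp, target))

def triage(history):
    """One (time, host, role, redacted URL) row per history entry."""
    return [(ts, urlsplit(u).hostname, role_for(urlsplit(u).hostname), redact(u))
            for ts, u in history]
```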
The Google account associated with the device also had an unrecognised "Fandom" OAuth grant that was revoked as a precaution.
We checked the two primary Pi-hole blocklists in use on the network (StevenBlack and Hagezi). 14 out of 16 malicious domains were completely absent from both lists, including all C2 servers and infection vector sites. The phone was on 5G during infection in any case, meaning local network protections were irrelevant — but the gap in blocklist coverage is worth noting for the broader community. All domains have been submitted to the list maintainers.
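To reproduce that coverage check against your own copies of such lists, here is an added Python example (not from the original write-up) that parses both the hosts format and the `||domain^` adblock format, matches parent domains the way a DNS blocker does, and reports which of the incident domains would have been blocked; the list excerpts are constructed samples, not the maintainers' real content.

```python
import re
# Constructed excerpts, not the maintainers' real lists: one in the hosts
# format StevenBlack publishes, one in the ||domain^ adblock format Hagezi
# also publishes. The sample entries were chosen to exercise the matcher.
HOSTS_STYLE = """\
# Title: sample hosts-format list
127.0.0.1 localhost
0.0.0.0 tracker.example.net
0.0.0.0 marraheltin.com   # a parent entry should cover d.marraheltin.com
"""
ADBLOCK_STYLE = """\
! Title: sample adblock-format list
||mymobiles.info^
||cateryallodia.click^$important
@@||tailscale.com^
"""
# The domains from the infrastructure table in this write-up.
INCIDENT_DOMAINS = [
    "delta-executor.com", "deltaaxecutor.com", "deltaexploits.gg",
    "d.marraheltin.com", "cassiuscabal.com", "defensebarefoot.com",
    "bs.cateryallodia.click", "bjtn133ckanrgje08skeu.mymobiles.info",
    "login.tailscale.com", "kitelectronico.com", "nocturnalaverage.com",
    "monolexi.com", "gloopup.net",
]
HOSTS_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1)\s+([a-z0-9.-]+)")
ABP_RE = re.compile(r"^\|\|([a-z0-9.-]+)\^")

def parse_blocklist(text):
    """Return the set of domains a list blocks; comments and @@ exceptions are ignored."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line or line.startswith(("!", "@@")):
            continue
        m = HOSTS_RE.match(line) or ABP_RE.match(line)
        if m and m.group(1) != "localhost":
            blocked.add(m.group(1))
    return blocked

def is_covered(domain, blocked):
    """True if the domain or any parent domain is listed. Matching is on whole
    labels, as a DNS blocker does, so 'ample.com' does not cover example.com."""
    labels = domain.lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))

def coverage_report(domains, *lists):
    blocked = set().union(*(parse_blocklist(t) for t in lists))
    covered = sorted(d for d in domains if is_covered(d, blocked))
    return {"covered": covered, "missing": sorted(set(domains) - set(covered))}
```

Run `coverage_report(INCIDENT_DOMAINS, HOSTS_STYLE, ADBLOCK_STYLE)` with your own downloaded list text in place of the samples to see the same gap the write-up describes.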
What Was Compromised
Confirmed:
- Google account (OAuth tokens actively used)
- SMS sending capability (used for botnet operations)
- Device registered in attacker's Tailscale network (remote access established)
High confidence:
- Contact list exfiltrated to C2
- Device identifiers and installed app inventory sent to attacker
Ruled out:
- Credentials entered on phishing page (user did not interact)
- Banking app access (banking app was installed but not opened during infection window)
The Response
- Phone placed in airplane mode immediately upon discovery
- Google account password changed from a clean device
- All Google sessions revoked
- Tailscale and Fandom OAuth grants revoked
- Browser history documented via photography (4 screenshots preserved)
- Domains submitted to VirusTotal, URLhaus, Google Safe Browsing, and blocklist maintainers
- Incident reported to carrier, police (aangifte), and NCSC
- Forensic analysis via ADB (manual extraction) and MVT (IOC cross-reference, Android module) performed before factory reset — note: MVT's Android capabilities are limited compared to its iOS support; full findings pending
- Factory reset — no backup restored
Lessons
For anyone using Android:
- Sideloading APKs bypasses every protection Google has built into Android. The Play Store's gatekeeping exists for this reason.
- "Free" tools that unlock paid features are a near-universal infection vector. The economics are straightforward — someone built the delivery mechanism, someone paid for it.
- If your carrier blocks your SIM for suspicious activity, don't just get it unblocked. Treat it as a confirmed incident and investigate.
- Being on mobile data (4G/5G) means your home network protections — Pi-hole, DNS filtering, firewall rules — provide zero protection. Mobile threat management requires a different approach.
- Before wiping an infected device, document the browser history. It tells you exactly what happened.
Technically:
- The Tailscale C2 technique is increasingly common in commodity Android RATs. Because Tailscale traffic looks legitimate and the domain is trusted, it evades most network-level detection.
- The SMS bot behaviour — sending to attacker-controlled number lists rather than the victim's contacts — suggests this malware is monetised through SMS fraud rather than propagation. Someone is paying per message delivered.
- The multi-stage dropper approach (executor → staging server → secondary payloads) means the initial APK may appear clean to automated scanners. VirusTotal showed only 1/95 engines flagging the distribution domains at time of investigation.
- The malware family has not been definitively identified. Analysis has been sent to VirusTotal.
All domains identified in this incident have been reported to the relevant authorities and abuse registrars.
Incident date: 9–10 March 2026. Device: Poco F3, Xiaomi HyperOS v10.