‘Darkshades’ is a RAT (Remote Access Trojan) that targets Android devices. It enables criminals to steal contacts, track location accurately, exfiltrate live SMS/MMS, grab card credentials, capture screenshots, encrypt files and initiate DDoS attacks. Unlike other RAT families, which are spread through Google Play apps or third-party tools, this family does not have a stable infection strategy. Consequently, despite its extensive functionality, Darkshades has kept a low profile: on Twitter it has been mentioned twice since 2017, and by the end of 2019 only two samples had been identified in the wild. Despite this, Avira found a sample in March 2020. In this blog, Bogdan Anghelache, threat researcher of the Android Detection Team at Avira, takes a deep dive into recent Darkshades samples and analyzes how they infect Android devices.