Android RAT Looks Like Netflix App

Friday, January 27, 2017 @ 04:01 PM gHale


There is a Netflix app going out in Android third-party app stores that is a powerful RAT, researchers said.

The app looks solid, because it uses the same icon as the legitimate Netflix app.

RELATED STORIES
Shamoon 2 Active in Middle East
Blackhat: Recovering from Shamoon
Shamoon Hits Saudi Aviation Unit
SF Metro Victim of Ransomware

But once it ends up installed on a smartphone or tablet and the victim clicks on it, it vanishes from the home screen, making most users think the app ended up removed because of a glitch, said researchers at Zscaler.

While the user may think it is not there anymore, in fact, it still is.

It turns out the app is a Remote Access Trojan (RAT), based on the SpyNote Android RAT builder distributed on underground hacker forums.

Zscaler researchers said RATs are running amok as there are quite a few of them out there based on the same builder, and they remain hidden in apps posing as popular legitimate apps like WhatsApp, YouTube Video Downloader, Google Update, Hack Wifi, AirDroid, SkyTV, Pokemon GO among others.

“We found that in just the first two weeks of 2017, there have been more than 120 such spyware variants already built using the same SpyNote Trojan builder as SpyNote RAT and roaming in the wild,” Zscaler’s Shivang Desai said in a post.

“The days when one needed in-depth coding knowledge to develop malware are long gone. Nowadays, script kiddies can build a piece of malware that can create real havoc,” he said. “Moreover, there are many toolkits like the SpyNote Trojan builder that enable users to build malware with ease and few clicks.”

In the faux Netflix app, which is a variant of SpyNote RAT, the malware is capable of:
• Activating the device’s microphone and listening to live conversations
• Executing commands on the device
• Copying files from the device to a Command & Control (C&C) center
• Recording screen captures
• Viewing contacts
• Reading SMS messages



Leave a Reply

You must be logged in to post a comment.