Mobile RAT Malware on the Scene
Tuesday, September 5, 2017 @ 04:09 PM gHale
A mobile remote access Trojan (RAT) has an expanded capability to gather a large assortment of data.
The RAT, which Lookout security researchers are calling xRAT, emanated from the Xsser/mRAT malware.
The RAT uses a code structure almost identical to that of the mRAT family of malware, said Lookout researcher Michael Flossman in a blog post. It also uses the same decryption key and practical and simple naming conventions that suggest the same actor has developed both of them, he said.
https://blog.lookout.com/xrat-mobile-threat
The command and control (C&C) servers for the new mobile threat are also linked to Windows malware, suggesting that an experienced crime group is operating it.
The xRAT mobile Trojan appears to specifically target political groups and includes capabilities ranging from reconnaissance and information gathering, to detection evasion, antivirus checks, and app and file deletion functionality, Flossman said.
The malware also gathers data from communications apps like QQ and WeChat and allows its operators to remotely control much of its functionality in real time.
On Android devices, the malware can exfiltrate browser history, device metadata, text messages, contacts, call logs, QQ and WeChat data, Wi-Fi access point information, email database and username/passwords, geolocation, list of installed apps, and SIM card information.
It can also provide the remote attacker with a shell, download or delete attacker-specified files, enable airplane mode, list all files and directories on external storage or the contents of specified directories, retrieve files of an attacker-specified type, search external storage, upload files to the C&C server, make phone calls, record audio, execute commands as the root user, and download a trojanized version of QQ.
To avoid detection, xRAT includes a function to terminate itself and clean out its installation directory before uninstalling itself.
“xRAT appears to specifically target political groups, but it’s also a good example of how much data can be compromised via a mobile device,” Flossman said in his post.
“Enterprises must be prepared for these types of threats that compromise contacts, messaging app conversations, email, Wi-Fi passwords, SIM card information, audio, and text messages,” he said. “Data compromise via mobile presents a significant risk to company-confidential data, and can risk an enterprise’s compliance standing, potentially resulting in hefty fines.”