Android RAT can Take Control

Thursday, August 14, 2014 @ 05:08 PM gHale

A Remote Access Trojan (RAT) for Android can integrate malicious functionality in legitimate apps, allowing the attacker to control functions of the device, such as camera, GPS and microphone, researchers said.

The RAT is going out via multiple channels, ranging from websites sharing pirated content to social networks.


The malware authors have slipped the Android version of Unrecom RAT into legitimate apps, said researchers from security provider ESET. This means the threat looks like valid software, preserving some of the original functionality, but it ends up packed with malicious features.

The sample they analyzed, detected as Android/Spy.Krysanec, was found in modified versions of apps for mobile banking (MobileBank, used to access Russian Sberbank accounts), for monitoring data usage (3G Traffic Guard), and of ESET's own ESET Mobile Security.

“Quite often the legitimate functionality is present, but with a malicious aftermarket addition – the very essence of a Trojan horse. And quite often the application purports to be a cracked version of a popular paid application – so the danger is greater on less-than-trustworthy app stores and forums – but this is certainly not an indisputable rule,” said ESET malware researcher Robert Lipovsky in a blog post.

Krysanec is modular in architecture and can execute different plug-ins downloaded from its command and control server, which researchers found hosted on a domain of the No-IP dynamic DNS provider. Its list of capabilities includes taking photos, recording audio with the device’s microphone, locating the device via GPS, retrieving the list of installed apps, and exfiltrating call logs, contacts and text messages sent through SMS or WhatsApp.

Users have heard the advice before, but it still holds: they stay protected by not installing apps from unreliable sources. Lipovsky said apps in official markets are protected against such tampering because each is signed with its developer’s certificate, and the Krysanec-infected copies of the impersonated apps were not signed with valid certificates.
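The developer-certificate check above, as an added example that is not ESET's or the article's own code: a stdlib-only Python triage script that pulls the signer certificate out of an APK's v1 (JAR) signature block (`META-INF/*.RSA|DSA|EC`) and compares its SHA-256 fingerprint with the legitimate developer's pinned fingerprint. A mismatch is a clear sign of a repackaged build; a match still needs full cryptographic verification (for instance `apksigner verify --print-certs`), which this script does not do. The APK, certificate bytes and fingerprint it uses are constructed stand-ins.

```python
import hashlib, io, zipfile

def _tlvs(buf):
    """Yield (tag, value, raw) for each DER element in buf (single-byte tags only)."""
    pos = 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        k = first & 0x7F if first & 0x80 else 0   # long-form length: k extra length bytes
        length = int.from_bytes(buf[pos + 2:pos + 2 + k], "big") if k else first
        start = pos + 2 + k
        yield tag, buf[start:start + length], buf[pos:start + length]
        pos = start + length

def _child(buf, tag):
    """Value of the first element with `tag`; b'' if absent, so malformed input yields no certs."""
    return next((v for t, v, _ in _tlvs(buf) if t == tag), b"")

def signer_certificates(pkcs7):
    """DER certificates carried in a v1 (JAR) signature block, i.e. a PKCS#7 SignedData."""
    signed_data = _child(_child(_child(pkcs7, 0x30), 0xA0), 0x30)  # ContentInfo -> [0] -> SignedData
    return [raw for t, _, raw in _tlvs(_child(signed_data, 0xA0)) if t == 0x30]  # [0] certificates

def signer_fingerprints(apk_bytes):
    """SHA-256 fingerprints of every signer certificate in the APK's META-INF/*.RSA|DSA|EC blocks."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.update(hashlib.sha256(c).hexdigest() for c in signer_certificates(z.read(name)))
    return fps

def is_signed_by(apk_bytes, pinned_sha256):
    """True only if the pinned developer fingerprint is among the APK's signer certificates."""
    return pinned_sha256.lower() in signer_fingerprints(apk_bytes)

def _der(tag, payload):
    """Tiny DER encoder for the constructed sample below (short-form lengths, payload < 128 bytes)."""
    return bytes([tag, len(payload)]) + payload

def build_sample_apk(cert_der):
    """Constructed sample: a zip whose v1 signature block wraps cert_der. Not a real, verifiable APK."""
    signed_data = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, b"") + _der(0xA0, cert_der))
    pkcs7 = _der(0x30, bytes.fromhex("06092a864886f70d010702") + _der(0xA0, signed_data))  # id-signedData OID
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()

DEVELOPER_CERT = _der(0x30, _der(0x04, b"constructed developer cert"))  # stand-in bytes, not real X.509
DEVELOPER_FP = hashlib.sha256(DEVELOPER_CERT).hexdigest()               # the fingerprint you would pin
```

On a real device the APK to check can be pulled with `adb pull` from the path that `adb shell pm path <package>` reports; the same `is_signed_by` call then applies.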
