
There's a RAT in my Android

There is no doubt that malware writers are adaptable, as evidenced by the rise of remote access tools (RATs) that target more than one operating system. There is also a trend towards cyber crooks tampering with fully functional, legitimate apps rather than writing malware from scratch.

Lutz Blaeser, MD of Intact Security cites AndroRAT as a perfect example of this. "The code for this tool has been publicly available for months at GitHub, a hosting service for software development projects, as well as at Google Code."

Management of Android mobile devices

He said AndroRAT began as a university project, designed to enable the legitimate and legal management of Android mobile devices. Because of that origin, it could be used for endpoint management or in a bring-your-own-device (BYOD) setting: an administrator could manage the installation of apps, manage contact lists and suchlike.

"AndroRAT is user-friendly and easily adapted to user requirements," he adds. The downside is that malware authors appreciate that same ease of use, and have found ways to turn AndroRAT to their own ends.

One example of this is the recently uncovered 'binder' tool that adds a whole new dimension to the RAT threat.

Blaeser says: "When used together with the AndroRAT APK binder, AndroRAT allows even a fairly inexperienced hacker to automate the process of infecting any legitimate Android application with AndroRAT, essentially 'Trojanising' a legitimate app."

The AndroRAT APK binder essentially adds another entry point to a legitimate app so that, when the device boots, it is the embedded AndroRAT component, not the legitimate app, that starts in the background. From that moment the device is part of a botnet and the attacker has full control over it: they can read contacts, the call list, SMS and MMS messages, locate the device through GPS, and do pretty much anything the user can do.
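The boot-time entry point described above is declared in the app's AndroidManifest.xml, so a first triage step for a suspect APK is to decode the manifest (for example with apktool) and look for the pattern: a receiver registered for the boot broadcast, components whose class names do not belong to the app's own package, and the permission set needed to reach contacts, call log, SMS and location. The script below is an added example written for this article; it is not code from the article, Intact Security, G Data or the AndroRAT project. The two embedded manifests, the package names in them, the permission list and the "three or more spy permissions" threshold are all constructed for illustration and are not taken from any real sample.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for a RAT-style boot hook.

Added example, not code from the article or from any vendor. The sample
manifests and the scoring threshold are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that together cover what the article says the RAT reaches:
# contacts, call list, SMS and GPS location. Hypothetical list, not a vendor rule.
SPY_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
}
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def _a(el, name):
    """Read an android:-namespaced attribute, or "" if absent."""
    return el.get("{%s}%s" % (ANDROID_NS, name), "")


def _qualify(name, package):
    """Expand the shorthand component names a manifest allows (".Foo" or "Foo")."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def triage_manifest(xml_text):
    """Return the indicators found in one decoded manifest and a rough verdict."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {_a(p, "name") for p in root.iter("uses-permission")}

    boot_receivers = []      # receivers that fire on BOOT_COMPLETED
    foreign_components = []  # components declared outside the app's own package
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        name = _qualify(_a(comp, "name"), package)
        if not name.startswith(package + "."):
            foreign_components.append(name)
        if comp.tag == "receiver":
            actions = {_a(a, "name") for a in comp.iter("action")}
            if BOOT_ACTION in actions:
                boot_receivers.append(name)

    spy = sorted(perms & SPY_PERMISSIONS)
    boot_hook = bool(boot_receivers) and BOOT_PERMISSION in perms
    verdict = "suspicious" if boot_hook and len(spy) >= 3 else "no RAT pattern"
    return {
        "package": package,
        "boot_receivers": boot_receivers,
        "foreign_components": foreign_components,
        "spy_permissions": spy,
        "verdict": verdict,
    }


# Constructed sample: a harmless notepad app as it would ship.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notepad">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Notepad">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample: the same app after a binder has grafted in a hypothetical
# RAT client (package org.hypothetical.rat) with a boot-time receiver.
TROJANISED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notepad">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Notepad">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name="org.hypothetical.rat.ClientService"/>
    <receiver android:name="org.hypothetical.rat.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_MANIFEST), ("trojanised", TROJANISED_MANIFEST)):
        print(label, triage_manifest(text))
```

Treat the output as a prompt for a closer look, not a verdict: legitimate apps bundle third-party libraries under foreign package names, and a backup or messaging app may hold every permission on the list, so the useful signal is the combination of a boot hook, out-of-package components and data-access permissions that the app's stated purpose does not explain.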

Newly detected malware files

According to Blaeser, the risk for Android mobile devices is on the rise globally, as clearly illustrated by rising detection numbers and the proliferation of newly detected malware files.

He says G Data recently released a half year report on mobile malware, that revealed that the number of new malware samples rose dramatically in the first half of 2013 with 519 095 new malware files compared to 185 210 in the same half of the previous year. "On average, G Data SecurityLabs uncovered 2 868 new Android malware files daily."

"The binder tool is only one example. The rapid growth of malware for mobiles can be attributed, at least in part, to the availability of malware kits, which enable even inexperienced malware programmers to create functioning, manipulated apps using a type of modular system."

The report also discussed FakeInstallers: fake, paid installers for popular programs that send premium-rate SMS messages when run, at the device owner's expense.

"A wide range of FakeInstallers is available, such as the common Android.Trojan.FakeInstaller9, which has been available for a while. However, although versatile and plentiful, their use is limited, and they are often removed by the phone's owner as they are unnecessary for the app."

He said the report revealed that only a few Android.Backdoor.AndroRAT samples have been detected so far, but that G Data is expecting significant developments in this area. One example he cites is Backdoor Obad.A, a highly sophisticated piece of malware that was first spotted in China this June.

According to the G Data report, the malware exploits three security vulnerabilities for its attacks: a previously unknown vulnerability in the Android operating system, an error in a tool called Dex2Jar and an error in Android's handling of the file AndroidManifest.xml. The latter two aim at making analysis of the malware trickier.

Once a device is infected, the cyber criminal is in full control. Blaeser says Obad.A is particularly devious, as it is extremely difficult to remove once it has been installed, and it conducts its business on the sly, invisible to the user.

"Obad.A's functional scope, sophisticated obfuscation of the code and the quick exploitation of vulnerabilities are all considered characteristics of Windows malware." He says this is a clear sign that the future will bring not only more threats for Android, but threats that are more sophisticated, elaborate and tricky for security professionals to fight.