An Android trojan that started out as an open-source project has been updated to allow hackers to gain access to virtually all data on infected devices.
Silent installation, shell command execution and the collection of credentials, Wi-Fi passwords and screenshots are just some of the capabilities of AndroRAT, which exploits CVE-2015-1805, a Linux kernel vulnerability that was publicly disclosed in 2016.
While newer Android devices can be patched against attacks exploiting the vulnerability, Google’s lack of support for older devices means many remain vulnerable to attacks designed to gain additional privileges on the phone.
The new variant of AndroRAT is disguised as an app called ‘TrashCleaner’ and researchers at Trend Micro say it’s distributed via a malicious URL — indicating that this threat comes from third-party download sites or phishing attacks.
“There is a good chance the URL could have been delivered through an ‘in-app’ advertisement in another app such as a popular game,” Bharat Mistry, principal security strategist at Trend Micro told ZDNet.
“Spear phishing campaign through email could also be a viable vector, as most people are using their mobile devices for email.”
If downloaded and installed, TrashCleaner will then prompt the Android device to install a Chinese-labelled calculator app with a logo which looks similar to the standard Android calculator.
At the same time, the TrashCleaner icon is removed from the UI of the infected device and the RAT is activated in the background. It appears that the attackers are relying on users not being suspicious of an app they’ve just downloaded installing an additional app and then disappearing.
Once active on a device, AndroRAT is controlled by a remote server, which can perform a wide variety of actions by activating the embedded root exploit to execute privileged operations.
As a result, AndroRAT is able to record audio, take photos, monitor communications, see the GPS location of the device, steal Wi-Fi names connected to the device and more.
The new version of the malware also comes with additional capabilities, allowing attackers to see all applications installed on the device.
It can also steal browser history from pre-installed browsers, record calls, take photos with the front-facing camera, upload additional files to the device, capture screenshots, abuse the accessibility service for the purposes of keylogging and execute shell commands.
AndroRAT — which has been active since 2012 — ultimately compromises the entire device, allowing attackers to see and steal practically every piece of information about the user, massively compromising their privacy, while also putting them at risk of further attacks.
Google did issue a patch for CVE-2015-1805 in March 2016, but those using older devices remain vulnerable.