AndroRAT: New Android malware strain can hijack older phones

Haythem Elmir

An Android trojan that started out as an open-source project has been updated to allow hackers to gain access to virtually all data on infected devices.

Silent installation, shell command execution and the collection of credentials, Wi-Fi passwords and screenshots are just some of the capabilities of AndroRAT, which exploits CVE-2015-1805, a Linux kernel vulnerability that was publicly disclosed in 2016.

While newer Android devices can be patched against attacks exploiting the vulnerability, Google’s lack of support for older devices means many remain vulnerable to attacks designed to gain additional privileges on the phone.

The new variant of AndroRAT is disguised as an app called ‘TrashCleaner’ and researchers at Trend Micro say it’s distributed via a malicious URL — indicating that this threat comes from third-party download sites or phishing attacks.

« There is a good chance the URL could have been delivered through an ‘in-app’ advertisement in another app such as a popular game, » Bharat Mistry, principal security strategist at Trend Micro told ZDNet.

« Spear phishing campaign through email could also be a viable vector, as most people are using their mobile devices email. »

If downloaded and installed, TrashCleaner will then prompt the Android device to install a Chinese-labelled calculator app with a logo which looks similar to the standard Android calculator.

At the same time, the TrashCleaner icon is removed from the UI of the infected device and the RAT is activated in the background. It appears that the attackers are relying on users not being suspicious of an app they’ve just downloaded installing an additional app then disappearing.

Once active on a device, AndroRAT is controlled by a remote server, which can perform a wide variety of different actions by activating the embedded root exploit to execute privileged actions.

As a result, AndroRAT is able to record audio, take photos, monitor communications, see the GPS location of the device, steal Wi-Fi names connected to the device and more.

The new version of the malware also comes with additional capabilities, allowing attackers to see all applications installed on the device.

It can also steal browser history from pre-installed browsers, record calls, take photos with the front-facing camera, upload additional files to the device, capture screenshots, abuse accessibility service for the purposes of keylogging and execute shell commands.

AndroRAT — which has been active since 2012 — ultimately compromises the entire device, allowing attackers to see and steal practically every piece of information about the user, massively compromising their privacy, while also putting them at risk of further attacks.

Google did issue a patch for CVE-2015-1805 in March 2016, but those using older devices remain vulnerable.
to read the original article


Laisser un commentaire

Next Post

Hacker Detection Firm Vectra Networks Raises $36 Million

Vectra Networks, a cybersecurity firm that helps customers detect “in-progress” cyberattacks, today announced that it has closed a $36 million Series D funding round, bringing the total amount raised to date by the company to $123 million. The company said the investment would be used to expand sales and marketing, […]