An increasing amount of the mobile malware known as Android/Trojan.AndroRAT has been seen in the wild lately. AndroRAT is a contraction of Android and RAT (Remote Access Tool). This piece of malware is far from new, but it has gradually evolved over the years.
AndroRAT History
As the story goes (according to its GitHub page), the original AndroRAT was created as a proof of concept by a small team of developers for a university project in 2012. It has two parts: the AndroRAT server, which runs on a PC to control infected mobile devices, and the AndroRAT client, which is installed on a mobile device.
With a little Android development knowledge, the AndroRAT proof of concept could be used as a Trojan by taking an existing legitimate APK, decompiling it, adding the AndroRAT client code to the APK, and recompiling it. Once the infected APK is installed on a mobile device, the device can be controlled from the AndroRAT server, a simple GUI.
Here are just some of the functionalities of AndroRAT:
- Collect contacts
- Collect call logs
- Collect all messages including SMS
- Record calls
- Location through GPS
- Take a picture from the camera
- Send an SMS message
- Make outgoing calls
- Open a URL in the default browser
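The capabilities above all depend on Android framework APIs, and even after repackaging and obfuscation the descriptors of those framework classes remain in an APK's DEX string table. As an added example (not code from the post or from AndroRAT), here is a small DEX string-table scanner that reports which of the listed capabilities an app's code references; the framework identifiers it looks for are this example's own assumptions, not indicators taken from any sample.

```python
import struct
import zipfile

# Framework identifiers that client code for the listed capabilities has to reference
# (assumed by this example, not strings taken from any AndroRAT sample)
RAT_INDICATORS = {
    "contacts": b"Landroid/provider/ContactsContract",
    "call_logs": b"Landroid/provider/CallLog$Calls;",
    "sms": b"Landroid/telephony/SmsManager;",
    "record_audio": b"Landroid/media/MediaRecorder;",
    "gps": b"Landroid/location/LocationManager;",
    "camera": b"Landroid/hardware/Camera;",
    "outgoing_calls": b"android.intent.action.CALL",
}

def dex_strings(dex):
    """Yield the raw MUTF-8 bytes of every entry in a DEX file's string table."""
    if dex[:4] != b"dex\n": raise ValueError("not a DEX file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size, string_ids_off
    for i in range(count):
        (p,) = struct.unpack_from("<I", dex, ids_off + 4 * i)  # string_data_off
        while dex[p] & 0x80: p += 1   # skip the ULEB128 utf16_size prefix
        p += 1
        yield dex[p:dex.index(b"\x00", p)]  # MUTF-8 data is NUL-terminated

def rat_capabilities(dex):
    """Return the capability names whose indicator appears in the DEX string table."""
    table = list(dex_strings(dex))
    return {cap for cap, needle in RAT_INDICATORS.items() if any(needle in s for s in table)}

def scan_apk(path):
    """Union of referenced capabilities over every classes*.dex in an APK (an APK is a ZIP)."""
    found = set()
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                found |= rat_capabilities(apk.read(name))
    return found

def build_test_dex(strings):
    """Construct a minimal DEX (header plus string table) for offline testing; not a real app."""
    hdr = bytearray(0x70)
    hdr[:8] = b"dex\n035\x00"
    ids_off, data_off = 0x70, 0x70 + 4 * len(strings)
    struct.pack_into("<II", hdr, 0x38, len(strings), ids_off)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s + b"\x00"  # one-byte ULEB128 length (strings under 128 bytes)
    return bytes(hdr) + ids + data
```

Comparing the reported set against the permissions the legitimate app is known to need is what makes this useful for triaging a repackaged APK.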
AndroRAT Binder
Soon after the original AndroRAT was uploaded to GitHub, malware authors took it a step further and created AndroRAT Binder, an APK builder that adds the AndroRAT client code to any APK. AndroRAT Binder made building infected APKs so easy that any script kiddie could use it.
Simply enter the IP address and port the client uses to connect back to the AndroRAT server, provide a legitimate APK (most likely from Google Play) to repackage with AndroRAT, and build. Once built, the infected APK could be put onto third-party markets and/or file-sharing sites for unsuspecting victims to install. Considering we have found around 31k infected APKs that used the default settings of AndroRAT Binder in our Mobile Intelligence System, it seems it caught on like wildfire.
AndroRAT Evolved
The AndroRAT variants we see in the wild today are far from the original open-source code uploaded to GitHub back in 2012. Updated code has improved the functionality, made it more stable, and added obfuscation to hinder detection by malware scanners. Given the recent increase of AndroRAT in the wild, I suspect the distribution method has greatly improved as well. The old AndroRAT Binder made building an infected APK easier, but it still built APKs one at a time. Most likely, new builders have been developed that automate the process even further, such as bulk-building AndroRAT-infected APKs from legitimate apps.
The RAT is Always Lurking
APKs infected with the AndroRAT client run just like the legitimate apps they repackage, but with added malicious functionality in the background. If an app is popular on Google Play, most likely there is an AndroRAT-infected version of it somewhere in the wild. For example, here is some code from an infected Pokémon GO app:
Trapping the RAT
As usual, it's a game of cat and "RAT" between malware developers and malware researchers. They keep releasing new variants of AndroRAT into the wild; we keep detecting them as they emerge. The best way to trap this RAT is to have a good malware scanner installed on your mobile device, and to install apps only from reputable stores such as Google Play. Stay safe out there!
I have downloaded several trojans from Google Play. One was malware mtk in a San Francisco federal credit union app. Another was in the Kaspersky mobile app. The one in Kaspersky was Android/Fobus.x; another was in Orfox. I think it was the SMS.SpyForw trojan, and others. None were found by Malwarebytes. Out of the four A.V.'s I have, my only solution was to uninstall. And none, including you (Malwarebytes), found nor helped remove them. I obviously still have something or things on my phone; there are apps listed on Google Play in my apps section I never downloaded. There are searches I've never searched for on was:l.p..rinpartner.com; the site says it is a pay-per-call site. Then ESET says that some Google Chrome file I never downloaded was safe. I've yet tried to find it, being the whole attempt is futile. I've tried to contact you, Google and the other worthless A.V.'s I have. I have yet to factory reset because, with the problems I'm still having, it seems that too would be futile. While removing site data in Google Chrome, where there were some 257lbs keywordblocks preceded by a 12? character number, when I tried to remove them my whole screen went black and nothing would respond; finally my peer button did. Anyone saying or falsely suggesting Google Play is safe is telling an outright lie; Google Play apparently has a high rate of trojans and other malware. I'll leave it at that because I want to go on more of a rant about Google and the entire extortion-like A.V. industry.
The typos are thanks to my odd-acting, most likely infected, auto-correct. It should say lp.ringpartner.com and power button. Also, the site data in Google Chrome was 257kbs (the amount of data or cookie). 116753127keywordblocks.com. Typing with this thing is annoying; I have to go back and correct every other word, especially on sites like this.
Chris, I had an insanely similar situation occur to me. It's almost like you can't keep up between trying to find the malicious apps and removing them, because by the time you find one they've already moved on to the next one. I can completely relate. Just remember this at the very least: why is it so much harder to defend a network than it is to hack one? Well, that's because when you're doing defense, you have to find all the possible ways they could get in. Every hole, every weak spot, every vulnerability, and then you have to fix it. Whereas they only have to find one way, one vulnerability, one weak spot. That's all it takes. Keep up the good work too, and I found it refreshing in a way to see that someone agrees with me about Google, or rather the Android/Google partnership. My advice: if you don't like malware hunting, get an iOS device. I only recently caved in, but already, just in the settings alone, it's a lot more secure. Best of luck, and Protonmail rocks.