Mobile Menace Monday: AndroRAT Evolved

Posted: January 23, 2017 by Nathan Collier
Last updated: January 24, 2017

An increasing amount of mobile malware known as Android/Trojan.AndroRAT has been seen in the wild lately. AndroRAT is a contraction of Android and RAT (Remote Access Tool). This piece of malware is far from new, but has gradually become more evolved over the years.

AndroRAT History

As the story goes (according to its GitHub page), the original AndroRAT was created as a proof of concept by a small team of developers for a University project in 2012. It has two parts: the AndroRAT server which runs on a PC to control infected mobile devices, and the AndroRAT client which is installed onto a mobile device.

With a little Android development knowledge, the AndroRAT proof of concept could be used as a Trojan by taking an existing legitimate APK, decompiling it, adding the AndroRAT client code into the APK, and recompiling the APK. After installing the infected APK onto a mobile device, it can be controlled via the AndrodRAT server which is a simple GUI interface.

Here are just some of the functionalities of AndroRAT:

Collect contacts
Collect call logs
Collect all messages including SMS
Record calls
Location through GPS
Take a picture from the camera
Send a SMS message
Make outgoing calls
Open an URL in the default browser

AndroRAT Binder

Soon after the original AndroRAT was uploaded to GitHub, the malware authors took it a step further and created AndroRAT Binder; an APK builder that adds the AndroRAT client code to any APK. AndroRAT Binder made building infected APKs so easy, that any script kiddie could use it.

Simply add the IP and port used to connect the AndroidRAT server to the client, provide a legitimate APK (most likely from Google PLAY) to repackage with AndroRAT, and build. Once built, the infected APK could be put onto third party markets and/or file sharing sites for unsuspecting victims to install. Considering we have found around 31k infected APKs that used the default settings of the AndroRAT Binder in our Mobile Intelligence System, it seems it caught on like wild fire.

AndroRAT Evolved

The AndroRAT variants we see in the wild today are far from the original open source code uploaded to GitHub back in 2012. Updated coding has improved the functionality, made it more stable, and added obfuscation to deter against detection by malware scanners. With the recent increase of AndroRAT in the wild, I predict the distribution method has greatly improved as well. The old AndroRAT Binder made building an infected APK easier, but still only built APKs one at a time. Most likely new builders have been developed that are capable of automating the process even further; such as bulk building AndroRAT infected APKs using legitimate apps.

The RAT is Always Lurking

AndroRAT client infected APKs run just like the apps they steal, but with added malicious functionality in the background. If an app is popular on Google PLAY, most likely there is an AndroRAT infected version of it somewhere in the wild. For example, here’s some code of an infected Pokémon GO app:

Trapping the RAT

As usual, it’s a cat and “RAT” game between malware developers and malware researchers. They keep putting new variants of AndroRAT out in the wild, we keep detecting them as they emerge. The best way to trap this RAT is to have a good malware scanner installed on your mobile device, and to install apps from reputable stores such as Google PLAY. Stay safe out there!

COMMENTS

Christopher Courtney

I have downloaded several trojans from googleplay one was malware mtk in a San Francisco federal credit union app.Another was in Kaspersky mobile app.The one in Kaspersky was andriod/fobus.x another was in orfox.I think it was SMS.SpyForw Trojan.and others none were found by malwarebytes.out of the four a.v”s I have my only solution was to uninstall.And none including you(malwarbytes) found nor helped removed them.I obviously still have something or things on my phone there are apps listed on google play in my apps section I never downloaded .There are searches I’ve never searched for on was:l.p..rinpartner.com the site says it is a pay per call site.Then eset says that some googlechrome file I never downloaded was safe .I’ve yet tried to find being the whole attempt is futile.I’ve tried to contact you Google and the other worthless a.v’s I have.I have yet to factory reset because of the problems im still having seem that too would be futile.While removing site data in Google chrome where there were some 257lbs keywordblocks preceeded by a 12? Character number when I tried to remove my whole screen goes black and nothing would respond finally my peer button did.Any saying or false suggesting google play is safe is an outright lie goggle play apperently has a high rate of trojan and other malware.I’ll leave it at that because I want to go on more of a rant about google and the entire extortion like a.v industry.
Christopher Courtney

The typos are thanks to my odd acting ,most likely infected auto correct.It should say lp.ringpartner.com.and power button.Also the site data in Google chrome was 257kbs(the amount of data or cookie).116753127keywordblocks.com typing with this thing is annoying. I have to go back and correct every other word.especially on sites like this.
Dj

^^
Dj

Chris I had an insanely similar situation occur to me. It’s almost like you can’t keep up between trying to find the malicious apps and remove them because by the time you find it they’ve already moved onto the next one. I can completely relate. Just remember this at the very least. Why is it that it’s so much harder to defend a network then it is to hack one. Well, that’s because when your doing defense, you have to find all the possible ways they could get in. Every hole, every weak spot, every vulnerability, and then you have to fix it. Where as they only have to find one way, one vulnerability, one weak spot. That’s all it takes. Keep up the good work too and I found it to be refreshing in a way to see that someone agrees with me about Google or rather the android/Google partnership. My advise. If you don’t like malware hunting get an iOS devise. I just only recently caved in but already just in the settings alone it’s a lot more secure. Best of luck and Protonmail rocks.
Christopher Courtney

I don’t know what that is supposed to mean.So, what were you meaning exactly?

RELATED ARTICLES

Cybercrime | Malware

Intentional PE Corruption

April 30, 2012 - Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year. If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware...

CONTINUE READING 14 Comments

Cybercrime | Malware

The Cat-and-Mouse Game: The Story of Malwarebytes Chameleon

April 24, 2012 - The fight against malware is a cat-and-mouse game. It is constant and constantly escalating. They make a move, you counter it, they counter your counter, lather, rinse, repeat. What’s more: malware almost always has the advantage. Our software Malwarebytes Anti-Malware earned a reputation for having a high success rate in combating new in-the-wild malware infections:...

CONTINUE READING 7 Comments

Cybercrime | Hacking

Cybercrime at $12.5 Billion: The Great Underreported Threat

May 7, 2012 - From the outside looking in, it may appear that the press regularly reports stories when a company’s website, database or intellectual property has been hacked, stolen or compromised. The more eye-opening fact of the matter is that the scale and scope of the cybercrime problem is much, much larger and the actual incidences of these...

CONTINUE READING 2 Comments

Cybercrime | Hacking

DDOS, Botnets and Worms…Oh My!

May 14, 2012 - The recent attack on the Serious Organized Crime Agency (SOCA), most likely in response to the 36 data selling sites shut down a few weeks ago, lead to the admission by high ranking SOCA officials that the Ministry of Defense networks need to “beef up their security.” In response to this we would like to...

CONTINUE READING 1 Comment

Cybercrime | Exploits

“The Sky is Falling… Are You at Risk from the Flame Malware?”

June 1, 2012 - The last time I checked with Google News this morning there were over 19,100,000 results for “flame malware”. You may have heard many stories this week about this complex trojan. Here are links to three of my current personal favorite articles on “Flame”. Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game – (Fox News)...

CONTINUE READING 3 Comments

ABOUT THE AUTHOR

Nathan Collier
Senior Malware Intelligence Analyst

Full time mobile malware researcher, part time endurance mountain bike athlete and world traveler. As nerdy about biking as he is about mobile malware.

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

SEARCH LABS

TOP POSTS