EST Security recently published a post about fake antivirus malware on the Android mobile platform. According to reports in the Korean media, some observers believe this malware may be linked to Group 123. In an in-depth study of that association, Talos examined the EST Security report together with the historical background of Group 123 and identified two variants of an Android Remote Administration Tool (RAT), KevDroid, along with a Windows RAT, PubNubRAT. Both KevDroid variants have the same capabilities: stealing information from the infected device (such as contacts, text messages and call history) and recording the victim's phone calls. In both variants, the collected data is sent to a single command and control (C2) server using HTTP POST.
One of the KevDroid variants exploits a known Android vulnerability (CVE-2015-3636, a use-after-free in the Linux kernel's ping socket code that was patched in 2015) to gain root access on the compromised device, so the privilege escalation only succeeds on devices that never received that fix. PubNubRAT, which targets Windows, was found hosted on the same C2 server used by KevDroid. This malware uses the PubNub platform as its C2 channel: PubNub is a global Data Stream Network (DSN), and the attackers use the PubNub API to deliver commands to the compromised system.
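A fake antivirus app that collects contacts, SMS, call history and call recordings has to request the corresponding Android permissions, which makes the permission set a cheap static triage signal. The script below is an added example (not code from Talos, EST Security or the KevDroid samples): it parses an AndroidManifest.xml, maps the requested permissions onto the capabilities described above, and flags apps that combine network access with several of those data-collection capabilities. The two manifests are constructed for illustration, and the capability-to-permission mapping and the threshold of four capabilities are assumptions of this example, not values from the report.

```python
"""Static triage heuristic for Android apps whose requested permissions
match the data-theft profile described above (contacts, SMS, call log,
call recording, exfiltration over the network).

Added example, not code from Talos or from the KevDroid samples. The
manifests below are constructed; the permission mapping and the
threshold are assumptions of this example.
"""
import xml.etree.ElementTree as ET

# Android attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities attributed to the malware, each satisfied by any one of
# the listed permissions. (Assumed mapping for this example.)
PROFILE = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "call_recording": {"android.permission.RECORD_AUDIO"},
    "exfiltration": {"android.permission.INTERNET"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def matched_capabilities(manifest_xml: str) -> set:
    """Capabilities from PROFILE that the manifest's permissions enable."""
    perms = requested_permissions(manifest_xml)
    return {cap for cap, needed in PROFILE.items() if perms & needed}


def matches_data_theft_profile(manifest_xml: str, min_caps: int = 4) -> bool:
    """True when the app can reach the network and covers at least
    min_caps capabilities in total. A genuine antivirus app rarely needs
    SMS, call-log and microphone access all at once."""
    caps = matched_capabilities(manifest_xml)
    return "exfiltration" in caps and len(caps) >= min_caps


# Constructed manifest resembling a fake AV app with the full profile.
FAKE_AV_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeav">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Antivirus"/>
</manifest>
"""

# Constructed manifest for a benign app that only needs the network.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Weather"/>
</manifest>
"""


def triage(manifests: dict) -> dict:
    """Map each app name to (matched capabilities, flagged?) for review."""
    return {
        name: (sorted(matched_capabilities(xml)), matches_data_theft_profile(xml))
        for name, xml in manifests.items()
    }


if __name__ == "__main__":
    for name, (caps, flagged) in triage(
        {"fakeav": FAKE_AV_MANIFEST, "weather": BENIGN_MANIFEST}
    ).items():
        print(f"{name}: caps={caps} flagged={flagged}")
```

Permissions are a coarse signal: an app can request them and never use them, and runtime-granted permissions on newer Android versions still appear in the manifest. Treat a hit as a reason to pull the APK apart (and to look for the CVE-2015-3636 exploit and the HTTP POST exfiltration code), not as a verdict on its own.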
Talos noted that the tactics, techniques and procedures they identified were not distinctive enough to establish a reliable attribution, so they could not confirm a link between these samples and Group 123.
Read the Talos analysis report:
Fake AV Investigation Unearths KevDroid, New Android Malware
Source: talosintelligence