New AndroRAT variant hit Android devices

Recently, Trend Micro detected a new variant of the Android Remote Access Tool (AndroRAT), which researchers have identified as ANDROIDOS_ANDRORAT.HRXC, which can inject root vulnerabilities in existing devices and perform malicious attacks such as silent installation, shell command execution, WiFi password collection and screen capture. This variant of AndroRAT is targeted at CVE-2015-1805, a publicly disclosed vulnerability in 2016 that is a high-risk vulnerability that can be used to elevate permissions and run arbitrary code on vulnerable devices. In fact, A long time ago, was found in the upstream Linux kernel.

RAT attacks have always been a common Windows threat, so it should not be surprising for Android. Take CVE-2015-1805, though it was fixed in April 2014. Unfortunately, however, people underestimated the vulnerability, and by 2016 it was re-used by hackers and could be used to attack the Android operating system. RAT typically exploits the root privileges of a device by exploiting vulnerabilities and then controls the entire operating system. As early as 2012, Trend Micro researchers found that AndroRAT was originally a project developed at a university lab, intended to be developed as an open source client or server application that provides remote control of the Android system, which Will naturally attract cybercriminals.

This new variant of AndroRAT disguises itself as a malicious utility called TrashCleaner, which may have been downloaded via a malicious URL. When TrashCleaner first runs, it prompts the Android device to install a Chinese-labeled calculator application similar to a pre-installed system calculator. At the same time, the TrashCleaner icon disappears from the device’s user interface and activates the RAT in the background.

Configurable RAT services are controlled by the remote server, which means that attackers may issue remote commands to trigger different malicious behaviors in real time. When executing a privileged operation, this variant activates the embedded root attack. At this point it will perform the following malicious actions in the original AndroRAT:

• Record audio
• Take photos using the device camera
• Theft of system information such as phone model, number, IMEI, etc.
• Theft of WiFi names connected to the device
• Theft of call logs including incoming and outgoing calls
• Theft of mobile network cell location
• Theft of GPS location
• Theft of contacts list
• Theft of files on the device
• Theft of list of running apps
• Theft of SMS from device inbox
• Monitor incoming and outgoing SMS

Apart from the original features of the AndroRAT, it also performs new privileged actions:

• Theft of mobile network information, storage capacity, rooted or not
• Theft of list of installed applications
• Theft of web browsing history from pre-installed browsers
• Theft of calendar events
• Record calls
• Upload files to victim device
• Use front camera to capture high-resolution photos
• Delete and send forged SMS
• Screen capture
• Shell command execution
• Theft of WiFi passwords
• Enabling accessibility services for a keylogger silently

Google CVE-2015-1805 was patched in March 2016 but has not been upgraded or some older devices may be affected by this new AndroRAT variant, but unfortunately, there are still a large number of mobile users still using it The older version of Android, these versions may still exist CVE-2015-1805.

Mitigation measures

Users should avoid downloading applications from third-party application stores to avoid being compromised by attacks such as AndroRat. When it comes to devising security, users should try their best to download from the legitimate app store. In addition, periodic updates to the device’s operating system and applications can also reduce the risk posed by new exploits.

Google said this new malicious variant of the app has not been released on Google Play so far and they have included CVE-2015-1805 testing in their security tests. Ideally, any devices started or updated after April 2016 will not be affected.

Indicators of Compromise (IoCs)

Source: TrendMicro