Inside the Briefcase

How to Best Utilise Analytics in all its Forms

How to Best Utilise Analytics in all its Forms

Analytics is one of the most indispensable tools any...

2016 APM Reference Guide: Application Performance Monitoring

2016 APM Reference Guide: Application Performance Monitoring

IT Briefcase Analyst Report
This product guide allows you to...

IT Briefcase Exclusive Interview: Top IoT Trends and Predictions for Organizations in 2016

IT Briefcase Exclusive Interview: Top IoT Trends and Predictions for Organizations in 2016

with Mike Martin, nfrastructure
In this interview, Mike Martin,...

Unleash the Power of Global Content

Unleash the Power of Global Content

globeYour business depends on pushing accurate and dynamic content...

Clicking Away Your Right to Privacy

Clicking Away Your Right to Privacy

Before using any standard Internet service provider for e-mail...

Remote Access Tool Takes Aim with Android APK Binder

July 17, 2013 No Comments

SOURCE: Symantec

In a previous blog, we talked about the rise of remote access tools (RAT) written in Java that are capable of running on multiple operating systems. With the growing popularity of the Android operating system, it comes as no surprise that the Android OS is the latest target and is not immune to RATs. Since late last year, underground forums have been offering a free Android RAT known as AndroRAT (Android.Dandro). Now, unsurprisingly, the underground economy that caters to the needs of cybercriminals has created the first tools (called “binders”) that easily allow users to repackage and Trojanize legitimate Android applications with AndroRAT.
figure1 Remote Access Tool Takes Aim with Android APK Binder

Figure 1. A “binder” tool being sold on underground forums advertised as the first binder ever
Back in November 2012, an open source RAT for Android named AndroRAT was published and made accessible to everyone on the Internet. Like other RATs, it allows a remote attacker to control the infected device using a user friendly control panel. For example, when running on a device, AndroRAT can monitor and make phone calls and SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files stored on the device.
figure2 HL Remote Access Tool Takes Aim with Android APK Binder

Figure 2. AndroRAT’s control panel
The RAT comes in the form of an APK which is the standard application format for Android. When used in conjunction with the AndroRAT APK binder, it easily allows an attacker with limited expertise to automate the process of infecting any legitimate Android application with AndroRAT, thus Trojanizing the app. When the Trojanized version of the legitimate app is installed on the device, the user unsuspectingly installs AndroRAT alongside the legitimate app they intended to install. This allows the attacker to circumvent elements of the Android security model through deception. To date, Symantec has counted 23 cases of popular legitimate apps being Trojanized in the wild with AndroRAT.

Subsequently, we have also spotted a commercial Java RAT named Adwind (Backdoor.Adwind) that already supports multiple operating systems and seems to be in the process of incorporating an Android module based off the AndroRAT open source code. Again, this RAT also features a graphical user interface allowing the attackers to manage and control the RAT remotely.
figure3LOB Remote Access Tool Takes Aim with Android APK Binder

Figure 3. Adwind main control panel
A demonstration video that shows Adwind working with Android also shows the presence of AndroRAT on the infected phone, suggesting that the authors of Adwind may be customizing the AndroRAT tool to incorporate it into Adwind. This development comes as no surprise, as the open source nature of the AndroRAT code means it can be easily customized into new threats and tools.
figure4 HL 600pxw Remote Access Tool Takes Aim with Android APK Binder

Figure 4. Screenshot of Adwind video showing AndroRAT’s presence on the infected device
At present, Symantec telemetry shows only several hundred infections of Android.Dandro worldwide, with the United States and Turkey being the most targeted countries. However, the telemetry is reporting a rise in infection numbers as of late, which we expect will continue as both the availability and sophistication of tools for AndroRAT increase.
figure5LOB Remote Access Tool Takes Aim with Android APK Binder

Figure 5. Heat map of infections
The evolution of remote access tools moving onto the Android platform was predicted. While AndroRAT is not showing a particularly high level of sophistication just yet, with the open source nature of its code and with its popularity growing, it has potential to evolve and grow into a more serious threat.

We recommend installing a security app, such as Norton Mobile Security, which detects this threat as Android.Dandro. For general safety tips for smartphones and tablets, please visit our Mobile Security website.

Blogs, Featured Blogs

Leave a Reply

(required)

(required)


ADVERTISEMENT

AnDevCon


American Customer Festival 2016 New York

ITBriefcase Comparison Report

Cyber Security Exchange