
PSA: RAT Malware Snoops on your Data while Hiding in ‘Legitimate’ Android Apps

August 15, 2014 - Written By Peter Holden

Android is the world's most popular mobile OS, deservedly championed for its versatility and the degree to which it can be customised to your heart's desires, but one topic that rears its head quite often is security, whereby nefarious types access your data through exploits or apps that contain malware. Which brings us neatly to news of a threat called Krysanec that ESET has uncovered: it has the outward appearance of a genuine app but actually contains a Remote Access Trojan (RAT). ESET's Robert Lipovsky says "it's the very essence of a Trojan Horse".

What is this RAT, and what threat does it actually pose to Android users? Firstly, it's an Android variant of the Unrecom RAT, a multi-platform tool. When you consider the RAT's abilities, you could be forgiven for believing the NSA was behind it. To start with, the RAT accesses your data via a backdoor, proceeding to take photos, check your current GPS location, record audio (and probably video as well, seeing as it can access the camera), and read your texts and WhatsApp messages. That's not all, either: the RAT can also snoop on your call logs, your contact list and whatever web pages you have open, as well as checking which applications you have installed on your device. So it's definitely more than a little creepy in its habits, and it is clearly trying to find out as much about you as possible.

How does the RAT malware find its way on to your device? And why hasn't Google removed it from the Play Store? To answer the last question first, the apps containing the RAT aren't present in Google's Play Store, so you can breathe a sigh of relief. In order to enter the Play Store, an app has to be digitally signed with the official developer's certificate; this certificate is unique to every single developer, and in order to receive such credentials the developer has to register for an account with Google. Even once it has been submitted, an app still has to contend with Google's Bouncer mechanism, which scans both new and previously uploaded apps and developer accounts. This safety net goes out of the window when you download an app from an unauthorized site, though, as infected apps carry invalid certificates.

As to where you find apps containing the RAT malware: if you are using social media sites, file-sharing forums or other unofficial sites to download and install your apps, you have no idea what has been inserted into the app before it reaches your phone. While the app containing the RAT was once the genuine article, almost anyone with a degree of coding experience would find it simple enough to decompile an existing Android app, insert the RAT and then recompile the app for distribution to unsuspecting users. If you frequent sites that offer cracked versions of paid apps, ask yourself how they make their money. Sure, they may have the odd advert on their site, but the chances are that their real income is generated by that cracked app you've just installed, because if someone has the skill to crack a paid app, they almost certainly have the ability to insert a few lines of malevolent code into it.

What sort of applications has the RAT been caught hiding in? It varies: anything from a version of the MobileBank app (Russia's Sberbank app) and 3G Traffic Guard (a data usage monitoring app) to ESET's own Mobile Security app. I should emphasise that none of the aforementioned applications was downloaded from a reputable source. In some cases, the affected app has been caught phoning home to a C&C server hosted on the Dynamic DNS provider no-ip.com. You may remember no-ip from its recent brush with Microsoft's Digital Crimes Unit, which attempted to take over 23 of its domains because they were being used to distribute malware. In the end Microsoft were forced to abandon the case because its actions had affected many of no-ip's innocent users, and also because no-ip were not knowingly involved with the culprits who were abusing their services.

How do you avoid this sort of malware? The first and probably most important step is to ensure that you install your applications from a trustworthy source such as Google's Play Store or Amazon's AppStore. Remember to check the permissions of the app you want to install, and avoid the dodgy websites that promise free apps or APKs of the latest game that you know hasn't even been released yet. If you are in doubt about any of the applications already installed on your device, it's well worth installing security software such as ESET's Mobile Security or Avast!'s Anti-virus and Security app (there are other reputable security apps available on the Play Store) to check your phone for unwanted lodgers.
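A defender-side check that ties the repackaging scenario above to the advice to review permissions before installing: this added Python example (not code from ESET or from the article) diffs a downloaded build's requested permissions against those of the genuine app and flags it when the additions match the surveillance reach the RAT is described as having. The `aapt dump permissions` text format, the sample package name, the permission samples and the alert threshold are assumptions.

```python
import re
from typing import Dict, Set

# Permissions matching the reach the article attributes to Krysanec (camera,
# GPS, microphone, SMS, call logs, contacts, open web pages). Real Android
# permission names; the grouping and alert threshold are our own assumptions.
SURVEILLANCE: Dict[str, str] = {
    "android.permission.CAMERA": "take photos/video",
    "android.permission.ACCESS_FINE_LOCATION": "track GPS location",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_CONTACTS": "read contact list",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "see open web pages",
}
ALERT_THRESHOLD = 3  # assumed: this many new spy permissions is a red flag

# Constructed samples in the style of `aapt dump permissions` output (format
# assumed): a genuine data-usage monitor and a repackaged copy of it.
GENUINE_DUMP = """package: com.example.trafficguard
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.READ_PHONE_STATE'
"""
REPACKAGED_DUMP = GENUINE_DUMP + """uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_CONTACTS'
"""
PERM_RE = re.compile(r"uses-permission:\s*name='([^']+)'")

def parse_permissions(dump: str) -> Set[str]:
    """Collect every permission name from an aapt-style permission dump."""
    return set(PERM_RE.findall(dump))

def triage(baseline: Set[str], candidate: Set[str]) -> Dict[str, object]:
    """Diff a candidate build against the known-good one; flag spy additions."""
    added = sorted(candidate - baseline)
    spy = [p for p in added if p in SURVEILLANCE]
    return {
        "added": added,
        "surveillance_added": spy,
        "capabilities": [SURVEILLANCE[p] for p in spy],
        "suspicious": len(spy) >= ALERT_THRESHOLD,
    }

def demo() -> Dict[str, object]:
    return triage(parse_permissions(GENUINE_DUMP), parse_permissions(REPACKAGED_DUMP))
```

Run `demo()` against the two constructed dumps: the repackaged copy gains six permissions, all in the surveillance set, so it is flagged, while the genuine build diffed against itself is not.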

Have you been the victim of an app containing malware? If so, where did you get it from and how did you notice it wasn’t the genuine article? Let us know in the comments below or at our Google Plus page.