Friday 27 September 2013

Android Remote Access Trojan AndroRAT is Cheaper and More Dangerous Than Ever

Android Malware
Back in July, we told you about AndroRAT—a remote access Trojan for Android devices that let hackers remotely control every aspect of your phone or tablet. Coupled with another piece of software called a binder, injecting the malicious AndroRAT code into a legitimate app and then distributing the Trojanized version was a snap. Now AndroRAT is back: bigger, more dangerous, and cheaper than ever.
Everything Is Free Now
Originally, AndroRAT was an open-source proof-of-concept that became an actual remote access Trojan. That's bad, but it could have been worse: at least it was hard to deliver to victims' phones and notoriously unstable. Bitdefender's senior threat analyst Bogdan Botezatu explained that it was the introduction of an APK binder that truly weaponized AndroRAT. "After you used the APK binder you got a perfect copy for cybercrime," said Botezatu.
Once the malicious code was injected into a legitimate app, the resulting infected apps were smaller and more stable than the original AndroRAT. Plus, the Trojanized apps used to deliver AndroRAT—usually cracked games—still worked perfectly, so the victim had no reason to suspect anything.
AndroRAT has always been free and open-source, but the APK binder originally cost $35. Two months ago, Symantec reported only 23 installations of AndroRAT. That is until someone else cracked the binder and posted it for free online. "Look at the irony," said Botezatu. "This tool also got cracked by some other guys who posted it for free."
Infections of AndroRAT sharply increased after the binder application was released for free. Since July, Bitdefender says it has seen 200 infections on devices running Bitdefender's mobile security software. That's only a fraction of the Android-using populace, concedes Botezatu. However, he told me that he's seen individuals bragging on forums about AndroRAT botnets with 500 infected phones.
Easy Like Sunday Morning
In addition to being free, AndroRAT is extremely easy to use. In a demonstration, Botezatu showed me the simple point-and-click interface for creating Trojanized apps and for controlling infected devices. With just a few clicks, he showed me all of the data he could access remotely. With a few more clicks, he used an infected device to send SMS messages. I asked him if it was possible to capture video and audio and, sure enough, there was a pull-down menu for that.
"Now that these tools are publicly and freely available, we're going to see a huge number of AndroRAT infections," said Botezatu. He expects to see script kiddies, or people with no technical understanding of the tools they're using, driving the spread of infections for now. Mostly, he thinks, to spy on their friends, spouses, and bosses.
Making Money
Most malware has a money-making angle behind it, but right now AndroRAT hasn't been monetized on a large scale. Monetization is usually the end goal for Android malware: exploiting the victims in a way that earns the bad guys some cash.
Thankfully, we're not there yet with AndroRAT. "I believe that they are now just experimenting with how well they can spread the malware," explained Botezatu. We've seen similar rumblings with malware like SpamSoldier, which has a lot of potential but hasn't yet taken off. "[I assume] they are doing small-time fraud by sending premium SMS, just enough to make money but fly under the radar."
While Botezatu believes that AndroRAT will mostly remain a toy, it is possible that pieces of the software could be broken apart and repackaged into more targeted tools. In fact, Bitdefender experimented with this, creating smaller, stealthier applications that did just one thing—monitor phone calls, for instance. Botezatu said that because AndroRAT is written in Java it could be "easily integrated into basically anything," perhaps even combined with the notorious Android Master Key exploit.
But that's not the future he sees for AndroRAT. "For guys who actually know how to code a piece of malware, they're going to go for their own in-house application."
Staying Safe
Though AndroRAT is scary, it's pretty easy to avoid getting infected. Even though AndroRAT can be bound to any application, the Trojanized copy is not the one in Google Play: victims still have to enable sideloading (installation from unknown sources) on their device, download the Trojanized app from wherever it is being passed around, and install it, accepting whatever permissions it asks for.
And while being available for free has meant that just about anyone can churn out Android malware, it also means that AndroRAT is extremely well understood and documented by security companies. Using either avast! Mobile Security & Antivirus, our Editors' Choice for free Android anti-malware, or Bitdefender Mobile Security and Antivirus, our Editors' Choice for paid Android anti-malware, should keep you safe.
Despite this, people will still get infected. Botezatu chalked at least part of this up to Android's cryptic warnings about app permissions. After years of developing for Android, he said that even he doesn't understand what some of those warnings mean.
But most infections will be people who are willing to download cracked versions of for-pay apps—generally games, which are the most popular method for spreading malicious software on Android. "AndroRAT works only because people do not take the same approach on security on their mobile phone as they do on their computer," said Botezatu.
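The infection route described in this section leaves two traces a practitioner can check offline before installing a "free" copy of a paid game. A repackaged APK cannot carry the original developer's signature, so the signer certificate differs from the Google Play copy, and the injected code has to request permissions (SMS, microphone, camera, contacts) that the original game never asked for. The following Python script performs both checks; it is an added example, not code from the article, from Bitdefender or from the AndroRAT project. It handles only the v1 (JAR) signature scheme that Android used at the time, and every certificate, manifest and permission list in it is a constructed stand-in; the RAT permission set is representative of the capabilities the article describes (SMS sending, audio and video capture, data access), not a verified AndroRAT manifest.

```python
"""Triage a sideloaded APK against a trusted copy of the same app.

Check 1: signer certificate fingerprint (as apksigner prints it) differs.
Check 2: manifest requests permissions the trusted copy never did.
Only the v1 (META-INF/*.RSA) signature scheme is handled; all sample data
below is constructed, not taken from real apps, keys or malware.
"""
import hashlib
import io
import re
import zipfile


def der_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def signer_cert_sha256(pkcs7):
    """SHA-256 of the first certificate in a PKCS#7 SignedData blob.

    Stable across builds signed with the same key, unlike a hash of the whole
    .RSA file, whose embedded signature changes with every build.
    """
    _, pos, _ = der_tlv(pkcs7, 0)           # ContentInfo SEQUENCE
    _, _, pos = der_tlv(pkcs7, pos)         # contentType OID (skipped)
    _, pos, _ = der_tlv(pkcs7, pos)         # [0] EXPLICIT content
    _, pos, _ = der_tlv(pkcs7, pos)         # SignedData SEQUENCE
    for expected in (0x02, 0x31, 0x30):     # version, digestAlgorithms, encapContentInfo
        tag, _, pos = der_tlv(pkcs7, pos)
        if tag != expected:
            raise ValueError("unexpected PKCS#7 layout")
    tag, pos, _ = der_tlv(pkcs7, pos)       # certificates [0] IMPLICIT SET OF Certificate
    if tag != 0xA0:
        raise ValueError("signature block carries no certificate")
    _, _, end = der_tlv(pkcs7, pos)         # first Certificate SEQUENCE (tag + length + value)
    return hashlib.sha256(pkcs7[pos:end]).hexdigest()


PERMISSION = re.compile(r"android\.permission\.[A-Z_0-9]+")


def manifest_permissions(axml):
    """Permission names in a binary AndroidManifest.xml (triage heuristic).

    AXML stores names in a string pool, normally UTF-16LE; scanning both
    UTF-16 alignments plus UTF-8 avoids parsing the chunk format.
    """
    views = (axml.decode("utf-16-le", "ignore"),
             axml[1:].decode("utf-16-le", "ignore"),
             axml.decode("utf-8", "ignore"))
    return {p for view in views for p in PERMISSION.findall(view)}


def apk_signer_and_permissions(apk_bytes):
    """Return (signer certificate fingerprint, set of requested permissions)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        blocks = [n for n in z.namelist()
                  if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not blocks:
            raise ValueError("no v1 signature block found")
        return (signer_cert_sha256(z.read(blocks[0])),
                manifest_permissions(z.read("AndroidManifest.xml")))


def triage(trusted_apk, suspect_apk):
    """Findings worth acting on; an empty list means both checks passed."""
    trusted_fp, trusted_perms = apk_signer_and_permissions(trusted_apk)
    suspect_fp, suspect_perms = apk_signer_and_permissions(suspect_apk)
    findings = []
    if trusted_fp != suspect_fp:
        findings.append("signer changed: %s... -> %s... (repackaged and re-signed)"
                        % (trusted_fp[:16], suspect_fp[:16]))
    added = sorted(suspect_perms - trusted_perms)
    if added:
        findings.append("permissions added: " + ", ".join(added))
    return findings


# --- constructed sample data: fake keys, a fake AXML string pool, two fake APKs ---

def der(tag, body):
    """Encode one DER TLV (used only to build the sample signature blocks)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def fake_pkcs7(cert_der):
    """Minimal PKCS#7 SignedData skeleton wrapping one (fake) certificate."""
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                      + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))  # id-data
                      + der(0xA0, cert_der))
    return der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02")  # id-signedData
               + der(0xA0, signed_data))


def fake_manifest(perms):
    """Stand-in for binary AXML: a UTF-16LE string pool like the real format uses."""
    pool = b"".join(len(s).to_bytes(2, "little") + s.encode("utf-16-le") + b"\x00\x00"
                    for s in ["manifest", "uses-permission", *perms])
    return b"\x03\x00\x08\x00" + pool


def build_apk(cert_der, perms):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", fake_manifest(perms))
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("META-INF/CERT.RSA", fake_pkcs7(cert_der))
    return buf.getvalue()


DEVELOPER_CERT = der(0x30, b"game studio release key")        # constructed
REPACKAGER_CERT = der(0x30, b"binder user self-signed key")    # constructed
GAME_PERMS = ["android.permission.INTERNET", "android.permission.VIBRATE"]
RAT_PERMS = GAME_PERMS + ["android.permission.SEND_SMS", "android.permission.READ_SMS",
                          "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
                          "android.permission.READ_CONTACTS"]
ORIGINAL_APK = build_apk(DEVELOPER_CERT, GAME_PERMS)
TROJANIZED_APK = build_apk(REPACKAGER_CERT, RAT_PERMS)

if __name__ == "__main__":
    for finding in triage(ORIGINAL_APK, TROJANIZED_APK):
        print(finding)
```

On a real device the trusted copy is the APK pulled from a phone that installed the game from Google Play; the certificate check is the decisive one, since a cracked game can be re-signed only with the cracker's key, while the permission diff is what makes the cryptic install-time warning concrete. Apps signed only with the newer v2/v3 scheme keep their signature in the APK Signing Block rather than META-INF, so for those use apksigner to obtain the same fingerprint.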
Malware still isn't as prevalent on mobile devices as it is on desktops, but AndroRAT is a sobering reminder that the dangers are out there.
