Pierluigi Paganini August 12, 2013

AndroRAT is just one of the numerous open-source tools that was created and published on the undergroud forums to allow the hack of Android mobile devices.

AndroRAT is an open-source tool that was created and published on the Internet in November 2012, it is a RAT (Remote Access Tool)  for Android OS and exactly as any other RATs, it allows a remote attacker to control the victim. Usually the RATs have a user friendly control panel that makes possible the control of victims, in the same way AndroRAT can control, make phone calls and send SMS messages of infected devices, it is also able to get its GPS coordinates, access to files stored on the handset and activate and use the microphone and camera. The fact that Android OS has increased its popularity has had as consequences an increase of malicious code developed for the Google’s platform, RATs included.

The AndroRAT (Android.Dandro) appeared in the underground since last year, many forums have offered it to respond to the request of cybercrime ecosystem. The first tools created in the black market, dubbed “binders”, easily allow users to repackage and Trojanize legitimate Android applications with AndroRAT.

“The RAT comes in the form of an APK which is the standard application format for Android. When used in conjunction with the AndroRAT APK binder, it easily allows an attacker with limited expertise to automate the process of infecting any legitimate Android application with AndroRAT, thus Trojanizing the app. When the Trojanized version of the legitimate app is installed on the device, the user unsuspectingly installs AndroRAT alongside the legitimate app they intended to install. This allows the attacker to circumvent elements of the Android security model through deception. To date, Symantec has counted 23 cases of popular legitimate apps being Trojanized in the wild with AndroRAT.” Symantec reported.

Symantec experts have also spotted a commercial Java RAT named Adwind (Backdoor.Adwind) that already supports multiple operating systems and seems to be in the process of incorporating an Android module based off the AndroRAT open source code.

The Black Hat conference showed this in combination with the AndroRAT APK specifically created binder. With this binder AndroRAT developed a new concept of hacking into Android phones. In the following image is proposed an ad for AndroRat available on the black market, probably the first one offered.

During the last edition of the Black Hat USA conference large space has been dedicated to Android and the related vulnerabilities exploited by hackers, in particular it has been showed that combining AndroRAT with the AndroRAT APK specifically created binder to introduce a new concept of hacking into Android mobile phones.

The hackers at the conference demonstrated that is possible to set-up “a false, rogue cell tower in the near vicinity” of a company executive and using the AndroRAT APK binder they were able spy on conference the executive participates.

The principal problem related to the diffusion of tools such as AndroRAT is that they don’t need a particular expertise to be used by cybercrimanals, a few steps could transform a criminal in a dangerous hacker. Using the AndroRAT with binder an attacker could steal sensitive information from victims and use the handset remotely, following a few operations allowed to ill-intentioned.

• Access to phone call logs
• Spying on victim calls
• Access to handset camera to take a picture
• Capture media messages
• Capture user’s credential for principal services accessed via mobile
• Stole user’s files and documents.
• Geo-localize victims

The role of binders becomes crucial for device infection, using them attackers can package malicious applications such as the AndroRAT tool transforming it in an innocent and a legitimate app such as the popular games Angry Birds and Candy Crush. At this point is sufficient to advertize the fake app on a third-party sites and wait for victims to start the download.

Google is aware of the wave of attacks that is targeting Android OS, it has recently published on its official blog a few suggestions on how to protect user’s mobile devices:

1. Lock your device screen.

2. Protect your phone from suspicious apps. 

3. Locate, ring and wipe a misplaced device.

It’s fundamental to avoid clicking links that lead to third-party sites advertising free apps and is being strongly suggested to install antivirus software. Remember that harmful hacking tools like AndroRAT APK binder, Master Key and DroidWhisper are menacing our security, the message is extended to companies and government agencies … it is emergency.

Pierluigi Paganini

(Security Affairs  Android, AndroRAT, Cybercrime)