A new variant of the dreaded AndroRAT malware appeared in threat landscape

Security researchers from Trend Micro detected a new variant of the popular AndroRAT Android RAT in the criminal ecosystem.

Security experts from Trend Micro reported the availability of a new variant of the popular AndroRAT.

The malware was first born in 2012 as a university project, designed as an open-source client/server application to offer remote control of a device. Unfortunately, hackers noticed the capabilities of the threat and started using it.

The new version includes the code to trigger the CVE-2015-1805, it is a local elevation of privilege flaw that affects the kernel of the Android OS of certain devices.

The vulnerability is ranked as critical and can be exploited by rooting applications that users have installed on their devices to elevate privileges and run arbitrary code on the vulnerable device.

The security flaw is very old, it was discovered in the upstream Linux kernel years ago and fixed in April 2014. Unfortunately, the flaw was underestimated until last early 2016 when the C0RE Team reported to Google that it was possible to exploit it to target the Android OS.

All unpatched Android devices running OS based on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable to the CVE-2015-1805 vulnerability.

“Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture.” states the analysis published by Trend Micro.

The new AndroRAT variant masquerades as a utility app called TrashCleaner that is likely delivered from a malicious URL. Once launched, the TrashCleaner will prompt the user to install a Chinese-labeled calculator app, hide its icon from the device’s UI, and activates the RAT in the background.

The new variant included the following additional features:

• Theft of mobile network information, storage capacity, rooted or not
• Theft of list of installed applications
• Theft of web browsing history from pre-installed browsers
• Theft of calendar events
• Record calls
• Upload files to victim device
• Use front camera to capture high resolution photos
• Delete and send forged SMS
• Screen capture
• Shell command execution
• Theft of WiFi passwords
• Enabling accessibility services for a key logger silently

Experts recommend downloading apps only from official stores and keeping updated the OS and the apps.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – AndroRAT  CVE-2015-1805)

[adrotate banner=”5″]

[adrotate banner=”13″]