A Newly discovered Android Remote Access Trojan called AndroRAT targeting unpatched Android Devices that exploit the publicly disclosed critical privilege escalation vulnerability and gain some high-level access from targeted Andriod devices.
This Android based RAT have an ability to gain some advance level privileges on any android devices that unpatched Remote code execution vulnerability CVE-2015-1805 and inject root exploits.
Root Exploits leads to perform a various malicious task such as silent installation, shell command execution, WiFi password collection, and screen capture.
Basically, RAT’s are abusing many platforms including Android, windows, and macOS by exploiting the critical vulnerabilities that performing on the targeting platform.
How Does this AndroRAT RAT Works
AndroRAT Initially developed as a university project in order to gain the remote access from Android devices but later it abused by cybercriminals and used it for various malicious activities.
Newly discovered AndriodRAT variant posed as a malicious utility app called TrashCleaner which contains an Android exploit.
Initially in distributed via malicious URL that distributing via various sources such as spam and phishing email or social media shares.
Once TrashCleaner runs on the targeting Android devices, its force victim to install the Chinese-labeled calculator app that forced victims to replace the default Android calculator app.
Later RAT will communicate with the command & control server which is controlled by the attacker and performing a various command to steal the user’s sensitive information.
According to TrendMicro, The variant activates the embedded root exploit when executing privileged actions. It performs the following malicious actions found in the original AndroRAT:
- Record audio
- Take photos using the device camera
- Theft of system information such as phone model, number, IMEI, etc.
- Theft of WiFi names connected to the device
- Theft of call logs including incoming and outgoing calls
- Theft of mobile network cell location
- Theft of GPS location
- Theft of contacts list
- Theft of files on the device
- Theft of list of running apps
- Theft of SMS from device inbox
- Monitor incoming and outgoing SMS
Apart from the original features of the AndroRAT, it also performs new privileged actions:
- Theft of mobile network information, storage capacity, rooted or not
- Theft of list of installed applications
- Theft of web browsing history from pre-installed browsers
- Theft of calendar events
- Record calls
- Upload files to victim device
- Use front camera to capture high-resolution photos
- Delete and send forged SMS
- Screen capture
- Shell command execution
- Theft of WiFi passwords
- Enabling accessibility services for a keylogger silently
CVE-2015-1805 patched on 2016 by Google and the unpatched Android devices are still vulnerable to this AndroRAT Remote access Trojan also the device which is not longer receive this security patch also vulnerable to this Android RAT which is still being used by a significant number of mobile users. Trend Micro said.
IOC – SHA256