Friday, October 4, 2024
HomeCVE/vulnerabilityAndroRAT - A Remote Access Trojan Compromise Android Devices and Inject Root...

AndroRAT – A Remote Access Trojan Compromise Android Devices and Inject Root Exploits

Published on

A Newly discovered Android Remote Access Trojan called AndroRAT targets unpatched Android Devices that exploit the publicly disclosed critical privilege escalation vulnerability and gain some high-level access from targeted Andriod devices.

This Android-based RAT has the ability to gain some advanced level privileges on any Android devices that unpatched Remote code execution vulnerability CVE-2015-1805 and inject root exploits.

Root Exploits lead to performing various malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture.

- Advertisement - EHA

Basically, RATs are abusing many platforms including Android, windows, and macOS by exploiting the critical vulnerabilities that performing on the targeting platform.

Also Read: Android Rat – TheFatRat to Hack and Gain Access to Targeted Android Phone

How Does this AndroRAT RAT Works

AndroRAT was Initially developed as a university project in order to gain remote access from Android devices but later it was abused by cybercriminals and used for various malicious activities.

A newly discovered AndriodRAT variant posed as a malicious utility app called TrashCleaner which contains an Android exploit.

Initially in distributed via malicious URLs were distributed via various sources such as spam and phishing email or social media shares.

Once TrashCleaner runs on the targeting Android devices, it forces victims to install the Chinese-labeled calculator app that forced victims to replace the default Android calculator app.

Once this Malicious calculator app will be installed on the victim’s device, the Trashcleaner app will disappear from the infected Android devices and RAT will be activated from the background.

Later RAT will communicate with the command & control server which is controlled by the attacker and performs various commands to steal the user’s sensitive information.

According to TrendMicro, The variant activates the embedded root exploit when executing privileged actions. It performs the following malicious actions found in the original AndroRAT:

  • Record audio
  • Take photos using the device’s camera
  • Theft of system information such as phone model, number, IMEI, etc.
  • Theft of WiFi names connected to the device
  • Theft of call logs including incoming and outgoing calls
  • Theft of mobile network cell location
  • Theft of GPS location
  • Theft of contacts list
  • Theft of files on the device
  • Theft of list of running apps
  • Theft of SMS from device inbox
  • Monitor incoming and outgoing SMS

Apart from the original features of the AndroRAT, it also performs new privileged actions:

  • Theft of mobile network information, storage capacity, rooted or not
  • Theft of list of installed applications
  • Theft of web browsing history from pre-installed browsers
  • Theft of calendar events
  • Record calls
  • Upload files to the victim’s device
  • Use the front camera to capture high-resolution photos
  • Delete and send forged SMS
  • Screen capture
  • Shell command execution
  • Theft of WiFi passwords
  • Enabling accessibility services for a keylogger silently

CVE-2015-1805 was patched in 2016 by Google and the unpatched Android devices are still vulnerable to this AndroRAT  Remote access Trojan also the device which is no longer receives this security patch is also vulnerable to this Android RAT which is still being used by a significant number of mobile users. Trend Micro said.

IOC – SHA256

  • 2733377c14eba0ed6c3313d5aaa51171f6aef5f1d559fc255db9a03a046f0e8f
  • fde9f84def8925eb2796a7870e9c66aa29ffd1d5bda908b2dd1ddb176302eced
  • 2441b5948a316ac76baeb12240ba954e200415cef808b8b0760d11bf70dd3bf7
  • 909f5ab547432382f34feaa5cd7d5113dc02cda1ef9162e914219c3de4f98b6e
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Doppler Launches ‘Change Requests’ to Strengthen Secrets Management Security with Audited Approvals

Doppler, the leading platform in secrets management, today announces the launch of Change Requests,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

CISA Warns of Four Vulnerabilities that Exploited Actively in the Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has warned about four critical vulnerabilities currently...

RansomHub Ransomware Using Multiple Techniques To Disable EDR And Antivirus

The RansomHub ransomware group tracked as Water Bakunawa, employs targeted spear-phishing to exploit the...