{"id":6253,"date":"2017-01-23T06:10:34","date_gmt":"2017-01-23T14:10:34","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-106\/"},"modified":"2017-01-23T06:10:34","modified_gmt":"2017-01-23T14:10:34","slug":"news-106","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-106\/","title":{"rendered":"Mobile Menace Monday: AndroRAT Evolved"},"content":{"rendered":"<p>An increasing amount of mobile malware known as Android\/Trojan.AndroRAT has been seen in the wild lately. \u00a0AndroRAT is a contraction of Android and RAT (Remote Access Tool).\u00a0 This piece of malware is far from new, but has gradually become more evolved over the years.<\/p>\n<h3>AndroRAT History<\/h3>\n<p>As the story goes (according to its <a href=\"https:\/\/github.com\/DesignativeDave\/androrat\" target=\"_blank\">GitHub page<\/a>), the original AndroRAT was created as a proof of concept by a small team of developers for a University project in 2012. 
\u00a0It has two parts: the AndroRAT server, which runs on a PC to control infected mobile devices, and the AndroRAT client, which is installed onto a mobile device.<\/p>\n<p>With a little Android development knowledge, the AndroRAT proof of concept could be used as a Trojan by taking an existing legitimate APK, decompiling it, adding the AndroRAT client code into the APK, and recompiling the APK.\u00a0 After installing the infected APK onto a mobile device, it can be controlled via the AndroRAT server, which is a simple GUI interface.<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-16116\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/1-600x320.jpg\" alt=\"\" width=\"600\" height=\"320\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/1-600x320.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/1-300x160.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/1.jpg 681w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<p>Here are just some of the functionalities of AndroRAT:<\/p>\n<ul>\n<li>Collect contacts<\/li>\n<li>Collect call logs<\/li>\n<li>Collect all messages including SMS<\/li>\n<li>Record calls<\/li>\n<li>Location through GPS<\/li>\n<li>Take a picture from the camera<\/li>\n<li>Send an SMS message<\/li>\n<li>Make outgoing calls<\/li>\n<li>Open a URL in the default browser<\/li>\n<\/ul>\n<h3>AndroRAT Binder<\/h3>\n<p>Soon after the original AndroRAT was uploaded to GitHub, the malware authors took it a step further and created AndroRAT Binder, an APK builder that adds the AndroRAT client code to any APK. 
\u00a0AndroRAT Binder made building infected APKs so easy that any script kiddie could use it.<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16117\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/2.jpg\" alt=\"\" width=\"336\" height=\"497\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/2.jpg 336w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/2-203x300.jpg 203w\" sizes=\"auto, (max-width: 336px) 100vw, 336px\" \/><\/p>\n<p>Simply add the IP and port used to connect the AndroRAT server to the client, provide a legitimate APK (most likely from Google PLAY) to repackage with AndroRAT, and build.\u00a0 Once built, the infected APK could be put onto third-party markets and\/or file-sharing sites for unsuspecting victims to install.\u00a0 Considering we have found around 31k infected APKs that used the default settings of the AndroRAT Binder in our Mobile Intelligence System, it seems it caught on like wildfire.<\/p>\n<h3>AndroRAT Evolved<\/h3>\n<p>The AndroRAT variants we see in the wild today are far from the original open source code uploaded to GitHub back in 2012.\u00a0 Updated code has improved the functionality, made it more stable, and added obfuscation to evade detection by malware scanners.\u00a0 With the recent increase of AndroRAT in the wild, I predict the distribution method has greatly improved as well.\u00a0 The old AndroRAT Binder made building an infected APK easier, but still only built APKs one at a time.\u00a0 Most likely new builders have been developed that are capable of automating the process even further, such as bulk building AndroRAT-infected APKs using legitimate apps.<\/p>\n<h3>The RAT is Always Lurking<\/h3>\n<p>APKs infected with the AndroRAT client run just like the apps they steal, but with added malicious functionality in the background.\u00a0 If an app is popular on Google PLAY, most likely 
there is an AndroRAT-infected version of it somewhere in the wild.\u00a0 For example, here\u2019s some code from an infected Pok\u00e9mon GO app:<\/p>\n<p align=\"center\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-16118\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/pokemongo-AndroRAT2-600x442.jpg\" alt=\"\" width=\"600\" height=\"442\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/pokemongo-AndroRAT2-600x442.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/pokemongo-AndroRAT2-300x221.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/pokemongo-AndroRAT2.jpg 866w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/p>\n<h3>Trapping the RAT<\/h3>\n<p>As usual, it\u2019s a cat and \u201cRAT\u201d game between malware developers and malware researchers.\u00a0 They keep putting new variants of AndroRAT out in the wild; we keep detecting them as they emerge.\u00a0 The best way to trap this RAT is to have a good malware scanner installed on your mobile device, and to install apps from reputable stores such as Google PLAY.\u00a0 Stay safe out there!<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/mobile-menace-monday-androrat-evolved\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/mobile-menace-monday-androrat-evolved\/' title='Mobile Menace Monday: AndroRAT Evolved'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/photodune-5107985-demonic-mutant-rat-l-Copy-627x640.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>An increasing amount of mobile malware known as Android\/Trojan.AndroRAT has been seen in the wild lately. 
\u00a0AndroRAT is a contraction of Android and RAT (Remote Access Tool).\u00a0 This piece of malware is far from new, but has gradually become more evolved over the years. AndroRAT History As the story goes (according to its GitHub page),&#8230;<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/\" rel=\"category tag\">Cybercrime<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/cybercrime\/mobile\/\" rel=\"category tag\">Mobile<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/android\/\" rel=\"tag\">Android<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/androrat\/\" rel=\"tag\">AndroRAT<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile\/\" rel=\"tag\">Mobile<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile-menace-monday\/\" rel=\"tag\">mobile menace monday<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mobile-security\/\" rel=\"tag\">mobile security<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/triple-m\/\" rel=\"tag\">triple m<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/01\/mobile-menace-monday-androrat-evolved\/' title='Mobile Menace Monday: AndroRAT Evolved'>Read 
more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10462,10635,4503,3764,10554,10555,10463,10556],"class_list":["post-6253","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-android","tag-androrat","tag-cybercrime","tag-malware","tag-mobile","tag-mobile-menace-monday","tag-mobile-security","tag-triple-m"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6253"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6253\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6253"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}