Researchers at ESET have uncovered a new remote access Trojan (RAT) for Android that has been masked by cybercriminals as various popular applications.
The malware, detected by the security firm as Android/Spy.Krysanec, is capable of infiltrating both free and paid Android apps, and it has been distributed via a file sharing website, a Russian social network and other channels. It has been disguised as 3G Traffic Guard, a mobile banking app from Russia’s top lender Sberbank, and even ESET Mobile Security. However, unlike the legitimate programs, the trojanized versions are not signed with valid digital certificates.
According to ESET’s Robert Lipovsky, the malicious applications they have discovered actually contain the old multi-platform RAT known as Unrecom (previously known as Adwind). Trend Micro revealed back in April that the threat was upgraded to run on Android devices. At the time, the security firm also discovered that Unrecom worked as an APK binder, giving it the ability to trojanize legitimate applications.
Lipovsky told SecurityWeek that they have spotted tens of different trojanized applications, but ESET Mobile Security is the only security product whose reputation has been leveraged by the cybercriminals. The malware samples analyzed by the company appear to be targeting users mostly in Russia and Ukraine, the researcher said.
Once it finds itself on a device, the threat can be used to download and execute additional components that enable cybercriminals to perform various activities, like recording audio through the microphone, taking pictures, accessing text messages, obtaining the current GPS location, and collecting information on installed apps, placed calls and visited webpages.
Researchers have found that some of the samples communicate with a command and control (C&C) server hosted on a domain belonging to No-IP, the dynamic DNS provider whose domains were seized recently by Microsoft as part of an operation against the Bladabindi (njRAT) and Jenxcus (NJw0rm) botnets. The domains were later returned to the DNS company and the case was dropped after Microsoft determined that No-IP was not knowingly facilitating the distribution of malware.
“It’s a relatively straightforward job for someone with coding experience to decompile an existing Android app, insert malicious capabilities, and re-build it as new,” Nathan Collier, senior malware intelligence analyst at Malwarebytes Labs, said in an emailed statement. “The tools to make this possible can be found by anyone with a good working knowledge of a search engine. A lot of the Android RATs used also utilize existing pre-built toolkits, making it relatively straightforward.”