DroidJack RAT Distributed via Infected Pokémon GO APK
Popular mobile games represent a productive attack vector for cybercriminals, and the Pokémon GO augmented reality Android game released last week is the most recent proof of that.
The first Pokémon game sanctioned by Nintendo for iOS and Android devices was released in Australia and New Zealand on July 4 and landed in the US on July 6, but the rest of the world hasn’t received it via official channels. Three days after arriving in the US, Pokémon GO became one of the most used apps in the Google Play Store, SimilarWeb data reveals.
For cybercriminals, this represented a great opportunity and they were fast to take advantage of it: a modified Pokémon GO APK packing the malicious remote access tool (RAT) called DroidJack was spotted less than 72 hours after the game was officially released. The targets of this malicious game were users outside those three geographies, which were expected to head to third-party portals to grab it.
It’s not uncommon for users to turn to third parties to grab an application or game unavailable in their area, especially when many publications provide details on how the side-loading can be done. However, apps downloaded from unofficial portals often carry hidden risks, the main reason for which users are always warned against this practice.
In the case of Pokémon GO, the attackers were very quick about it: they created a malicious APK within three days after the initial launch, taking advantage of the hype surrounding the official game. However, those installing this program from a third-party might have been warned of its malicious intent if they paid close attention to the requested permissions.
The DroidJack (also known as SandroRAT) malware hidden within the APK requested some unusual permissions during installation, researchers at Proofpoint explain. These include permissions to read and edit text messages, make phone calls, record audio, modify contacts, read bookmarks and web history, connect to Wi-Fi, and to retrieve running apps at startup.
All of these permissions fall in line with the functionality previously associated with DroidJack, a mobile threat that has been around since 2014. The Trojan can steal user messages, call logs, contacts, browser history, and installed apps, and can also execute remote commands such as take photos, record videos and calls, send SMS, and more.
Released in Google Play as Sandroid in 2013, DroidJack was initially designed as a legitimate app that allowed users to control their PC from an Android device. SandroRAT first emerged in December 2013 on a hacker forum, but the DroidJack variant was announced only in June 2014. It was offered on its own site at $210 for a lifetime package, Symantec researchers revealed in Novermber 2014.
In October 2015, European law enforcement agencies staged a coordinated swoop on suspected users of DroidJack which bought the malware and used it in 2014 and 2015. In November 2015, researchers analyzed OmniRAT, an Android tool similar to DroidJack in that it was initially designed as a legitimate application for remotely controlling Android devices, but later became malicious.
According to Proofpoint, the Pokémon GO game was modified in a manner meant to deceive users into believing they have installed the real game, and both versions feature the same start screen. The good news is that the APK wasn’t observed in the wild, although the researchers did notice it in a malicious file repository service.
The security researchers also explain that the DroidJack RAT has been configured to communicate to the command and control (C&C) domain pokemon[.]no-ip[.]org over TCP and UDP port 1337. The C&C domain resolved to an IP address in Turkey (88.233.178[.]130), researchers say, adding that the IP was not accepting connections from infected devices at the time of the analysis.
Although the infected Pokémon GO APK wasn’t observed in live attacks, it represents the perfect example of why users should always download applications only from trusted sources. Cybercriminals keep a close eye on trending applications and games and will definitely prey on their popularity to carry out their nefarious activities.
“Installing apps from third-party sources, other than officially vetted and sanctioned corporate app stores, is never advisable. Official and enterprise app stores have procedures and algorithms for vetting the security of mobile applications, while side-loading apps from other, often questionable sources, exposes users and their mobile devices to a variety of malware,” Proofpoint researchers say.