Security Experts:

Developers of Android RAT DroidJack Traced to India

The creators of the Android remote administration tool (RAT) called DroidJack started off as legitimate application developers, but when they realized that their products were not as successful as they had hoped, they turned to developing a crimeware tool.

Researchers at Symantec have been monitoring the evolution of the threat, which was first released in April 2013 on Google Play as Sandroid, a legitimate application for controlling PCs from an Android smartphone.

In late December 2013, someone announced the availability of SandroRAT on a hacker forum. SandroRAT was advertised as an Android application that could be used to take control of smartphones from a computer. The advertisement contained links to the Sandroid app on Google Play.

SandroRAT was analyzed by researchers at McAfee in August when it had been distributed via spam emails as a Kaspersky mobile security application. At the time, attackers targeted banking users in Poland.

According to Symantec, DroidJack (detected by the company as Android.Sandorat) is the latest version of the RAT. It was announced on June 27, 2014 on the same hacker forum and by the same individual who offered to sell SandroRAT. DroidJack is sold on its own website for $210, the cost of a lifetime package.

Researchers have analyzed the connection between DroidJack, SandroRAT and the Sandroid application and traced back their developers to India.

"If the author or authors of DroidJack meant to cover up their tracks, they have not done a good job.  Some simple investigations lead back to the names and telephone numbers of several individuals initially involved in the creation of Sandroid, supposedly based out of Chennai in India," Symantec's Peter Coogan wrote in a blog post.

Another piece of evidence that points to the developers of DroidJack being located in India is a promotional video which shows the RAT's GPS locator function showing a place in this particular country. However, experts have pointed out that it's uncertain if all the developers of Sandroid are involved in the creation of the malware.

DroidJack is a sophisticated RAT that works without needing root access, and it can be packaged with any legitimate game or application. The tool can be utilized to harvest details on the compromised device, install APKs, copy files to a computer, view messages, listen in on phone calls, list contacts, record audio and video via the microphone and camera, and get the phone's GPS location.

The developers of DroidJack have included a disclaimer on their website claiming that they do not encourage the use of the application for illegitimate purposes, but this tactic doesn't really work.

In September, U.S. authorities indicted a Pakistani national for commercializing StealthGenie, a spy application. StealthGenie was initially marketed as a spying application for catching cheating spouses, but its creators later started advertising it as a tool for parental control and employee monitoring, claiming that users need to obtain written permission from the targeted individual.

Law enforcement agencies from all over the world are involved in operations targeting RATs. In May, 100 people were arrested as part of global raids targeting users of the BlackShades RAT.

"If the authors of DroidJack are truly based out of India, cyber law in India indicates that the creation of such software would be seen as an offense," Coogan noted.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.