Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Developers of Android RAT DroidJack Traced to India

The creators of the Android remote administration tool (RAT) called DroidJack started off as legitimate application developers, but when they realized that their products were not as successful as they had hoped, they turned to developing a crimeware tool.

The creators of the Android remote administration tool (RAT) called DroidJack started off as legitimate application developers, but when they realized that their products were not as successful as they had hoped, they turned to developing a crimeware tool.

Researchers at Symantec have been monitoring the evolution of the threat, which was first released in April 2013 on Google Play as Sandroid, a legitimate application for controlling PCs from an Android smartphone.

In late December 2013, someone announced the availability of SandroRAT on a hacker forum. SandroRAT was advertised as an Android application that could be used to take control of smartphones from a computer. The advertisement contained links to the Sandroid app on Google Play.

SandroRAT was analyzed by researchers at McAfee in August when it had been distributed via spam emails as a Kaspersky mobile security application. At the time, attackers targeted banking users in Poland.

According to Symantec, DroidJack (detected by the company as Android.Sandorat) is the latest version of the RAT. It was announced on June 27, 2014 on the same hacker forum and by the same individual who offered to sell SandroRAT. DroidJack is sold on its own website for $210, the cost of a lifetime package.

Researchers have analyzed the connection between DroidJack, SandroRAT and the Sandroid application and traced back their developers to India.

“If the author or authors of DroidJack meant to cover up their tracks, they have not done a good job.  Some simple investigations lead back to the names and telephone numbers of several individuals initially involved in the creation of Sandroid, supposedly based out of Chennai in India,” Symantec’s Peter Coogan wrote in a blog post.

Another piece of evidence that points to the developers of DroidJack being located in India is a promotional video which shows the RAT’s GPS locator function showing a place in this particular country. However, experts have pointed out that it’s uncertain if all the developers of Sandroid are involved in the creation of the malware.

DroidJack is a sophisticated RAT that works without needing root access, and it can be packaged with any legitimate game or application. The tool can be utilized to harvest details on the compromised device, install APKs, copy files to a computer, view messages, listen in on phone calls, list contacts, record audio and video via the microphone and camera, and get the phone’s GPS location.

The developers of DroidJack have included a disclaimer on their website claiming that they do not encourage the use of the application for illegitimate purposes, but this tactic doesn’t really work.

In September, U.S. authorities indicted a Pakistani national for commercializing StealthGenie, a spy application. StealthGenie was initially marketed as a spying application for catching cheating spouses, but its creators later started advertising it as a tool for parental control and employee monitoring, claiming that users need to obtain written permission from the targeted individual.

Law enforcement agencies from all over the world are involved in operations targeting RATs. In May, 100 people were arrested as part of global raids targeting users of the BlackShades RAT.

“If the authors of DroidJack are truly based out of India, cyber law in India indicates that the creation of such software would be seen as an offense,” Coogan noted.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.