Developers of Android RAT DroidJack Traced to India

The creators of the Android remote administration tool (RAT) called DroidJack started off as legitimate application developers, but when they realized that their products were not as successful as they had hoped, they turned to developing a crimeware tool.

Researchers at Symantec have been monitoring the evolution of the threat, which was first released in April 2013 on Google Play as Sandroid, a legitimate application for controlling PCs from an Android smartphone.

In late December 2013, someone announced the availability of SandroRAT on a hacker forum. SandroRAT was advertised as an Android application that could be used to take control of smartphones from a computer. The advertisement contained links to the Sandroid app on Google Play.

SandroRAT was analyzed by researchers at McAfee in August, when it was being distributed via spam emails while posing as a Kaspersky mobile security application. At the time, the attackers targeted banking users in Poland.

According to Symantec, DroidJack (detected by the company as Android.Sandorat) is the latest version of the RAT. It was announced on June 27, 2014 on the same hacker forum and by the same individual who offered to sell SandroRAT. DroidJack is sold on its own website for $210, the cost of a lifetime package.

Researchers have analyzed the connection between DroidJack, SandroRAT and the Sandroid application and traced back their developers to India.

“If the author or authors of DroidJack meant to cover up their tracks, they have not done a good job. Some simple investigations lead back to the names and telephone numbers of several individuals initially involved in the creation of Sandroid, supposedly based out of Chennai in India,” Symantec’s Peter Coogan wrote in a blog post.

Another piece of evidence pointing to the developers of DroidJack being located in India is a promotional video in which the RAT’s GPS locator function displays a location in that country. However, experts have pointed out that it is uncertain whether all the developers of Sandroid are involved in the creation of the malware.

DroidJack is a sophisticated RAT that works without needing root access, and it can be packaged with any legitimate game or application. The tool can be utilized to harvest details on the compromised device, install APKs, copy files to a computer, view messages, listen in on phone calls, list contacts, record audio and video via the microphone and camera, and get the phone’s GPS location.

The developers of DroidJack have included a disclaimer on their website claiming that they do not encourage the use of the application for illegitimate purposes, but such disclaimers offer little real protection.

In September, U.S. authorities indicted a Pakistani national for commercializing StealthGenie, a spy application. StealthGenie was initially marketed as a spying application for catching cheating spouses, but its creators later started advertising it as a tool for parental control and employee monitoring, claiming that users need to obtain written permission from the targeted individual.

Law enforcement agencies from all over the world are involved in operations targeting RATs. In May, 100 people were arrested as part of global raids targeting users of the BlackShades RAT.

“If the authors of DroidJack are truly based out of India, cyber law in India indicates that the creation of such software would be seen as an offense,” Coogan noted.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
