
Multi-Platform RAT OmniRAT Used to Hijack Devices

Researchers at Avast have conducted a brief analysis of OmniRAT, a multi-platform remote administration tool (RAT) that has been used for malicious purposes.


OmniRAT is openly promoted as a remote administration tool that works on devices running Android, Windows, Linux and Mac OS X. OmniRAT servers and clients are currently sold for $25 and $50, a price that includes a lifetime license and lifetime support.

The tool, which is allegedly made in Germany, is not advertised for malicious purposes, but experts from Avast have seen it being distributed and used by cybercriminals as a remote access Trojan.

In an attack described on a German tech forum, a user reported that his Android device became infected with what Avast researchers determined to be OmniRAT. In a blog post published on Thursday, Avast mobile malware analyst Nikolaos Chrysaidos revealed that the threat has been distributed via social engineering.

In the case of the German user, the attackers sent him an SMS claiming that he had received an MMS that could not be sent directly because of the Android StageFright vulnerability. Experts had previously warned that exploits for that vulnerability could be delivered via MMS.

The malicious SMS contained a shortened link pointing to a website where the victim was instructed to enter a code and their phone number. Once the code and the number were entered, the victim was served an APK that, when installed, added an icon labeled “MMS Retrieve” to the device. The OmniRAT installation process began when this icon was tapped.

Chrysaidos has pointed out that in such cases the malware is not installed automatically, but instead the victim has to manually install it and accept a long list of permissions that it requests.

“The victim then has no idea their device is being controlled by someone else and that every move they make on the device is being recorded and sent back to a foreign server,” Chrysaidos said. “Furthermore, once cybercriminals have control over a device’s contact list, they can easily spread the malware to more people. Inside this variant of OmniRat, there is a function to send multiple SMS messages. What makes this especially dangerous is that the SMS spread via OmniRat from the infected device will appear to be from a known and trusted contact of the recipients, making them more likely to follow the link and infect their own device.”

In the case of the German user who reported the OmniRAT attack, the data collected from the infected device was sent back to a command and control (C&C) server in Russia.


OmniRAT is similar to DroidJack, a RAT that was initially developed as a legitimate application for remotely controlling Android devices, but was later turned by its creators into a crimeware tool. Symantec reported in November 2014 that it had traced the developers of DroidJack, whose retail price is $210, to India.

Last month, authorities in five European countries launched an operation against people who had acquired and used DroidJack to spy on others.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
