A newly discovered variant of the AndroRAT off-the-shelf mobile malware can inject root exploits to perform malicious tasks, Trend Micro reports.
The updated malware version targets CVE-2015-1805, a publicly disclosed vulnerability that can be abused to achieve privilege escalation on older Android devices. By injecting root exploits, the threat can perform silent installation, shell command execution, WiFi password collection, and screen capture, security researchers have discovered.
First observed in 2012, AndroRAT was initially a university project, designed as an open-source client/server application to offer remote control of a device. It didn’t take long for cybercriminals to find the tool appealing and start using it in attacks.
The same as other Remote Access Tools (RATs), the malware gains root access in order to take control over the target system.
The newly observed version of the tool masquerades as a utility app called TrashCleaner, which the researchers believe is delivered from a malicious URL. When first executed, TrashCleaner prompts the user to install a Chinese-labeled calculator app, hides its icon from the device’s UI, and activates the RAT in the background.
“The configurable RAT service is controlled by a remote server, which could mean that commands may be issued to trigger different actions. The variant activates the embedded root exploit when executing privileged actions,” Trend Micro notes.
The malware can perform a broad range of actions previously observed in the original AndroRAT, including audio recording, photo taking, and system information theft (phone model, number, IMEI, etc.). It also steals WiFi names, call logs, mobile network cell location, GPS location, contacts, files on the device, list of running apps, and SMS messages, while keeping an eye on all incoming and outgoing SMS.
The threat is also capable of obtaining mobile network information, storage capacity, root status, list of installed applications, web browsing history from pre-installed browsers, and calendar events. Additionally, it can record calls, upload files to the device, capture photos using the front camera, delete and send forged SMS messages, take screenshots, execute shell commands, steal WiFi passwords, and silently enable accessibility services for a keylogger.
While the targeted vulnerability (CVE-2015-1805) was patched in early 2016, devices that are no longer updated regularly continue to be exposed to this new AndroRAT variant.
To avoid being targeted by the threat, users should avoid downloading and installing applications from third-party app stores. Installing the latest security updates and keeping all applications on the device updated at all times should also reduce the risk of being affected, the security researchers point out.