xRAT Mobile Malware Emerges

A recently discovered mobile remote access Trojan includes extensive data collection capabilities and is associated with known mobile and Windows-targeting threats, Lookout security researchers warn.

Dubbed xRAT, the malware appears to have evolved from the high-profile Xsser / mRAT malware that made headlines in late 2014. The newly discovered mobile threat has a code structure almost identical to that of the mRAT family, uses the same decryption key, and shares heuristics and naming conventions that suggest the same actor developed both.

Furthermore, the command and control (C&C) servers for the new mobile threat are also linked to Windows malware, suggesting that an experienced crime group is operating it. Earlier this year, security researchers reported on QuasarRAT, a free and open source remote access tool (RAT) that evolved from the xRAT Windows malware.

The xRAT mobile Trojan, the security researchers say, appears to specifically target political groups and includes capabilities ranging from reconnaissance and information gathering, to detection evasion, antivirus checks, and app and file deletion functionality. The malware also gathers data from communications apps like QQ and WeChat and allows its operators to remotely control much of its functionality in real time.

On Android devices, the malware can exfiltrate browser history, device metadata, text messages, contacts, call logs, QQ and WeChat data, Wi-Fi access point information, email database and username / passwords, geolocation, list of installed apps, and SIM card information.

It can also provide the remote attacker with a shell, download or delete attacker-specified files, enable airplane mode, list all files and directories on external storage or the contents of specified directories, retrieve files of an attacker-specified type, search external storage, upload files to the C&C server, make phone calls, record audio, execute commands as the root user, and download a trojanized version of QQ.

To avoid detection, xRAT includes a function to terminate itself and clean out its installation directory before uninstalling itself. The malware checks for specific antivirus applications, alerting the operators if they are present on a compromised device.

The threat also includes a robust file deletion module that can remove “large portions of a device or attacker-specified files,” including images and audio files from certain directories on the SD card, specific input method editors (IMEs), and messaging apps. It can also wipe a device by deleting all files from the SD card, all apps and data from /data/data/, and all system apps from /system/app/. Because that last step requires write access to the system partition, it depends on the root-level command execution described above.

Most of the C&C servers used by xRAT in the past were based in China, while recent samples revealed attacker infrastructure in the United States as well. The infrastructure has Windows malware associated with it, including a malicious executable named MyExam, which Lookout says is an indication that “the actors behind this family may be continuing to target students, similar to how attackers used mRAT during the protests in 2014.”

Related: Gaza Cybergang Uses QuasarRAT to Target Governments

Related: Chinese Government Suspected of Using iOS, Android RATs Against Protesters

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
