Remote Access Tool Takes Aim with Android APK Binder

In a previous blog, we talked about the rise of remote access tools (RATs) written in Java that are capable of running on multiple operating systems. With the growing popularity of the Android operating system, it comes as no surprise that Android is the latest target and is not immune to RATs. Since late last year, underground forums have been offering a free Android RAT known as AndroRAT (Android.Dandro). Now, unsurprisingly, the underground economy that caters to cybercriminals has produced the first tools (called "binders") that let users repackage and Trojanize legitimate Android applications with AndroRAT.

figure1.png

Figure 1. A "binder" tool being sold on underground forums, advertised as the first binder ever

Back in November 2012, an open source RAT for Android named AndroRAT was published and made accessible to everyone on the Internet. Like other RATs, it allows a remote attacker to control the infected device from a user-friendly control panel. For example, when running on a device, AndroRAT can monitor and place phone calls, monitor and send SMS messages, obtain the device's GPS coordinates, activate and use the camera and microphone, and access files stored on the device.

figure2_HL.png

Figure 2. AndroRAT's control panel

The RAT comes in the form of an APK, which is the standard application package format for Android. Used in conjunction with the AndroRAT APK binder, it allows an attacker with limited expertise to automate the process of injecting AndroRAT into any legitimate Android application, thus Trojanizing the app. When the Trojanized version of the legitimate app is installed on the device, the user unsuspectingly installs AndroRAT alongside the legitimate app they intended to install. This allows the attacker to circumvent elements of the Android security model through deception: the repackaged app carries the RAT's permissions and components under the legitimate app's name, so the user grants them believing they belong to the app they chose. To date, Symantec has counted 23 cases of popular legitimate apps being Trojanized in the wild with AndroRAT.
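A practical way to triage a suspected repackaged app is to diff its decoded manifest against a known-good copy: a binder has to add the RAT's permissions and its own components (services, receivers) to the host app's manifest, while keeping the package name so the app still looks like the original. The script below is an added example written for this post, not code from Symantec, from the binder, or from AndroRAT. It works on AndroidManifest.xml in the text form that `apktool d` produces when decoding an APK (the binary manifest inside a raw APK must be decoded first). The two manifests embedded in it are constructed for illustration; the package and component names in them are invented and do not refer to any real app, and the permission-to-capability table is an assumption that maps the capabilities listed above for AndroRAT onto the Android permissions that grant them.

```python
"""Compare a trusted decoded AndroidManifest.xml with a suspect copy and report
what a repackaging tool added. Added example; not the post's or AndroRAT's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # ElementTree key for the android:name attribute

# Assumed mapping: permissions that give a remote operator the capabilities the
# post attributes to AndroRAT (calls, SMS, location, camera, microphone, files).
RAT_CAPABILITIES = {
    "android.permission.INTERNET": "network access (control channel)",
    "android.permission.CALL_PHONE": "make phone calls",
    "android.permission.READ_PHONE_STATE": "monitor phone calls",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.ACCESS_FINE_LOCATION": "GPS coordinates",
    "android.permission.CAMERA": "use camera",
    "android.permission.RECORD_AUDIO": "use microphone",
    "android.permission.WRITE_EXTERNAL_STORAGE": "access stored files",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
}

# Constructed sample: the store copy of an invented flashlight app.
TRUSTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight">
        <activity android:name="com.example.flashlight.MainActivity"/>
    </application>
</manifest>"""

# Constructed sample: the same package name, but with a RAT's permissions and
# components spliced in the way a binder would do it.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flashlight">
        <activity android:name="com.example.flashlight.MainActivity"/>
        <service android:name="com.example.hidden.ControlService"/>
        <receiver android:name="com.example.hidden.BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""


def parse_manifest(xml_text):
    """Extract package name, requested permissions and declared components."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    components = set()
    app = root.find("application")
    if app is not None:
        for tag in ("activity", "service", "receiver", "provider"):
            for e in app.iter(tag):
                components.add((tag, e.get(NAME_ATTR)))
    return {"package": root.get("package"), "permissions": perms, "components": components}


def compare(trusted_xml, suspect_xml):
    """Report what the suspect manifest requests or declares beyond the trusted one."""
    trusted = parse_manifest(trusted_xml)
    suspect = parse_manifest(suspect_xml)
    added_perms = suspect["permissions"] - trusted["permissions"]
    added_components = suspect["components"] - trusted["components"]
    capabilities = sorted(RAT_CAPABILITIES[p] for p in added_perms if p in RAT_CAPABILITIES)
    same_package = suspect["package"] == trusted["package"]
    # Repackaging signature: same package name, but new executable components
    # plus new permissions that give remote-control capabilities.
    suspicious = same_package and bool(added_components) and bool(capabilities)
    return {
        "same_package": same_package,
        "added_permissions": sorted(added_perms),
        "added_components": sorted(added_components),
        "rat_capabilities": capabilities,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    report = compare(TRUSTED_MANIFEST, SUSPECT_MANIFEST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Note that the permission the original app legitimately needs (CAMERA for the flashlight) is not flagged, only the delta is. A second independent check is the signing certificate: a rebuilt APK cannot carry the original developer's signature, so running `apksigner verify --print-certs` (from the Android SDK build tools) on both copies will show different certificate digests for the repackaged one.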

Subsequently, we have also spotted a commercial Java RAT named Adwind (Backdoor.Adwind) that already supports multiple operating systems and appears to be in the process of incorporating an Android module based on the AndroRAT open source code. Again, this RAT features a graphical user interface that allows attackers to manage and control infected machines remotely.

figure3LOB.png

Figure 3. Adwind main control panel

A demonstration video showing Adwind working with Android also shows AndroRAT present on the infected phone, suggesting that the authors of Adwind may be customizing the AndroRAT tool to incorporate it into Adwind. This development comes as no surprise: because the AndroRAT code is open source, it can easily be customized into new threats and tools.

figure4_HL_600pxw.png

Figure 4. Screenshot of the Adwind video showing AndroRAT's presence on the infected device

At present, Symantec telemetry shows only a few hundred infections of Android.Dandro worldwide, with the United States and Turkey being the most affected countries. However, the telemetry shows infection numbers rising recently, which we expect to continue as both the availability and the sophistication of tools built around AndroRAT increase.

figure5LOB.png

Figure 5. Heat map of infections

The move of remote access tools onto the Android platform had been predicted. While AndroRAT does not yet show a particularly high level of sophistication, the open source nature of its code and its growing popularity give it the potential to evolve into a more serious threat.

We recommend installing a security app, such as Norton Mobile Security, which detects this threat as Android.Dandro. For general safety tips for smartphones and tablets, please visit our Mobile Security website.