DroidJack RAT: A tale of how budding entrepreneurism can turn to cybercrime

See how Android.Sandorat, a multi-featured mobile crimeware tool, began life as a legitimate Android app.
Twitter カードのスタイル: 
summary

Small-scale mobile app software entrepreneurship has been described as the cottage industry of the 21st century. It allows talented software developers to apply their skills to create new and innovative mobile apps, with the hope of becoming the next big thing and, perhaps, even attaining the trappings of wealth associated with success. However, with over 1 million apps available for download on the Google Play Store, for every success story there are countless apps that fail to deliver.

While I was researching a new Android remote administration tool (RAT) known as DroidJack (detected by Symantec as Android.Sandorat), it soon became apparent that its authors had actually started off as Android app developers. In their own words, they were “budding entrepreneurs trying to develop and apply skills that we have gained.” With limited success of their legitimate app on the Google Play Store, they soon turned their skills to creating and selling an Android crimeware tool, known as SandroRAT, on a hacker forum. In August 2014, this same tool was reported in the media to have been used in cybercriminal activity targeting Polish banking users through a phishing email. This tool has since evolved into DroidJack RAT and is now being openly sold on its own website at a cost of US$210 for a lifetime package.

Fig1DJ.png
Figure 1. DroidJack website logo

Evolution
On April 26, 2013, the Sandroid RAT was released on the Google Play Store. The authors described the app as being a free tool that lets users control their PC without advertisements.

Fig2_0.png
Figure 2. DroidJack website logo

On December 29, 2013, there was an announcement on a hacker forum of a new project called SandroRAT. The forum poster linked the project back to the Sandroid app available on the Google Play Store, referring to SandroRAT as being a kind of “vice-versa” to the Sandroid app, while also commenting on how it remains hidden on the phone.  

Fig3.png
Figure 3. SandroRAT control panel

On June 27, 2014, there was an announcement from the same poster on the same hacker forum of a next-generation Android RAT, known as DroidJack.

Fig4.png
Figure 4. DroidJack control panel

Capabilities
DroidJack has similar features to other Android RATs, such as AndroRAT and Dendroid. Some of the more than 50 features on offer include the following:

  • No root access required
  • Bind the DroidJack server APK with any other game or app
  • Install any APK and update server
  • Copy files from device to computer
  • View all messages on the device
  • Listen to call conversations made on the device
  • List all the contacts on the device
  • Listen live or record audio from the device's microphone
  • Gain control of the camera on the device
  • Get IMEI number, Wi-Fi MAC address, and cellphone carrier details
  • Get the device’s last GPS location check in and show it in Google Maps

Fig5.png
Figure 5.  Screenshot from DroidJack marketing video, which shows GPS pinpointer location feature using Google Maps

Legality
Law enforcement is getting more aggressive in its stance against the creation and use of RATs. In May 2014, the FBI, Europol, and several other law enforcement agencies arrested dozens of individuals suspected of cybercriminal activity centered on Blackshades (detected as W32.Shadesrat), a RAT for personal computers that was sold on a dedicated website. Moreover, the recent arrest and indictment of a man in Los Angeles for allegedly conspiring to advertise and sell StealthGenie (Android.Stealthgenie), a mobile application similar to DroidJack, shows that law enforcement is continuing its campaign against any technology designed to invade an individual’s privacy.

In an attempt to distance themselves from any responsibility for illegal activity, the authors of DroidJack have included a disclaimer in their marketing material.  Similar disclaimers have been used in the past by other malware authors, such as the Mariposa botnet author, who unsuccessfully claimed on his website that the software was only for educational purposes. Whether the authors of DroidJack truly believe that this disclaimer absolves them of any responsibility is irrelevant, as naivete is not a defense in law.

Fig6.png
Figure 6. Disclaimer used in DroidJack marketing

Attribution
If the author or authors of DroidJack meant to cover up their tracks, they have not done a good job.  Some simple investigations lead back to the names and telephone numbers of several individuals initially involved in the creation of Sandroid, supposedly based out of Chennai in India. However, whether all of the initial developers are still involved in the creation of DroidJack is not clear. Their marketing video for DroidJack also clearly shows the GPS pinpointer locator function homing in on a location in India. If the authors of DroidJack are truly based out of India, cyber law in India indicates that the creation of such software would be seen as an offense.

Protection summary
Symantec offers the following protection against DroidJack.

Antivirus