Android malware SandroRAT disguised as mobile security app
Over the weekend, Carlos Castillo, a mobile malware researcher at McAfee, detailed a new variant of the remote access trojan (RAT) AndroRAT in a blog post. The latest iteration, called “SandroRAT,” appeared after the AndroRAT source code was put up for sale last year, he said.
SandroRAT is capable of carrying out a long list of malicious actions, including stealing SMS messages, contact lists, call logs, browser history (including banking credentials), and GPS location data stored in Android devices. The threat can also record nearby sounds using the device's mic and store the data in an “adaptive multi-rate file on the SD card to later send to a remote server,” Castillo revealed.
The malware variant was seen targeting users in Poland and was delivered via phishing emails, which supposedly contained a free Kaspersky mobile security app, he added.
“The body of the message states that the bank is providing the attached free mobile security application to detect malware that steals SMS codes (mTANs) for authorizing electronic transactions,” Castillo wrote. “However, the attached application is in fact a version of the Android RAT SandroRAT, which was announced at the end of the last year in the hacking community HackForums. The RAT and its source code are for sale, making it accessible to everyone to create a custom version of this threat,” he warned.
Castillo also noted that the SandroRAT variant was capable of decrypting WhatsApp chats of any victims not running the latest version of the mobile messaging app.
“This decryption routine will not work with WhatsApp chats encrypted by the latest version of the application because the encryption scheme (crypt7) has been updated to make it stronger (using a unique server salt),” Castillo explained. “WhatsApp users should update the app to the latest version,” he advised.
In a Monday interview with SCMagazine.com, Alex Hinchliffe, mobile malware research and operations manager at McAfee, said that SandroRAT could be built as a standalone application. Saboteurs could also inject legitimate apps with the malware, and in doing so, leave users none the wiser to the threat since other functions of their applications would likely be intact, he explained.
“With a trojanized application, it looks and feels just like the [legitimate] application, and it probably has the same kind of functionality,” Hinchliffe said. Malware developers “will have to [digitally] resign the app when they do that – and if they were to try to push this in the Google Play store, for instance, they'd have a lot more trouble – but that's why they try to attach it to a phishing email.”
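Hinchliffe's point that a trojanized APK has to be re-signed gives defenders a concrete check: the signing certificate of a repackaged app cannot match the genuine publisher's. The Python below is an added example, not code from the article or from McAfee. It reads the v1 (JAR-style) signature block from `META-INF/*.RSA` inside an APK with a minimal DER walker, extracts the first certificate from the PKCS#7 SignedData structure, and compares its SHA-256 fingerprint with an expected value (the same digest `apksigner verify --print-certs` reports). The certificate used for the self-test is a constructed stand-in, not a real X.509 certificate, and `build_sample_apk` fabricates an in-memory APK; real APKs signed only with the v2/v3 scheme keep their signing block outside the ZIP entries and need `apksigner` instead.

```python
import hashlib
import io
import zipfile
from typing import Iterator, Optional, Tuple

# --- minimal DER helpers -----------------------------------------------------

def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, bytes, int]:
    """Parse the TLV at pos; return (tag, value, raw TLV bytes, next position)."""
    start = pos
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                       # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], buf[start:end], end


def _children(value: bytes) -> Iterator[Tuple[int, bytes, bytes]]:
    """Iterate over the TLVs contained in a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, raw, pos = _read_tlv(value, pos)
        yield tag, inner, raw


# --- PKCS#7 SignedData: pull out the signer certificate -----------------------

def signer_cert_der(pkcs7: bytes) -> Optional[bytes]:
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData blob.

    Layout walked: ContentInfo SEQUENCE { OID, [0] EXPLICIT SignedData SEQUENCE {
    version, digestAlgorithms, contentInfo, [0] IMPLICIT certificates, ... } }.
    """
    try:
        tag, content_info, _, _ = _read_tlv(pkcs7, 0)
        if tag != 0x30:
            return None
        for tag, value, _ in _children(content_info):
            if tag != 0xA0:                 # [0] EXPLICIT content
                continue
            sd_tag, signed_data, _, _ = _read_tlv(value, 0)
            if sd_tag != 0x30:
                return None
            for t, inner, _ in _children(signed_data):
                if t == 0xA0:               # [0] IMPLICIT certificates
                    for ct, _, raw in _children(inner):
                        if ct == 0x30:      # Certificate ::= SEQUENCE
                            return raw
    except (IndexError, ValueError):
        return None
    return None


def apk_signer_fingerprint(apk_bytes: bytes) -> Optional[str]:
    """SHA-256 hex digest of the v1 signer certificate, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                cert = signer_cert_der(z.read(name))
                if cert is not None:
                    return hashlib.sha256(cert).hexdigest()
    return None


def signer_matches(apk_bytes: bytes, expected_fingerprint: str) -> bool:
    """True only when the APK carries a signer cert with the expected digest."""
    fingerprint = apk_signer_fingerprint(apk_bytes)
    return fingerprint is not None and fingerprint == expected_fingerprint.lower()


# --- constructed sample data (stand-ins, not real certificates or apps) -------

OID_SIGNED_DATA = bytes.fromhex("2A864886F70D010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2A864886F70D010701")          # 1.2.840.113549.1.7.1


def sample_cert(label: str) -> bytes:
    """A SEQUENCE wrapping a PrintableString: a placeholder for an X.509 cert."""
    return _der(0x30, _der(0x13, label.encode("ascii")))


def build_sample_pkcs7(cert_der: bytes) -> bytes:
    """Constructed SignedData carrying one certificate and no signer infos."""
    signed_data = _der(0x30,
                       _der(0x02, b"\x01")                      # version
                       + _der(0x31, b"")                        # digestAlgorithms
                       + _der(0x30, _der(0x06, OID_DATA))       # contentInfo
                       + _der(0xA0, cert_der)                   # certificates
                       + _der(0x31, b""))                       # signerInfos
    return _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, signed_data))


def build_sample_apk(pkcs7: bytes) -> bytes:
    """In-memory ZIP with the two entries this check cares about."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


if __name__ == "__main__":
    genuine = build_sample_apk(build_sample_pkcs7(sample_cert("vendor publisher")))
    repackaged = build_sample_apk(build_sample_pkcs7(sample_cert("unknown resigner")))
    known_good = apk_signer_fingerprint(genuine)
    print("genuine matches:   ", signer_matches(genuine, known_good))
    print("repackaged matches:", signer_matches(repackaged, known_good))
```

The pinned fingerprint should come from a copy of the app obtained through the vendor's own channel, never from the attachment being checked; an attachment whose signer digest differs from that pin is exactly the re-signed case Hinchliffe describes, whatever the app's UI looks like.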