Sneaky Android RAT disables required anti-virus apps to steal banking info

HijackRAT disables required anti-virus apps in order to manipulate bank apps without detection.

Researchers with FireEye have identified HijackRAT, a crafty remote access trojan (RAT) for mobile devices running the Android operating system that can steal banking information by disabling anti-virus applications, among other things.

The HijackRAT package name is “com.ll” and appears on a compromised device with a generic Android icon named “Google Service Framework,” according to a Tuesday post by Jinjian Zhai and Jimmy Su, researchers with FireEye.

“Once activated, the [option to uninstall] is disabled and a new service named ‘GS’ is started,” according to the post. “The icon will show ‘App isn't installed.’ when the user tries to click it again and removes itself from the home screen.”

HijackRAT quickly goes to work connecting to the command-and-control server and pulling up a task list, according to the post, which explains that the first action taken is grabbing sensitive information from the device, including phone number, device ID, and contact lists.

Although the command-and-control server was traced back to Hong Kong, it is likely a victim's system controlled by the RAT, according to the post. Evidence in the user interface suggests that the developers are Korean and the victims are Korean, as well.

The malware specifically targets eight Korean banking applications, all of which require a well-known anti-virus application, available on the Google Play store, known as “V3 Mobile Plus,” according to the post.

HijackRAT is designed to disable that anti-virus application so that it can, without detection, push what appears to be an update to the targeted bank application, according to the post. Following through on the update causes the real bank app to uninstall and a new, fake app to download.

Although it only targets Korean banks now, HijackRAT can easily be updated to target other financial institutions, according to the post, which adds that the malware – also capable of sending and stealing SMS messages – contains an unfinished framework to enhance its bank-targeting features.

Command-and-control and botnet behaviors, malicious apps masquerading as system apps, and the boxing out of anti-virus programs are signs that desktop attack techniques are segueing into the mobile arena, Domingo Guerra, founder and president of Appthority, told SCMagazine.com in a Thursday email correspondence.

“It seems the app isn't available in the wild yet and is more of a proof of concept – or work in progress – by a malicious app developer targeting Korean banks,” Guerra said. “But it shows criminals are catching up to the latest security protocols and have their sights on where the money is for mobile: banking apps.”

Removing HijackRAT requires users to deactivate its administrative privileges in the settings menu, according to the post. FireEye could not immediately respond to an SCMagazine.com request for comment.
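As an added example (not code from the FireEye post or this article), the following Python check looks for the two indicators reported above on a device image: the “com.ll” package being installed and holding the device-admin rights that must be revoked before removal. The `pm list packages` and `dumpsys device_policy` samples are constructed, and the `dumpsys` layout is an assumption, since it varies across Android versions.

```python
import re

# Indicators the article reports for HijackRAT: package name "com.ll" and
# device-admin rights that must be revoked before the app can be removed.
HIJACKRAT_PACKAGE = "com.ll"

# Constructed sample of `adb shell pm list packages` output, which prints one
# "package:<name>" line per installed package.
SAMPLE_PM_LIST = """package:com.android.chrome
package:com.ll
package:com.google.android.gsf
"""

# Constructed sample modelled on `adb shell dumpsys device_policy`. The exact
# layout varies across Android versions, so this format is an assumption.
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    com.ll/.GS:
      uid=10087
      policies:
        force-lock
        wipe-data
"""

def installed_packages(pm_output):
    """Package names parsed from `pm list packages` output."""
    return {line[len("package:"):].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def enabled_device_admins(dumpsys_output):
    """Package names that own an enabled device-admin component (<pkg>/<receiver>:)."""
    return {m.group(1) for m in
            re.finditer(r"^[ \t]+([\w.]+)/\S+:[ \t]*$", dumpsys_output, re.M)}

def assess(pm_output, dumpsys_output):
    """Return a list of findings; an empty list means no HijackRAT indicator was seen."""
    findings = []
    if HIJACKRAT_PACKAGE in installed_packages(pm_output):
        findings.append(f"{HIJACKRAT_PACKAGE} is installed")
        if HIJACKRAT_PACKAGE in enabled_device_admins(dumpsys_output):
            findings.append(f"{HIJACKRAT_PACKAGE} is an active device admin; "
                            "deactivate it under Settings before uninstalling")
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_PM_LIST, SAMPLE_DEVICE_POLICY):
        print(finding)
```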
