Sneaky Android RAT disables required anti-virus apps to steal banking info

HijackRAT disables required anti-virus apps in order to manipulate bank apps without detection.

Researchers with FireEye have identified HijackRAT, a crafty remote access trojan (RAT) for mobile devices running the Android operating system that can steal banking information by disabling anti-virus applications, among other things.

HijackRAT's package name is “com.ll,” and on a compromised device it appears with a generic Android icon named “Google Service Framework,” according to a Tuesday post by Jinjian Zhai and Jimmy Su, researchers with FireEye.

“Once activated, the [option to uninstall] is disabled and a new service named ‘GS’ is started,” according to the post. “The icon will show ‘App isn't installed.’ when the user tries to click it again and removes itself from the home screen.”

HijackRAT quickly goes to work connecting to the command-and-control server and pulling up a task list, according to the post, which explains that the first action taken is grabbing sensitive information from the device, including phone number, device ID, and contact lists.

Although the command-and-control server was traced back to Hong Kong, it is likely a victim's system controlled by the RAT, according to the post. Evidence in the user interface suggests that the developers are Korean and the victims are Korean, as well.

The malware specifically targets eight Korean banking applications, all of which require a well-known anti-virus application, available on the Google Play store, known as “V3 Mobile Plus,” according to the post.

HijackRAT is designed to disable that anti-virus application so that it can push, without being detected, what appears to be an update to the targeted bank application, according to the post. Following through on the update causes the real bank app to be uninstalled and a new, fake app to be downloaded.

Although it only targets Korean banks now, HijackRAT can easily be updated to target other financial institutions, according to the post, which adds that the malware – also capable of sending and stealing SMS messages – contains an unfinished framework to enhance its bank-targeting features.

Command-and-control and botnet behaviors, malicious apps masquerading as system apps, and the boxing out of anti-virus programs are signs that desktop attack techniques are segueing into the mobile arena, Domingo Guerra, founder and president of Appthority, told SCMagazine.com in a Thursday email correspondence.

“It seems the app isn't available in the wild yet and is more of a proof of concept – or work in progress – by a malicious app developer targeting Korean banks,” Guerra said. “But it shows criminals are catching up to the latest security protocols and have their sights on where the money is for mobile: banking apps.”

Removing HijackRAT requires users to deactivate its administrative privileges in the settings menu, according to the post. FireEye could not immediately respond to an SCMagazine.com request for comment.
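As an added example (not code from the FireEye post or from SC Magazine), here is a small Python triage check for the install pattern described above and in the removal note: an app whose label imitates a genuine system component, holds device-administrator rights (which is what disables the uninstall option), and has hidden its launcher icon. The genuine package name com.google.android.gsf, the similarity threshold and the app inventory are assumptions, not data from the article.

```python
import difflib
from dataclasses import dataclass

# Genuine system component whose name HijackRAT imitates. Assumption: the real
# package is com.google.android.gsf, labelled "Google Services Framework".
KNOWN_SYSTEM_LABELS = {"google services framework": "com.google.android.gsf"}

@dataclass
class InstalledApp:
    package: str
    label: str
    device_admin: bool   # holds an active device-administrator policy
    launcher_icon: bool  # icon still visible on the home screen

def normalize(label: str) -> str:
    return " ".join(label.lower().split())

def imitated_package(label: str, threshold: float = 0.85):
    """Return the genuine package whose label this one imitates, else None."""
    n = normalize(label)
    for known, pkg in KNOWN_SYSTEM_LABELS.items():
        if difflib.SequenceMatcher(None, n, known).ratio() >= threshold:
            return pkg
    return None

def triage(apps):
    """Flag apps showing the HijackRAT install pattern; returns (pkg, reasons)."""
    findings = []
    for app in apps:
        genuine = imitated_package(app.label)
        if genuine is None or app.package == genuine:
            continue  # no lookalike label, or it is the real system app
        reasons = [f"label imitates system app {genuine}"]
        if app.device_admin:
            reasons.append("device-admin rights active (uninstall option disabled)")
        if not app.launcher_icon:
            reasons.append("launcher icon removed after first launch")
        findings.append((app.package, reasons))
    return findings

# Constructed inventory for demonstration, not captured from a real device.
SAMPLE_INVENTORY = [
    InstalledApp("com.google.android.gsf", "Google Services Framework", False, False),
    InstalledApp("com.google.android.gms", "Google Play services", False, False),
    InstalledApp("com.ll", "Google Service Framework", True, False),
    InstalledApp("com.example.calculator", "Calculator", False, True),
]

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_INVENTORY):
        print(pkg, "->", "; ".join(reasons))
```

On a real device the inventory would be built from package-manager and device-policy data; the genuine Google app is skipped because its package matches the one it is expected to carry.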
