The trojan is capable of activating the device's microphone, uninstalling antivirus software, copying files to the hacker's server, recording screen captures, viewing contacts, reading SMS messages, and remotely controlling the device, according to a Jan. 23 blog post. The malware is also capable of collecting location data.
Once installed, the malware displays the same logo as the real Netflix app and uses what researchers described as an unusual trick to ensure that it remains up and running. The trojan uses the services feature to perform long-running tasks in the background without a user interface, and broadcast receivers to register and activate components of the Android platform, ensuring the malware is always in effect.
The RAT was designed to function only over Wi-Fi, which researchers said is the preferable mode for Android malware to send files to the command and control server.
“There were two interesting sub-classes found inside Main Activity: Receiver and Sender,” the blog said. “Receiver was involved in receiving commands from the Server and the main functionality of Sender was to send all the data collected to the C&C over Wi-Fi.”
Researchers noted that the creator of the malware was developing fake versions of WhatsApp, YouTube Video Downloader, Google Update, Instagram, Hack WiFi, AirDroid, WifiHacker, Facebook, Photoshop, SkyTV, Hotstar, Trump Dash, and Pokemon Go.
“Users should install apps from official stores only and avoid clicking any unknown links promising direct app downloads,” Zscaler Senior Director of Security Research and Operations Deepen Desai told SC Media. “They should avoid the urge to download or install apps which are not yet officially launched for the Android platform.”
Desai said attackers may use stolen data to launch subsequent targeted attacks or sell the harvested data on the underground market, and that researchers are currently unable to attribute the malware to a specific threat actor or group.
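As an added illustration (not code from the article or from the researchers' blog), the sketch below triages a decoded, text-form AndroidManifest.xml for the traits described above: a well-known brand label on a package that is not the official one, permissions behind the listed capabilities, and service and broadcast-receiver declarations. The sample manifest is constructed, and the permission mapping and the boot-completed receiver check are assumptions of this example; the official package name is supplied by the caller.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Permissions behind capabilities the article lists (mapping is this example's assumption).
CAPABILITY_PERMS = {
    "android.permission.RECORD_AUDIO": "microphone activation",
    "android.permission.READ_SMS": "reading SMS messages",
    "android.permission.READ_CONTACTS": "viewing contacts",
    "android.permission.ACCESS_FINE_LOCATION": "collecting location data",
}

# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Netflix">
    <service android:name=".BackgroundService"/>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text, brand, official_package):
    """Return review findings for a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    # Labels may be resource references (@string/...); only literal labels match here.
    label = app.get(ANDROID + "label", "") if app is not None else ""
    package = root.get("package", "")
    if brand.lower() in label.lower() and package != official_package:
        findings.append(f"label '{label}' but package is '{package}'")
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    for perm, capability in CAPABILITY_PERMS.items():
        if perm in requested:
            findings.append(f"requests {perm} ({capability})")
    if app is not None:
        services = [s.get(ANDROID + "name") for s in app.iter("service")]
        if services:  # context only: services are common in legitimate apps too
            findings.append(f"declares background services: {services}")
        for receiver in app.iter("receiver"):
            actions = {a.get(ANDROID + "name") for a in receiver.iter("action")}
            if BOOT_ACTION in actions:
                findings.append(f"receiver {receiver.get(ANDROID + 'name')} starts on boot")
    return findings
```

Calling `triage_manifest(SAMPLE_MANIFEST, "Netflix", "com.netflix.mediaclient")` returns the findings as a list of strings; none of them is conclusive on its own, so treat the output as a prompt for manual review.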