Another old and patched vulnerability is being used to target Android systems with a Remote Access Tool (RAT) to obtain escalated privileges.
Trend Micro reported it has detected a new variant of AndroRAT (identified as ANDROIDOS_ANDRORAT.HRXC) that can inject root exploits, enabling attackers to perform malicious acts such as “silent installation, shell command execution, WiFi password collection, and screen capture.”
AndroRAT takes advantage of CVE-2015-1805, which was made public and patched in 2016, and only affects older Android devices. AndroRAT itself was created in 2012 as a university project, an administrative tool to allow remote access to Android devices, Trend Micro said, but cybercriminals unfortunately found a use for it as well.
Trend found that the new variant pretends to be a utilities app called TrashCleaner, which fits in with its original design purpose, and that it is most likely distributed through a malicious URL.
The first time AndroRAT runs, it installs a Chinese-labeled calculator app that looks just like the type that normally comes bundled with any Android device. The calculator icon then supplants the TrashCleaner icon. Once these actions are completed, the malware can be controlled remotely to carry out a laundry list of malicious activities.
The new bits of thievery include theft of mobile network information, storage capacity, installed applications, web browsing history from pre-installed browsers, and calendar events; recording calls; uploading files to the victim device; using the front camera; deleting and sending forged SMS messages; screen capture; shell command execution; and theft of Wi-Fi passwords.
The earlier versions of AndroRAT could:
· Record audio
· Take photos using the device camera
· Steal system information such as phone model, number, IMEI, etc.
· Steal the names of WiFi networks connected to the device
· Steal call logs, including incoming and outgoing calls
· Steal the mobile network cell location
· Steal the GPS location
· Steal the contacts list
· Steal files on the device
· Steal the list of running apps
· Steal SMS messages from the device inbox
· Monitor incoming and outgoing SMS
Trend disclosed the issue to Google, which said neither of the malicious apps discovered was ever housed on Google Play, but that detection for CVE-2015-1805 has already been incorporated into their system.