Researchers with FireEye have identified HijackRAT, a crafty remote access trojan (RAT) for mobile devices running the Android operating system that can steal banking information by disabling anti-virus applications, among other things.
The HijackRAT package name is “com.ll” and appears on a compromised device with a generic Android icon named “Google Service Framework,” according to a Tuesday post by Jinjian Zhai and Jimmy Su, researchers with FireEye.
“Once activated, the [option to uninstall] is disabled and a new service named ‘GS’ is started,” according to the post. “The icon will show ‘App isn't installed.’ when the user tries to click it again and removes itself from the home screen.”
HijackRAT quickly goes to work connecting to the command-and-control server and pulling up a task list, according to the post, which explains that the first action taken is grabbing sensitive information from the device, including phone number, device ID, and contact lists.
Although the command-and-control server was traced back to Hong Kong, it is likely a victim's system controlled by the RAT, according to the post. Evidence in the user interface suggests that the developers are Korean and the victims are Korean, as well.
The malware specifically targets eight Korean banking applications, all of which require “V3 Mobile Plus,” a well-known anti-virus application available on the Google Play store, according to the post.
HijackRAT is designed to disable that anti-virus application so that it can, without detection, push what appears to be an update to the targeted bank application, according to the post. Following through on the update will cause the real bank app to uninstall and a new, fake app to download.
Although it only targets Korean banks now, HijackRAT can easily be updated to target other financial institutions, according to the post, which adds that the malware – also capable of sending and stealing SMS messages – contains an unfinished framework to enhance its bank targeting features.
Command-and-control and botnet behaviors, malicious apps masquerading as system apps, and the boxing out of anti-virus programs are signs that desktop attack techniques are segueing into the mobile arena, Domingo Guerra, founder and president of Appthority, told SCMagazine.com in a Thursday email correspondence.
“It seems the app isn't available in the wild yet and is more of a proof of concept – or work in progress – by a malicious app developer targeting Korean banks,” Guerra said. “But it shows criminals are catching up to the latest security protocols and have their sights on where the money is for mobile: banking apps.”
Removing HijackRAT requires users to deactivate its administrative privileges in the settings menu, according to the post. FireEye could not immediately respond to an SCMagazine.com request for comment.