Androrat New Android Malware Strain Can Hijack Older Phones – The latest threat intelligence from the web shows that threat actors in Iranian hacking communities are particularly interested in targeting Android systems using several different types of remote access trojans (RATs). While most research and reports on mobile security focus on widespread or critical vulnerabilities, this analysis shows how threat actors have tools and community support systems readily available to attack popular platforms in their region or country.
Across a wide range of threat actors, private or open-source RATs have consistently been popular choices. In the past, threat research has often identified njRAT and XtremeRAT as common variants. For example, njRAT is widely used for multiple criminal activities and Syrian surveillance campaigns, while XtremeRAT has been used in campaigns against Israeli, Egyptian, and Saudi Arabian targets by several actors (e.g. SecureList, Trend Micro).
Androrat New Android Malware Strain Can Hijack Older Phones
As Recorded Future’s recent research on RATs shows, while these types remain in common use, there are trends showing that certain actors in the region are increasingly interested in new tools. Interest in these tools, especially chatter around download sources, proper deployment, and features, comes largely from a single community.
Nofilter: Exposing The Tactics Of Instagram Account Hackers
Looking at the recent six months of activity on prominent Iranian hacking forums, interest in RATs targeting Android devices dominates the discussion. While mobile-focused malware is a growing threat, this interest also makes sense in a regional context, as Android devices make up a significant majority of mobile devices in the Middle East.
Shown below, the initial analysis focused on filtering all forum chats from the past six months based on malware type. While it may be difficult to perform threat intelligence analysis using foreign language sources, focusing specifically on tools (in those forums) describe the technical complexity and types of attacks that particular groups or sources are interested in. It makes it easier. In this case, it was useful to break down all mentions of RAT tools to assess whether variants like njRAT or DarkComet are still popular options.
As you can see in the chart below, there are small bursts of interest in njRAT (also known as Bladabindi) and little conversation about DarkComet. Instead, there is sustained and general interest in two types of Android RATs.
Discussions of the last six months in Iranian forums show that most of the talk is about two specific Android RATs (AndroRAT, DroidJack) on common platforms such as njRAT or DarkComet.
Why Are Apps Like These Allowed On Play Store? I Got This Suggestion From Trending Section.
If we look at the two top tools in question, AndroRAT and DroidJack, we will also see a time difference in when the interest starts. Regarding the origin history, given that AndroRAT was created several years before the related DroidJack malware appeared in hacker communities, it follows that the communities picked up the original tool first. Iranians’ enduring interest in AndroRAT, despite its old age and lack of chat from other sources, could be due to easy access to downloads, including GitHub repositories, and existing community support for deploying the malware.
Two RATs in particular, AndroRAT and DroidJack, are probably popular among hacking community members for the same reasons as njRAT – open access to download or purchase, strong community support, and ease of use.
The history of malware is related to the same family, with AndroRAT being created in late November 2012 on hacker forums. The malware likely originated from open source posted online, with a GitHub repository for AndroRAT dating back to the same month. A variant of the AndroRAT malware called SandroRAT was available in 2013, found in campaigns targeting Polish banking users, and the authors ported it to DroidJack in 2014.
All variants have dozens of features, including the ability to track SMS messages, contacts, call logs, browser history, and user credentials on visited websites.
Major Exploit: This Gif Can Backdoor Any Android Phone (sort Of)
Taking a step back, last year’s activity around both tools shows that the Iranian hacker community has the largest number of chats compared to other hacker communities, whether on the open or dark web.
The second figure below also shows how this trend interest is far-reaching among most sources that discuss RAT use and activity. The three-month gap between the first report, which showed up in the initial cluster of activity, and subsequent conversations between hacking communities and social media is also notable. The fact that most hacking communities have not used these tools and that internet chats have decreased significantly in the past year makes Iran’s interest even more apparent.
DroidJack interest across internet sources saw initial interest, a three-month gap, and sustained interest mainly from Iranian forums.
Today, users can still find multiple sites to purchase for both tools from major search engines. Future research documented found examples of open downloads on several hacking forums in September 2015. Samples were also found on open download sites, including forked versions on GitHub.
A Systematic Literature Review And A Conceptual Framework Proposition For Advanced Persistent Threats (apt) Detection For Mobile Devices Using Artificial Intelligence Techniques
DroidJack and AndroRAT represent a minority of the total RAT activity, but analysis reveals the nuances of conducting threat intelligence at web scale. While previous research by Recorded Future revealed a variety of popular choices like njRAT, digging into specific players, specific regional trends, or even specific associations provides rich context.
With their low level of technical skill required, open availability, and strong community support in hacker communities, DroidJack and AndroRAT are likely to be popular options for threat actors looking to exploit Middle East mobile systems.
These trends are consistent with the general nature of cybercriminals, who often seek to attack platforms that are popular in the market, such as PCs, from which they have a larger set of targets. As Android currently holds the majority of market share – in regions such as the Middle East, Asia and Africa – and continues to grow, we’re likely to see increased interest and new mobile malware campaigns in these regions.
Related Post "Androrat New Android Malware Strain Can Hijack Older Phones"