Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Dirty AndroRAT: New Tool Lets Anyone Trojanize Android Apps

Symantec’s Andrea Lelli outlines how underground forums have been offering a free Android RAT known as AndroRAT
Symantec’s Andrea Lelli outlines how underground forums have been offering a free Android RAT known as AndroRAT

Symantec’s Andrea Lelli noted that since November 2012, underground forums have been offering a free Android RAT known as AndroRAT. Like other RATs, it allows a remote attacker to control the infected device with a user-friendly control panel. For example, when running on a device, AndroRAT can monitor and make phone calls and SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files stored on the device.

The binders, however, are new and add a new threat layer to the mix. Symantec has detected only several hundred infections of AndroRAT worldwide, with the US and Turkey being the most targeted countries. However, the binders are changing that – infections are starting to spike up.

When AndroRAT – which comes in standard application format for Android – is used with a binder, it easily allows an attacker with limited expertise to automate the process of infecting any legitimate Android application with AndroRAT, thus trojanizing the app.

“When the Trojanized version of the legitimate app is installed on the device, the user unsuspectingly installs AndroRAT alongside the legitimate app they intended to install,” Lelli explained. “This allows the attacker to circumvent elements of the Android security model through deception. To date, Symantec has counted 23 cases of popular legitimate apps being Trojanized in the wild with AndroRAT.”

AndroRAT is also morphing in shape. Symantec has spotted a commercial Java RAT named Adwind that “seems to be in the process of incorporating an Android module based off the AndroRAT open source code,” Lelli said, noting that a demonstration video shows Adwind working with Android, along with the presence of AndroRAT on the infected phone. That suggests that some cross-pollination is in the works.

“The evolution of remote access tools moving onto the Android platform was predicted,” Lelli said. “While AndroRAT is not showing a particularly high level of sophistication just yet, with the open source nature of its code and with its popularity growing, it has potential to evolve and grow into a more serious threat.”

What’s Hot on Infosecurity Magazine?