Sophisticated RAT spying on Mobile Devices
During our routine threat hunting exercise, Cyble Research Labs came across several Android malware samples with similar code targeting Android users via RAT activities.
These samples mostly use the names and icons of legitimate applications or organizations such as Invoice.apk, Google.apk, prueba.apk, ZiniTevi.apk, and cisamu.apk to lure the users into executing them.
Based on our intelligence, we identified that this variant had surfaced frequently in the wild in the last few months. This new campaign has been active since March 2022, and we observed over 200 samples from the same variant targeting Android users.
We identified several sophisticated features in this malicious app. By leveraging these features, the app can steal data such as clipboard data, device info, SIM details, device IP, SMSs, device location, call logs, device MAC Address, etc. The application can also record video and audio, read SMS and take pictures from the camera as well.
Technical Analysis
APK Metadata Information
- App Name: Google Service Framework
- Package Name: com.example.reverseshell2
- SHA256 Hash: 11940887451fb4e8249b88c4730e5251a0fd6b2f7648574f7b0fedc948b4c2c7
Figure 1 shows the metadata information of an application.
The figure below shows the application icon and name displayed on the Android device.
Manifest Description
The malware requests users for 18 different permissions, of which it abuses 9. These dangerous permissions are listed below.
| Permissions | Description |
| ACCESS_WIFI_STATE | Allows the app to get information about Wi-Fi connectivity. |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the device’s external storage. |
| READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device’s external storage. |
| READ_SMS | Access phone messages. |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which has the potential to be misused by attackers |
| ACCESS_COARSE_LOCATION | Allows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi. |
| ACCESS_FINE_LOCATION | Allows the device’s precise location to be detected by using the Global Positioning System (GPS). |
| READ_CALL_LOG | Access phone call logs. |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. |
Source Code Review
Our static analysis indicated that the malware steals the information from the infected device based on the commands received from the Command and Control (C&C) server.
While launching the application for the first time, it hides its icon from the device screen and runs silently in the background. The below code snippet is used to hide the app icon.
After execution, the malware monitors the user’s clipboard activity, steals any data copied over to the clipboard, and sends it to the C&C server. The malware uses the code shown in Figure 4 to grab the clipboard data.
The malware identifies the number of cameras present in the device and enumerates this data point to gain information about them. The malware can then use these identified cameras to capture images from the victim’s device.
The malware executes the deviceInfo() method to collect information about the victim’s device, such as manufacturer, model and brand details, etc. as shown in the figure below.
The malware calls the getPhoneNumber() method to collect information about SIM details, IMEI number, mobile number, call state, etc.
Using built-in code, the malware can also identify the IP address of the infected machine, as shown in Figure 8.
By collecting the victim’s SMS data, the Threat Actors can perform various malicious activities such as stealing contact details, bypassing Two-Factor-Authentication, etc.
Upon receiving a command from the C&C server, the malware steals the device’s location through GPS and any connected networks.
Based on the commands received from the TA’s C&C server, the malware can also record audio using the devices microphone ,as shown in the below code snippet.
The code present in Figure 12 demonstrates the malware’s ability to record video using the device camera.
Figure 13 showcases the code through which the malware can steal calllogs from the infected device. Further, this collected data can be used for various malicious activities such as Smishing.
The code in the below snippet depicts the malware’s capability to gain access to the device’s MAC address.
The malware communicates with the Android device via the C&C URL: 8[.]tcp.ngrok.io:19742 as shown below.
We have listed the commands used by the TAs to control the infected device below:
| Command | Description |
| camList | Collects Camera List (Front & Back) |
| takepic | Takes Picture from Camera |
| getClipData | Collects Clipboard Data |
| deviceInfo | Collects Device Info |
| getSimDetails | Collects SIM Details |
| getIP | Collects Device IP |
| getSMS | Collects SMS Data from Device |
| getLocation | Collects Device Location |
| startAudio | Starts Audio Recording |
| stopAudio | Stops Audio Recording |
| startVideo | Starts Video Recording |
| stopVideo | Stops Video Recording |
| getCallLogs | Collects CallLogs |
| getMACAddress | Collects Device Mac Address |
Conclusion
The volume and sophistication of Cyberattacks on Android users are increasing daily. This malware category is one such example of an Android application pretending to be legitimate and performing RAT activities behind the scenes.
According to our research, these types of malware are only distributed via sources other than Google Play Store. As a result, practicing basic cyber-hygiene across mobile devices and online banking applications is a good way to prevent malware such as this from compromising your devices.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Mean. |
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Execution | T1575 | Native Code |
| Collection | T1433 | Access Call Log |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1429 | Capture Audio |
| Collection | T1512 | Capture Camera |
| Collection | T1533 | Data from Local System |
| Collection | T1430 | Location Tracking |
| Command and Control | T1436 | Commonly Used Por |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 42c03ec2513311a338d15456e2a2a880 | MD5 | RAT APK |
| c45015ac27031ba2e1aaabed3efe00cefa6cc607 | SHA-1 | RAT APK |
| 11940887451fb4e8249b88c4730e5251a0fd6b2f7648574f7b0fedc948b4c2c7 | SHA-256 | RAT APK |
| 4685a80d940cb14a3b1165ddeca51637 | MD5 | RAT APK |
| 5a74272d938074a6ca5280aaad721b30c32e832f | SHA-1 | RAT APK |
| 3737d32ca2ba4833d962689d27e4475a73119127c2fed5196aafca86a559a731 | SHA-256 | RAT APK |
| 4d9181087dceab78a0128c124f5a52f6 | MD5 | RAT APK |
| 8f61bb17de21bb3b922b946d937239c308635cf4 | SHA-1 | RAT APK |
| e7fe356431ff57d1c4781ef3912639cd4b7a58075b0376c5bf2fcf94b7757ee2 | SHA-256 | RAT APK |
| 030351538f178f213d787396f88ac159 | MD5 | RAT APK |
| 604ff7a11e793ec741d29ca907d84883ef6e26cb | SHA-1 | RAT APK |
| e83d3384889ca8d0a387dbd3e8ac1d677b6695b07f73f42c2b0947cc2423d602 | SHA-256 | RAT APK |
| 545d3494d269b90dea6729cb05123d80 | MD5 | RAT APK |
| ff4da99e4107c18cbf31fb0998526a771c4a875c | SHA-1 | RAT APK |
| 749090139d56cd119fb2fda2d3faa0d0361b35a6889decb0d45a3677166aab0f | SHA-256 | RAT APK |
