Remote access tool offers complete access to sensitive information

Aug 4, 2014 11:30 GMT  ·  By

A phishing campaign currently targeting Android users in Poland delivers emails that purport to come from a bank, warn the recipient that their mobile device is infected, and offer a fake mobile security app to remove the supposed malware.

The file poses as Kaspersky Mobile Security but is actually a build of SandroRAT, a remote access tool written for Android whose source code has been offered for sale on HackForums since December 2013.

According to McAfee mobile malware researcher Carlos Castillo, the package distributed by the phishing campaign accepts a range of commands from a command and control (C&C) server and uses them to collect sensitive data from the device and upload it to that server.

The researcher says that the malware gives the attacker unrestricted access to the contact list, call logs and SMS messages stored on the phone, as well as to the browser history, bookmarks and GPS location data.

This version of SandroRAT can update itself and can install additional packages; the extra installs still go through the normal Android install prompt, so the user is asked to approve them, but the prompt arrives from an app they already trust as a "security product".

The attacker also gets full control over SMS traffic: incoming messages can be intercepted, blocked and stolen, messages can be planted in or deleted from the inbox, and the bot can send multimedia messages with parameters supplied by the C&C server. On a device used for mobile banking this is the capability that matters most, because it lets the attacker read or suppress one-time authorization codes sent by SMS.

These are not all of the features McAfee observed: Castillo says the malware can also switch on the device's audio recording, store the recording locally and upload it to a remote location later.

Together with the ability to open the dialer with a specific number, execute USSD codes and display pop-up messages on the infected device, this makes SandroRAT a versatile tool for cybercriminals.

Castillo notes that the current version of the malware can also decrypt the chat databases of older WhatsApp releases. In those releases the database encryption key is derived from the Google account email registered on the device, which any app on the phone can read, so the malware can reconstruct the key and recover the messages in plain text.

The latest version of WhatsApp is not affected because its developers adopted a stronger scheme in which the key also depends on a unique per-user salt issued by the server, so the key can no longer be derived from data that already sits on the phone.
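The difference between the two schemes is easiest to see as an attacker model. The following is an added example, not code from the article, from McAfee or from WhatsApp: it is a toy model in which `derive_key_device_only` and `derive_key_server_salted` stand in for the old and new key derivations and a SHA-256 counter-mode keystream stands in for the real cipher. The function names, the KDF labels and the sample email, salt and message are all constructed for the illustration; the article does not describe WhatsApp's actual algorithms and this code does not claim to reproduce them. What the model shows is that an attacker who only holds what is on the device (the encrypted database and the account email) succeeds against the first scheme and fails against the second.

```python
import hashlib
import hmac
from typing import Optional

# Toy KDFs. The labels are arbitrary domain separators, not real WhatsApp constants.
def derive_key_device_only(account_email: str) -> bytes:
    """Weak: every input is readable by any app on the device."""
    return hashlib.sha256(b"device-only-kdf|" + account_email.encode()).digest()

def derive_key_server_salted(account_email: str, server_salt: bytes) -> bytes:
    """Stronger: the per-user salt is issued by the server and is not in the on-device data."""
    return hashlib.sha256(b"salted-kdf|" + server_salt + b"|" + account_email.encode()).digest()

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode) standing in for a real cipher.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC so a wrong key is detected instead of yielding garbage."""
    ciphertext = _keystream_xor(key, plaintext)
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag

def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    ciphertext, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ciphertext, hashlib.sha256).digest(), tag):
        return None
    return _keystream_xor(key, ciphertext)

def attacker_recover(on_device_email: str, on_device_blob: bytes) -> Optional[bytes]:
    """What malware with full device access can do: it knows the email and the blob, nothing else."""
    return open_sealed(derive_key_device_only(on_device_email), on_device_blob)

def demo() -> dict:
    # Constructed sample data for the illustration.
    email = "victim@example.com"
    message = b"Your one-time authorization code is 482913"
    server_salt = bytes.fromhex("9f1c3a77d2e4b8056a3f0c2d1e9b7a44")  # held by the server only

    old_blob = seal(derive_key_device_only(email), message)
    new_blob = seal(derive_key_server_salted(email, server_salt), message)

    return {
        "old_scheme_recovered": attacker_recover(email, old_blob),   # plaintext
        "new_scheme_recovered": attacker_recover(email, new_blob),   # None: key needs the salt
        "legit_client_can_read": open_sealed(
            derive_key_server_salted(email, server_salt), new_blob),  # plaintext
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point is not the particular hash or cipher but the key's inputs: any secret the malware can read on the phone is not a secret from the malware, so a key derived only from such data offers no protection against an implant with the access SandroRAT has.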

Although some may argue that phishing is easy to avoid, this email is well crafted: it claims to come from a financial institution that is offering its customers a security app against malware that steals authorization codes for electronic transactions, which is exactly the kind of message a bank might plausibly send.

However, if good practice is followed and installation of Android apps from unknown sources is left disabled, the device will refuse to install the sideloaded package and warn the user that it does not come from a trusted source. A genuine security product from a bank or from Kaspersky would be distributed through Google Play, not as an APK attached to or linked from an email, so the delivery channel alone is reason enough to discard the message.