The Trojan deceives the user by impersonating legitimate applications

Aug 12, 2014 23:49 GMT

A new remote access Trojan (RAT) for Android has been found to integrate malicious functionality in legitimate apps, allowing the attacker control over various functions of the device, such as camera, GPS and microphone.

The malware is currently distributed through multiple channels, ranging from websites sharing pirated content to social networks.

Security researchers from ESET have discovered that the malware authors have slipped the Android version of Unrecom RAT into legitimate apps. This means that the threat is disguised as valid software, preserving some of the original functionality, but it is laced with malicious features, too.

The sample they analyzed is detected as Android/Spy.Krysanec and was found in modified versions of a mobile banking app (MobileBank, used to access Russian Sberbank accounts), a data-usage monitor (3G Traffic Guard), and ESET's own ESET Mobile Security.

“Quite often the legitimate functionality is present, but with a malicious aftermarket addition – the very essence of a trojan horse. And quite often the application purports to be a cracked version of a popular paid application – so the danger is greater on less-than-trustworthy app stores and forums – but this is certainly not an indisputable rule,” writes ESET malware researcher Robert Lipovsky in a blog post.

Nathan Collier, Senior Malware Intelligence Analyst at Malwarebytes, said via email that an individual with coding experience would have little difficulty decompiling an existing Android app, adding malicious capabilities and repackaging it for distribution on alternative, non-curated markets.

“The tools to make this possible can be found by anyone with a good working knowledge of a search engine. A lot of the Android RATs used also utilize existing pre-built toolkits, making it relatively straightforward,” he explains.

Krysanec appears to have a modular architecture: it can execute plug-ins downloaded from its command and control server, which was found to be hosted on a domain belonging to the No-IP dynamic DNS provider.

Its capabilities include taking photos, recording audio with the device’s microphone, locating the device via GPS, retrieving the list of installed apps, and exfiltrating the call log, the contacts, and text messages sent through SMS or WhatsApp.

Users can protect themselves by not installing Android apps from unreliable sources. Lipovsky notes that apps in official markets are signed with the developer’s certificate, which guards against such modifications, and that the Krysanec-laced copies did not carry valid certificates; installing a mobile anti-malware solution is also recommended.
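The signing check Lipovsky refers to can be illustrated with the v1 (JAR) scheme, where META-INF/MANIFEST.MF records a digest of every entry and a signature block covers that manifest: an entry that was modified or added after signing no longer matches. The script below is an added example, not code from ESET or the article; it only compares entries against the recorded digests and checks that a signature block is present, it does not verify the signature itself or the v2/v3 APK Signature Scheme, and the fixture it builds is a constructed stand-in with a placeholder CERT.RSA rather than a real app.

```python
import base64
import hashlib
import zipfile
from io import BytesIO

def parse_manifest(text):
    """Parse META-INF/MANIFEST.MF into {entry name: base64 SHA-256 digest}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # a leading space marks a wrapped line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    digests, name = {}, None
    for line in lines:
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[16:]
        elif line == "":                    # a blank line ends the current section
            name = None
    return digests

def check_v1_integrity(apk_bytes):
    """Report entries that no longer match their recorded digest or were never listed."""
    with zipfile.ZipFile(BytesIO(apk_bytes)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        signed = any(n.upper().endswith((".RSA", ".DSA", ".EC")) for n in names if n.startswith("META-INF/"))
        recorded = parse_manifest(z.read("META-INF/MANIFEST.MF").decode()) if "META-INF/MANIFEST.MF" in names else {}
        tampered, unlisted = [], []
        for name in (n for n in names if not n.startswith("META-INF/")):
            if name not in recorded:
                unlisted.append(name)           # added after signing
            elif base64.b64encode(hashlib.sha256(z.read(name)).digest()).decode() != recorded[name]:
                tampered.append(name)           # modified after signing
    return {"signed": signed, "tampered": tampered, "unlisted": unlisted}

def build_sample_apk(entries, sign=True, tamper=None):
    """Constructed fixture, not a real app: real digests in MANIFEST.MF, placeholder CERT.RSA."""
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA-256-Digest: {base64.b64encode(hashlib.sha256(d).digest()).decode()}\r\n\r\n"
        for n, d in entries.items())
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        if sign:
            z.writestr("META-INF/CERT.RSA", b"placeholder signature block")
        for n, d in {**entries, **(tamper or {})}.items():   # tamper = edits made after signing
            z.writestr(n, d)
    return buf.getvalue()
```

On a real APK, `apksigner verify --print-certs` performs the full check, including the signature itself and the certificate fingerprint to compare against the developer's published one.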