Iranian hackers seek help for Android RATs on hacking forums

Oct 29, 2015 09:21 GMT

Over the past few months, threat intelligence research company Recorded Future has observed a heightened interest in Android RATs (Remote Access Trojans/Tools) coming from Iranian hackers.

Starting in May 2015, Recorded Future researchers noted that, on hacking forums, users originating from Iran were asking a lot of questions about a few Android RATs, with particular interest in AndroRAT and DroidJack rather than in familiar tools like DarkComet and njRAT, also known as Bladabindi.

All these tools provide attackers with advanced spying capabilities, such as the ability to intercept SMS messages, view call logs, access contact lists and browser history, and even use the phone's microphone and camera.

Iranian hackers are migrating away from DarkComet RAT

This trend complements previous Recorded Future research, which found that RAT operators from the same country tend to use largely the same RAT toolkits.

In that study, released at the end of September, Iranian hackers were seen operating the DarkComet RAT. This recent interest in alternatives may indicate a shift towards newer tools, either to compensate for DarkComet's weaknesses or to keep up with recent Android OS changes.

The keen interest in Android hacking should not surprise anyone, since recent IDC research has shown that Android had an 80% market share in the Middle East region.

Taking a closer look at the hackers' interests, Recorded Future saw that most of the time they were either asking support questions or looking for valid sources from which to buy or download these tools.

Regardless of the specific RAT the hackers were interested in (AndroRAT or DroidJack), all are quite easy to find online, either to buy or to download from various forums, and even from some public GitHub repositories.

The new tools come with a clean(er) history

The RATs in which the Iranian-linked hackers had an interest don't have such a high-profile history of hacking. On the other hand, njRAT and DroidJack have been linked to quite a few incidents in the past. This might also indicate a need for the hackers to adopt newer tools that haven't been studied and scrutinized the way their current ones have.

njRAT, for example, was actively used by the Syrian government to spy on its population, and by Russian criminals to establish a cryptocurrency mining botnet.

"With a low level of technical skill needed, open availability, and strong community support on hacker forums, DroidJack and AndroRAT are likely to remain popular choices for threat actors seeking to take advantage of Middle Eastern mobile systems," says Rodrigo Bijou, Recorded Future researcher. "These trends match the general nature of cyber criminals who often seek to attack platforms that are popular in the market, like PCs, from which they have a larger pool of targets."

Interest in Android RATs