Infections might be part of a cyber-espionage campaign

Aug 6, 2016 09:05 GMT  ·  By

Between December 2015 and June 2016, a new Android RAT (remote access trojan) was targeting users living in China with the aim of collecting their personal data and sending it to a C&C server hosted in Italy.

According to an analysis shared with Softpedia by Bitdefender researchers Alin Barbatei and Marius Mihai Tivadar, the Italian connection goes deeper, as the RAT's source code is also full of Italian text strings.

Only Chinese users owning four models are targeted

The RAT is coded in such a way that it targets only Chinese users who own four types of phones: Samsung N9005 Galaxy Note 3 LTE, Samsung SM-G355HN Galaxy 2 Core, LG D820 Nexus 5, and G355H Galaxy Core II (SM-G355HN).

The crooks behind this campaign achieve this by filtering on the IMEI code of the device they infect. If the code does not fall within certain ranges, the infection is abandoned.

The names of the two apps used to infect users are "it.cyprus.client" and "it.assistenzaumts.update." Some infections were also spotted in Japan.
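For an incident responder checking a handset against this report, the two package names and the four targeted models above are the only concrete indicators the analysis gives. The following script is an added example, not code from Bitdefender or Softpedia: it parses the `package:<name>` lines that `adb shell pm list packages` prints, matches them against the two package names from the report, checks the `ro.product.model` value against the model strings above, and reports whether common `su` binary paths exist (a rooted device is a precondition the article describes). The sample `pm` output and model string are constructed for the demonstration.

```python
import re

# Indicators taken from the Bitdefender analysis quoted on this page.
KNOWN_RAT_PACKAGES = {"it.cyprus.client", "it.assistenzaumts.update"}
TARGETED_MODELS = {"N9005", "SM-G355HN", "D820", "G355H"}

# Typical locations of a su binary on a rooted device; presence is only a hint.
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su")

PKG_LINE = re.compile(r"^package:(\S+)$")


def parse_pm_list(output: str) -> list:
    """Return package names from `adb shell pm list packages` style output."""
    packages = []
    for line in output.splitlines():
        match = PKG_LINE.match(line.strip())
        if match:
            packages.append(match.group(1))
    return packages


def matching_packages(packages, known=KNOWN_RAT_PACKAGES) -> list:
    """Installed packages whose name matches one of the reported RAT packages."""
    return sorted(p for p in packages if p in known)


def is_targeted_model(model: str, targets=TARGETED_MODELS) -> bool:
    """True if the ro.product.model value contains one of the reported models."""
    return any(t in model for t in targets)


def root_indicators(existing_paths) -> list:
    """Subset of SU_PATHS that were found on the device (caller supplies the list)."""
    found = set(existing_paths)
    return [p for p in SU_PATHS if p in found]


def triage(pm_output: str, model: str, existing_paths) -> dict:
    """Combine the three checks into one finding list for a triage report."""
    hits = matching_packages(parse_pm_list(pm_output))
    findings = []
    for pkg in hits:
        findings.append("installed package matches reported RAT: " + pkg)
    if is_targeted_model(model):
        findings.append("device model is one of the reported targets: " + model)
    su = root_indicators(existing_paths)
    if su:
        findings.append("root indicator present: " + ", ".join(su))
    return {"infected_indicator": bool(hits), "findings": findings}


# Constructed sample data (not captured from a real device).
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:it.assistenzaumts.update
package:com.google.android.gms
package:it.cyprus.client
"""
SAMPLE_MODEL = "SM-G355HN"
SAMPLE_EXISTING_PATHS = ["/system/bin/sh", "/system/xbin/su"]

if __name__ == "__main__":
    report = triage(SAMPLE_PM_OUTPUT, SAMPLE_MODEL, SAMPLE_EXISTING_PATHS)
    for finding in report["findings"]:
        print(finding)
```

The script takes the `pm` output and the list of existing paths as plain inputs so it can be run offline against a captured text dump; on a live device the same data would come from `adb shell pm list packages`, `adb shell getprop ro.product.model`, and a file-existence check over `SU_PATHS`. A model or root match on its own is not evidence of infection, which is why only a package match sets `infected_indicator`.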

The RAT is part of a narrow and focused attack

The RAT works only on Android devices that have been rooted. This is not a problem, though, since a recent study has revealed that four in five Android devices in China are rooted.

The trojan shows traditional RAT behavior, such as the ability to copy device settings and technical details and send them to a C&C server, take screenshots, and more. Infections with this new RAT never reached massive numbers but seem to have gone unnoticed.

"Since only advanced persistent threats (APT) normally exhibit this type of selectivity when infecting victims, this Android RAT could be part of a wider attack that we’ve yet to uncover," the two Bitdefender malware analysts note in their research.