Tag Archives: AndroRAT

DroidJack RAT: A tale of how budding entrepreneurism can turn to cybercrime

See how Android.Sandorat, a multi-featured mobile crimeware tool, began life as a legitimate Android app.

Twitter Card Style: 

summary

Small-scale mobile app software entrepreneurship has been described as the cottage industry of the 21st century. It allows talented software developers to apply their skills to create new and innovative mobile apps, with the hope of becoming the next big thing and, perhaps, even attaining the trappings of wealth associated with success. However, with over 1 million apps available for download on the Google Play Store, for every success story there are countless apps that fail to deliver.

While I was researching a new Android remote administration tool (RAT) known as DroidJack (detected by Symantec as Android.Sandorat), it soon became apparent that its authors had actually started off as Android app developers. In their own words, they were “budding entrepreneurs trying to develop and apply skills that we have gained.” With limited success of their legitimate app on the Google Play Store, they soon turned their skills to creating and selling an Android crimeware tool, known as SandroRAT, on a hacker forum. In August 2014, this same tool was reported in the media to have been used in cybercriminal activity targeting Polish banking users through a phishing email. This tool has since evolved into DroidJack RAT and is now being openly sold on its own website at a cost of US$210 for a lifetime package.

Fig1DJ.png
Figure 1. DroidJack website logo

Evolution
On April 26, 2013, the Sandroid RAT was released on the Google Play Store. The authors described the app as being a free tool that lets users control their PC without advertisements.

Fig2_0.png
Figure 2. DroidJack website logo

On December 29, 2013, there was an announcement on a hacker forum of a new project called SandroRAT. The forum poster linked the project back to the Sandroid app available on the Google Play Store, referring to SandroRAT as being a kind of “vice-versa” to the Sandroid app, while also commenting on how it remains hidden on the phone.  

Fig3.png
Figure 3. SandroRAT control panel

On June 27, 2014, there was an announcement from the same poster on the same hacker forum of a next-generation Android RAT, known as DroidJack.

Fig4.png
Figure 4. DroidJack control panel

Capabilities
DroidJack has similar features to other Android RATs, such as AndroRAT and Dendroid. Some of the more than 50 features on offer include the following:

  • No root access required
  • Bind the DroidJack server APK with any other game or app
  • Install any APK and update server
  • Copy files from device to computer
  • View all messages on the device
  • Listen to call conversations made on the device
  • List all the contacts on the device
  • Listen live or record audio from the device’s microphone
  • Gain control of the camera on the device
  • Get IMEI number, Wi-Fi MAC address, and cellphone carrier details
  • Get the device’s last GPS location check in and show it in Google Maps

Fig5.png
Figure 5.  Screenshot from DroidJack marketing video, which shows GPS pinpointer location feature using Google Maps

Legality
Law enforcement is getting more aggressive in its stance against the creation and use of RATs. In May 2014, the FBI, Europol, and several other law enforcement agencies arrested dozens of individuals suspected of cybercriminal activity centered on Blackshades (detected as W32.Shadesrat), a RAT for personal computers that was sold on a dedicated website. Moreover, the recent arrest and indictment of a man in Los Angeles for allegedly conspiring to advertise and sell StealthGenie (Android.Stealthgenie), a mobile application similar to DroidJack, shows that law enforcement is continuing its campaign against any technology designed to invade an individual’s privacy.

In an attempt to distance themselves from any responsibility for illegal activity, the authors of DroidJack have included a disclaimer in their marketing material.  Similar disclaimers have been used in the past by other malware authors, such as the Mariposa botnet author, who unsuccessfully claimed on his website that the software was only for educational purposes. Whether the authors of DroidJack truly believe that this disclaimer absolves them of any responsibility is irrelevant, as naivete is not a defense in law.

Fig6.png
Figure 6. Disclaimer used in DroidJack marketing

Attribution
If the author or authors of DroidJack meant to cover up their tracks, they have not done a good job.  Some simple investigations lead back to the names and telephone numbers of several individuals initially involved in the creation of Sandroid, supposedly based out of Chennai in India. However, whether all of the initial developers are still involved in the creation of DroidJack is not clear. Their marketing video for DroidJack also clearly shows the GPS pinpointer locator function homing in on a location in India. If the authors of DroidJack are truly based out of India, cyber law in India indicates that the creation of such software would be seen as an offense.

Protection summary
Symantec offers the following protection against DroidJack.

Antivirus

DroidJack RAT: A tale of how budding entrepreneurism can turn to cybercrime

See how Android.Sandorat, a multi-featured mobile crimeware tool, began life as a legitimate Android app.

Twitter Card Style: 

summary

Small-scale mobile app software entrepreneurship has been described as the cottage industry of the 21st century. It allows talented software developers to apply their skills to create new and innovative mobile apps, with the hope of becoming the next big thing and, perhaps, even attaining the trappings of wealth associated with success. However, with over 1 million apps available for download on the Google Play Store, for every success story there are countless apps that fail to deliver.

While I was researching a new Android remote administration tool (RAT) known as DroidJack (detected by Symantec as Android.Sandorat), it soon became apparent that its authors had actually started off as Android app developers. In their own words, they were “budding entrepreneurs trying to develop and apply skills that we have gained.” With limited success of their legitimate app on the Google Play Store, they soon turned their skills to creating and selling an Android crimeware tool, known as SandroRAT, on a hacker forum. In August 2014, this same tool was reported in the media to have been used in cybercriminal activity targeting Polish banking users through a phishing email. This tool has since evolved into DroidJack RAT and is now being openly sold on its own website at a cost of US$210 for a lifetime package.

Fig1DJ.png
Figure 1. DroidJack website logo

Evolution
On April 26, 2013, the Sandroid RAT was released on the Google Play Store. The authors described the app as being a free tool that lets users control their PC without advertisements.

Fig2_0.png
Figure 2. DroidJack website logo

On December 29, 2013, there was an announcement on a hacker forum of a new project called SandroRAT. The forum poster linked the project back to the Sandroid app available on the Google Play Store, referring to SandroRAT as being a kind of “vice-versa” to the Sandroid app, while also commenting on how it remains hidden on the phone.  

Fig3.png
Figure 3. SandroRAT control panel

On June 27, 2014, there was an announcement from the same poster on the same hacker forum of a next-generation Android RAT, known as DroidJack.

Fig4.png
Figure 4. DroidJack control panel

Capabilities
DroidJack has similar features to other Android RATs, such as AndroRAT and Dendroid. Some of the more than 50 features on offer include the following:

  • No root access required
  • Bind the DroidJack server APK with any other game or app
  • Install any APK and update server
  • Copy files from device to computer
  • View all messages on the device
  • Listen to call conversations made on the device
  • List all the contacts on the device
  • Listen live or record audio from the device’s microphone
  • Gain control of the camera on the device
  • Get IMEI number, Wi-Fi MAC address, and cellphone carrier details
  • Get the device’s last GPS location check in and show it in Google Maps

Fig5.png
Figure 5.  Screenshot from DroidJack marketing video, which shows GPS pinpointer location feature using Google Maps

Legality
Law enforcement is getting more aggressive in its stance against the creation and use of RATs. In May 2014, the FBI, Europol, and several other law enforcement agencies arrested dozens of individuals suspected of cybercriminal activity centered on Blackshades (detected as W32.Shadesrat), a RAT for personal computers that was sold on a dedicated website. Moreover, the recent arrest and indictment of a man in Los Angeles for allegedly conspiring to advertise and sell StealthGenie (Android.Stealthgenie), a mobile application similar to DroidJack, shows that law enforcement is continuing its campaign against any technology designed to invade an individual’s privacy.

In an attempt to distance themselves from any responsibility for illegal activity, the authors of DroidJack have included a disclaimer in their marketing material.  Similar disclaimers have been used in the past by other malware authors, such as the Mariposa botnet author, who unsuccessfully claimed on his website that the software was only for educational purposes. Whether the authors of DroidJack truly believe that this disclaimer absolves them of any responsibility is irrelevant, as naivete is not a defense in law.

Fig6.png
Figure 6. Disclaimer used in DroidJack marketing

Attribution
If the author or authors of DroidJack meant to cover up their tracks, they have not done a good job.  Some simple investigations lead back to the names and telephone numbers of several individuals initially involved in the creation of Sandroid, supposedly based out of Chennai in India. However, whether all of the initial developers are still involved in the creation of DroidJack is not clear. Their marketing video for DroidJack also clearly shows the GPS pinpointer locator function homing in on a location in India. If the authors of DroidJack are truly based out of India, cyber law in India indicates that the creation of such software would be seen as an offense.

Protection summary
Symantec offers the following protection against DroidJack.

Antivirus

Android APK ???????????????????????????

先日のブログでお伝えしたように、Java で記述されているために複数のオペレーティングシステムで実行できるリモートアクセスツール(RAT)の活動が活発化しています。Android オペレーティングシステムが急速に普及している状況で、Android OS が最新の標的となり、RAT に対して無防備なのは当然です。アンダーグラウンドフォーラムでは、昨年の終わり頃から AndroRAT(Android.Dandro)として知られる無償の Android 版 RAT が公開されています。そして最近、AndroRAT を使って簡単に正規のアプリを再パッケージ化し、トロイの木馬を仕掛けることのできるツールが初めて登場しました。アンダーグラウンド経済がサイバー犯罪者の需要に応えようとすることを考えれば、これも当然の流れでしょう。
 

figure1.png

図 1. 世界最初のバインダを謳ってアンダーグラウンドで販売されている「バインダ」ツール

オープンソースの Android 版 RAT である AndroRAT が公開され、インターネット上で誰でも入手できるようになったのは、2012 年 11 月のことです。他の RAT と同様に AndroRAT でも、攻撃者はわかりやすいコントロールパネルを使って侵入先のデバイスを制御できます。たとえば、デバイス上で実行されている AndroRAT は、電話をかけたり監視したりするほか、SMS メッセージを送信する、デバイスの GPS 座標を取得する、カメラとマイクを有効化して利用する、デバイスに保存されたファイルにアクセスするといったことが可能です。
 

figure2_HL.png

図 2. AndroRAT のコントロールパネル
 

RAT は、Android の標準アプリケーションフォーマットである APK の形で提供されます。AndroRAT APK バインダと組み合わせて使えば、専門知識の乏しい攻撃者でも AndroRAT を使って簡単に、正規の Android アプリに感染するプロセスを自動化し、トロイの木馬を仕掛けることができます。トロイの木馬を仕掛けられた正規のアプリがデバイスにインストールされると、ユーザーは何も知らずに、目的の正規アプリとともに AndroRAT もインストールすることになります。攻撃者は、ユーザーを欺いて Android セキュリティモデルの機能をすり抜けられるわけです。シマンテックは現在までに、人気のある 23 種類の正規アプリが AndroRAT によって実際にトロイの木馬を仕掛けられていることを確認しています。

これに続いて、シマンテックは有償版の Java RAT も確認しています。これが Adwind(Backdoor.Adwind)で、すでに複数のオペレーティングシステムに対応しているうえに、AndroRAT のオープンソースコードに基づいて Android モジュールを取り込みつつあるようです。有償版のこの RAT にも、リモートで RAT を管理制御できるグラフィカルユーザーインターフェースが装備されています。

 

figure3LOB.png

図 3. Adwind のメインコントロールパネル
 

Adwind が Android で動作するところを解説したデモンストレーション用ビデオでも、感染したデバイス上に AndroRAT が存在していることが示され、Adwind の作成者が AndroRAT ツールをカスタマイズして Adwind に取り込んでいる可能性が示唆されています。AndroRAT のコードが、カスタマイズして新しい脅威やツールを簡単に作成できるというオープンソースの性質を備えている以上、こうした展開もなんら不思議なことではありません。
 

figure4_HL_600pxw.png

図 4. 感染したデバイス上に AndroRAT が存在することを示す Adwind のビデオからのスクリーンショット

シマンテックの現在の遠隔測定によると、米国とトルコが最も頻繁に Android.Dandro の標的になっています。感染数は全世界でも数百件どまりですが、遠隔測定では、最近になって感染数が増えていることも報告されています。AndroRAT 用のツールがますます流通し高機能になっていることを考えれば、増加傾向は今後も続くものとシマンテックは予測しています。
 

figure5LOB.png

図 5. 感染の分布図
 

リモートアクセスツールの進化が Android プラットフォームに向かうことは、以前から予期されていました。AndroRAT は今のところ、それほど高機能ではなさそうですが、コードがオープンソースであり人気も高くなっている以上、さらに深刻な脅威に発展する恐れは十分にあります。

この脅威を Android.Dandro として検出する、ノートン モバイルセキュリティなどのセキュリティアプリをインストールすることをお勧めします。スマートフォンとタブレットの安全性に関する一般的なヒントについては、モバイルセキュリティの Web サイト(英語)を参照してください。

 

* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Remote Access Tool Takes Aim with Android APK Binder

In a previous blog, we talked about the rise of remote access tools (RAT) written in Java that are capable of running on multiple operating systems. With the growing popularity of the Android operating system, it comes as no surprise that the Android O…