Mobile RAT Infestation

By Ruchna Nigam | August 18, 2013

Why are we discussing pest control on a security blog?

Anyone with even a passing awareness of internet security knows that Remote Access Tools (RATs) are nothing new. The concept is old, but its implications still make my head spin every time I think about them.

A good idea of how 'personal' these can get comes from a very interesting piece Ars Technica ran earlier this year on RAT breeders and how they discuss, amass and even 'give away' their 'slaves'.
(They have a sense of humour too, poking fun at their ugly slaves in another post.)

It was inevitable, and only a matter of time, before someone thought of implementing this on the all-encompassing spy devices popularly known as smartphones.

So what's new about AndroRAT? We've seen Mobile RATs before

Even though this isn't the first mobile RAT we've seen, AndroRat somewhat 'lowers the bar' for making a career as an Android hacker.

Although AndroRat itself is open source and can easily be found online, tools to package AndroRat into legitimate applications are making news in underground forums. These tools, called "binders", allow the Trojanization of regular applications. A binder can be bought for as little as $37, as advertised in this YouTube video. The hackforums thread linked in the video's description is shown in the screenshot below.

If you take the time to read the thread, you'll see a couple of interesting questions/requests from buyers, including someone who wanted to know whether it could be used to bind AndroRat to Google Apps.

Fig: A screenshot of a thread where AndroRAT binders are being sold.

What do these Binders do exactly?

1. Trojanization of legitimate applications by combining them with AndroRat into a common package. Some examples of Trojanized applications we have encountered include:
   • Games: 'Angry Birds', 'Plants vs. Zombies', 'Worms Armageddon 3'
   • Task management applications: 'Smart System Info', 'Advanced Task Manager'
   • 'PG Calculator Pro'
   • 'IAP Cracker'
   • 'TuneIn Radio'
   (If these applications sound familiar, you should probably have a look at the services running on your phone; "" is the service associated with AndroRat that you need to watch out for.)
2. Specification of the IP address of the attacker that AndroRat should connect to.

What happens to my phone if it's infected?

Visibly? Nothing.
The malware launches itself silently in the background every time the phone is switched on. However, an attacker could control your phone to perform functions like:
  • Displaying alerts on the infected phone
  • Switching on the phone camera, taking a picture and sending it to the attacker
  • Causing the infected phone to vibrate
  • Opening the phone's browser to display a specific URL
  • Making phone calls from the infected phone
  • Sending out SMS from the infected phone without any visible signs
  • Call and SMS monitoring
  • Retrieving call and SMS logs
  • Retrieving contact information
  • Downloading files from the victim's phone to the attacker's server
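As an added example (not Fortinet's tooling and not code from the androrat project), the Python script below triages a decoded APK for the two things described above: what a binder adds to a package (a BOOT_COMPLETED receiver and background service for silent start-up, the permission set the RAT's capabilities need, and an embedded attacker ip:port) and the capability list itself. It assumes the manifest has already been decoded to text with apktool and that printable strings have been pulled from classes.dex; both inputs are constructed inline here, and the package, component names and address in them are hypothetical.

```python
"""Triage a decoded APK for AndroRAT-style behaviour (added example)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS          # the android:name attribute, namespaced
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Permissions needed for the capabilities the post lists: boot persistence,
# camera, silent SMS, calls, call/SMS monitoring, contact and log dumps,
# vibration and the network link to the attacker.
RAT_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot",
    "android.permission.CAMERA": "take pictures",
    "android.permission.SEND_SMS": "send SMS silently",
    "android.permission.READ_SMS": "read SMS / SMS logs",
    "android.permission.RECEIVE_SMS": "monitor incoming SMS",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.READ_PHONE_STATE": "monitor calls",
    "android.permission.READ_CALL_LOG": "retrieve call logs",
    "android.permission.READ_CONTACTS": "retrieve contacts",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.VIBRATE": "vibrate the phone",
    "android.permission.INTERNET": "talk to the attacker's server",
}

# A binder writes the attacker's address into the package; look for ip:port.
IP_PORT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")


def parse_manifest(xml_text):
    """Extract package, permissions, services and BOOT_COMPLETED receivers."""
    root = ET.fromstring(xml_text)
    boot_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME) for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(receiver.get(NAME))
    return {
        "package": root.get("package"),
        "permissions": {p.get(NAME) for p in root.iter("uses-permission")},
        "services": [s.get(NAME) for s in root.iter("service")],
        "boot_receivers": boot_receivers,
    }


def find_c2_candidates(strings):
    """Return syntactically valid (ip, port) pairs found in the strings, deduplicated."""
    found = set()
    for s in strings:
        for ip, port in IP_PORT_RE.findall(s):
            octets_ok = all(int(o) <= 255 for o in ip.split("."))
            if octets_ok and 0 < int(port) < 65536:
                found.add((ip, int(port)))
    return sorted(found)


def triage(xml_text, dex_strings, threshold=6):
    """Score a sample; a score >= threshold flags it for analyst review."""
    m = parse_manifest(xml_text)
    capabilities = {p: RAT_PERMISSIONS[p] for p in sorted(m["permissions"])
                    if p in RAT_PERMISSIONS}
    # Boot receiver plus a service is the "launches itself silently every
    # time the phone is switched on" pattern described in the post.
    persistent = bool(m["boot_receivers"]) and bool(m["services"])
    c2 = find_c2_candidates(dex_strings)
    score = len(capabilities) + (2 if persistent else 0) + (2 if c2 else 0)
    return {"package": m["package"], "capabilities": capabilities,
            "persistent": persistent, "c2_candidates": c2,
            "score": score, "suspicious": score >= threshold}


def make_manifest(perms, extra_components=""):
    """Build an apktool-style manifest (constructed test input, not a real app)."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="%s" package="com.example.birds">%s'
            '<application android:label="Birds">'
            '<activity android:name="com.example.birds.MainActivity">'
            '<intent-filter><action android:name="android.intent.action.MAIN"/>'
            '<category android:name="android.intent.category.LAUNCHER"/>'
            '</intent-filter></activity>%s</application></manifest>'
            % (ANDROID_NS, uses, extra_components))


# Constructed inputs: a plain game, and the same game after a binder run.
BENIGN_PERMS = ["android.permission.INTERNET", "android.permission.VIBRATE"]
BENIGN_STRINGS = ["https://ads.example.com/v1", "Level complete!"]
# Component names are hypothetical; a real binder would use its own.
RAT_COMPONENTS = ('<receiver android:name="rat.client.BootReceiver"><intent-filter>'
                  '<action android:name="%s"/></intent-filter></receiver>'
                  '<service android:name="rat.client.LauncherService"/>' % BOOT_ACTION)
TROJANIZED_PERMS = sorted(RAT_PERMISSIONS)   # the binder adds everything the RAT needs
TROJANIZED_STRINGS = BENIGN_STRINGS + ["198.51.100.7:1337"]   # hypothetical C2


def demo():
    """Triage both constructed samples; returns (benign_verdict, trojan_verdict)."""
    benign = triage(make_manifest(BENIGN_PERMS), BENIGN_STRINGS)
    trojan = triage(make_manifest(TROJANIZED_PERMS, RAT_COMPONENTS), TROJANIZED_STRINGS)
    return benign, trojan


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The scoring is deliberately simple: a permission count alone would also flag a legitimate dialler or messaging app, so the boot receiver and the hard-coded ip:port carry extra weight, since neither belongs in a game or calculator. On a real sample, run `apktool d sample.apk` and `strings classes.dex` to produce the two inputs; an ip:port hit is also the value to pivot on when hunting for other packages built by the same binder.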

The video below demonstrates how an Angry Birds application Trojanized with AndroRat can be directed from a remote server to perform some of these actions.

Thanks to Reverse NaM for helping with minor, yet colossal, errors during the demo setup.

What is Fortinet doing about this?

Fortinet currently has 100+ signatures for this RAT, which is detected as Android/AndroRat.A!tr.spy and detailed in our Threat Encyclopedia description. All samples use code from a project called androrat, originally developed by students as part of a university project.

So, the next time you're home alone on your computer/mobile, you might have more than that monster in your closet or under your bed watching you.
