Why are we discussing pest control on a security blog?
Anyone who is remotely aware of internet security would know that Remote Access Tools (RATs) are not new to the internet. The concept is not new, but its implications don't fail to make my brain flip every time I think of it.
A good idea of how 'personal' these can get is given in this very interesting piece Ars Technica published earlier this year on RAT breeders and how they discuss, amass and even 'give away' their 'slaves'.
(They seem to have a funny bone too, poking fun at their ugly slaves in another post)
It was inevitable, and only a matter of time, before someone thought of implementing this on the all-encompassing spy devices popularly known as smartphones.
So what's new about AndroRAT? We've seen Mobile RATs before
Even though this isn't the first instance of a mobile RAT we've seen, AndroRat somewhat 'lowers the bar' for making a career as an Android hacker.
Although AndroRat itself is open source and can be easily found online, tools to package AndroRat into legitimate applications are making news in underground forums. These tools, called "binders", mainly allow the Trojanization of regular applications. A binder can be bought for as little as $37, as can be seen advertised in this YouTube video. The thread on hackforums linked in the description is shown in the screenshot below.
If you take the time out to read the thread, you'll see a couple of interesting questions/requests from buyers, including someone who wanted to know if it could be used to bind AndroRat to Google Apps.
Fig: A screenshot of a thread where AndroRAT binders are being sold.
What do these Binders do exactly?
What happens to my phone if it's infected?
The malware launches itself silently in the background every time the phone is switched on. From there, an attacker can control your phone to perform functions such as:
- Displaying alerts on the infected phone
- Switching on the phone camera, taking a picture and sending it to the attacker
- Causing the infected phone to vibrate
- Opening the phone's browser to display a specific URL
- Making phone calls from the infected phone
- Sending out SMS from the infected phone without any visible signs
- Call and SMS monitoring
- Retrieving call and SMS logs
- Retrieving contact information
- Downloading files from the victim's phone to the attacker's server
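To make the capability list above useful from the defender's side, here is an added example (not Fortinet's signature logic and not code from the androrat project) that triages an AndroidManifest.xml already decoded to plain XML (for instance with apktool): it maps the behaviours listed above to the permissions an app must declare to perform them, and checks for a receiver subscribed to BOOT_COMPLETED, which is how an app starts itself every time the phone is switched on. The manifest it inspects is a constructed sample, and the capability mapping and the "three or more capabilities plus boot start" threshold are assumptions for illustration, not a vendor detection rule.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviours described in the post, mapped to the (real) Android permissions an
# APK must declare to perform them. The mapping itself is an assumption for triage.
CAPABILITY_PERMISSIONS = {
    "camera capture": {"android.permission.CAMERA"},
    "silent SMS sending": {"android.permission.SEND_SMS"},
    "SMS monitoring": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call log / call monitoring": {"android.permission.READ_CALL_LOG",
                                   "android.permission.READ_PHONE_STATE"},
    "placing calls": {"android.permission.CALL_PHONE"},
    "contact retrieval": {"android.permission.READ_CONTACTS"},
    "network exfiltration": {"android.permission.INTERNET"},
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(manifest_xml: str) -> dict:
    """Report which spyware-style capabilities a decoded manifest grants and
    whether any receiver listens for BOOT_COMPLETED (start-at-boot)."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    caps = sorted(c for c, perms in CAPABILITY_PERMISSIONS.items() if perms & declared)
    starts_at_boot = any(
        a.get(ANDROID_NS + "name") == BOOT_ACTION
        for recv in root.iter("receiver") for a in recv.iter("action"))
    # Assumed threshold: a boot-started app with several of these powers deserves a look.
    return {"capabilities": caps, "starts_at_boot": starts_at_boot,
            "suspicious": starts_at_boot and len(caps) >= 3}


# Constructed sample (not a real sample's manifest): a game-style package that
# declares the permission set and boot receiver described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A game that legitimately needs only INTERNET would come out with one capability and no boot receiver, so the heuristic is meant to prioritise what to look at in a batch of repackaged APKs, not to replace signature matching.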
The video below demonstrates how an Angry Birds application Trojanized with AndroRat can be directed from a remote server to perform some of these actions.
Thanks to Reverse NaM for helping with minor, yet colossal, errors during the demo setup.
What is Fortinet doing about this?
Fortinet currently has 100+ signatures for this RAT, which is detected as Android/AndroRat.A!tr.spy, as detailed in our Threat Encyclopedia description. All samples use code from a project called androrat, which was originally developed by students as part of a university project.
So, the next time you're home alone on your computer/mobile, you might have more than that monster in your closet or under your bed watching you.