Malware threatens Android, uses Remote Access Trojan

Android remains the number one mobile operating system worldwide, which also makes it the platform malware authors target most.

In 2013 about 98 percent of all mobile malware detected targeted the Android platform, making it the prime target for malicious attacks.

Various techniques are used to target Android users; spammers, for example, spread Android malware through phishing. Mobile antivirus companies and their research labs report new variants of Android malware regularly.

SandroRAT is a new variant of Android RAT (remote access trojan) malware. Attackers have recently spread SandroRAT through phishing, sending victims an email with a subject line such as

“Caution! Detected malware on your phone!”

together with a download link for, or an attached APK of, the malware. The sample McAfee Labs received from a customer in Poland was named Kaspersky_Mobile_Security.apk and arrived as an attachment to a phishing mail like the one below:

(Screenshot: phishing mail)

The body of the message states that the bank is providing the attached free mobile security application to detect malware that steals the SMS codes (mTANs) used to authorize electronic transactions. The attached application is in fact a version of the Android RAT SandroRat, which was announced at the end of last year on the HackForums hacking community. The RAT and its source code are for sale, so anyone can build a custom version of this malware.

SandroRAT also contains routines to decrypt WhatsApp's encrypted chat backups. The latest versions of WhatsApp use a newer backup encryption scheme (crypt7) that the malware's decryption routines do not handle, so WhatsApp users should update the app to the latest version. Note that this closes only that one avenue; none of the capabilities listed below depend on WhatsApp.


What can Android RAT malware do on your phone?

  1. Steal sensitive personal information such as the contact list, SMS messages (inbox, outbox, and sent), call logs (incoming, outgoing, and missed calls), browser history (title, link, date), bookmarks, and GPS location (latitude and longitude).
  2. Intercept incoming calls and record them to a WAV file on the SD card, to be leaked later.
  3. Update itself (or install additional malware) by downloading a file named update.apk and prompting the user to install it.
  4. Intercept, block, and steal incoming SMS messages.
  5. Send MMS messages with parameters (phone number and text) provided by the control server.
  6. Insert and delete SMS messages and contacts.
  7. Record surrounding sound and store it in an AMR (Adaptive Multi-Rate) audio file on the SD card, to be sent to a remote server later.
  8. Open the dialer with a number supplied by the attacker, or execute USSD codes.
  9. Display Toast (pop-up) messages on the infected device.


What precautions should Android users take?

  • Ignore threatening security-warning emails; antivirus companies do not send such emails, and any mail urging you to install an attached APK is a phishing attempt regardless of the brand it borrows.
  • Don't install Android applications from untrusted sources, email attachments and download links included.
  • Check an application's permissions before installing it. A "security" app that asks to receive SMS, record audio, read call logs and contacts, and track your location is asking for exactly what the RAT described above needs.
  • Keep your operating system secure by applying the security patches released by your smartphone vendor as soon as they are available.
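As an added example (not code from the McAfee report or from this post), the following Python script turns the capability list above and the "check the permissions" advice into a concrete check. It reads a decoded AndroidManifest.xml, maps the declared permissions onto those capabilities, and flags a broadcast receiver registered for SMS_RECEIVED at high priority, which is the classic way SMS-stealing malware reads and suppresses incoming messages on Android versions before 4.4 (from 4.4 on, only the default SMS app can abort that broadcast). The permission-to-capability table, the priority threshold, the sample manifest and its package name are my own assumptions for illustration; the post does not state which permissions or receivers SandroRAT actually declares.

```python
"""Triage a decoded AndroidManifest.xml for the RAT capabilities listed above.

Added example, not part of the McAfee report or the Varutra post. It assumes
the APK has already been decoded with apktool so the manifest is plain XML
(inside an APK it is binary AXML). The permission-to-capability table is my own
mapping of the capability list in this post to the Android permissions each one
needs; it is not a list of what SandroRAT declares.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Capability from the list above -> permission(s) an app needs to perform it.
CAPABILITIES = {
    "steal contacts": {"android.permission.READ_CONTACTS"},
    "steal/insert/delete SMS": {"android.permission.READ_SMS", "android.permission.WRITE_SMS"},
    "intercept incoming SMS": {"android.permission.RECEIVE_SMS"},
    "send SMS/MMS": {"android.permission.SEND_SMS"},
    "steal call logs": {"android.permission.READ_CALL_LOG"},
    "record calls/surroundings": {"android.permission.RECORD_AUDIO"},
    "track GPS location": {"android.permission.ACCESS_FINE_LOCATION"},
    "steal browser history/bookmarks": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
    "open dialer / run USSD codes": {"android.permission.CALL_PHONE"},
}
NETWORK = "android.permission.INTERNET"
# Heuristic threshold (assumption): a receiver for SMS_RECEIVED with a high
# priority runs before the stock SMS app and, on Android before 4.4, can call
# abortBroadcast() so the message never reaches the inbox. The post does not
# say SandroRAT uses this mechanism; it is the classic way mTAN stealers do it.
SUSPICIOUS_PRIORITY = 100


def parse_manifest(xml_text):
    """Return (declared permissions, [(receiver name, priority)] for SMS_RECEIVED)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    perms.discard(None)
    sms_receivers = []
    for recv in root.iter("receiver"):
        for filt in recv.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in filt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = filt.get(ANDROID_NS + "priority", "0")
                sms_receivers.append((recv.get(ANDROID_NS + "name"), int(prio)))
    return perms, sms_receivers


def triage(xml_text):
    """Map declared permissions to RAT capabilities and flag SMS interception."""
    perms, sms_receivers = parse_manifest(xml_text)
    caps = sorted(name for name, needed in CAPABILITIES.items() if needed & perms)
    findings = []
    if NETWORK in perms and caps:
        findings.append("INTERNET plus %d data-access capabilities: exfiltration possible"
                        % len(caps))
    for name, prio in sms_receivers:
        if prio >= SUSPICIOUS_PRIORITY and "android.permission.RECEIVE_SMS" in perms:
            findings.append("%s handles SMS_RECEIVED at priority %d: can read and abort "
                            "SMS before the inbox sees them (Android before 4.4)"
                            % (name, prio))
    return {"permissions": perms, "capabilities": caps,
            "sms_receivers": sms_receivers, "findings": findings}


# Constructed sample (not a real malware manifest): shaped like a fake "mobile
# security" app that asks for everything the capability list needs. The package
# name is made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake_mobile_security">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Mobile Security">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    for cap in report["capabilities"]:
        print("capability:", cap)
    for finding in report["findings"]:
        print("FINDING:", finding)
```

To use it on a real sample, decode the APK with apktool (apktool d sample.apk) and pass the resulting AndroidManifest.xml to triage(); the manifest inside the APK itself is binary AXML, which xml.etree cannot parse. Treat the output as a triage aid rather than proof: a genuine SMS or backup app may legitimately declare several of these permissions, so weigh the result against what the app claims to be.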

Source: McAfee

Varutra has developed a mobile application for checking vulnerabilities in your smartphone's mobile operating system. Access the MVD application from or download the Android version of the MVD app from Google Play.

Author: Snehal Raut

Security Consultant,

Varutra Consulting