New campaign spreading Android Remote Access Trojan
SonicWall Capture Labs Threat Research team recently discovered a malware campaign that uses an Android Remote Access Trojan (RAT) with a broad set of capabilities, including keylogging, stealing sensitive device information, and capturing Google Authenticator codes. These features allow the attacker to access and exfiltrate valuable information from the victim's device, which can enable various types of fraud, including financial fraud and identity theft.
This malware uses icon masquerading, a common tactic used by malware authors to evade detection and deceive users. The technique involves using the icons of legitimate and popular apps as a disguise for malicious apps. This allows the malware to blend in with other apps on the device and avoid suspicion.
After installation, the malware prompts the victim to enable the Accessibility Service on the targeted device. If the victim grants permission, the malware then takes advantage of the Accessibility Service to perform malicious activities without the user’s knowledge.
Accessibility service usage is shown below:
Fig2: Accessibility permission
We also noticed that most of these malicious apps are fairly new and have only recently been submitted to malware-sharing platforms such as VirusTotal.
Fig3: Latest samples found on VT
The malware requests 34 permissions. Some of the critical permissions used in these apps are listed below:
The components declared in the manifest file (activities, services and receivers) are absent from the compiled classes.dex. This mismatch is a strong indicator that the app is packed: the classes that implement its declared components must be loaded from a payload that is only unpacked at runtime.
Fig4: Mismatched components in the manifest file
During execution, the malware unpacks a DEX payload stored as "PFf.so" in the assets section and drops it into the application's private data directory, from where the real malicious code is loaded.
Fig5: drops unpacked dex file in the application folder
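The manifest/DEX mismatch noted above can be checked mechanically during triage. The following is an added example (not SonicWall's tooling and not code from the sample): it parses the class_defs table of each bundled classes*.dex, converts the component names an analyst has pulled from the manifest (for example with `aapt dump xmltree app.apk AndroidManifest.xml` or apktool, since the manifest inside an APK is binary XML that this script does not parse) into DEX descriptors, and reports every declared component with no definition in the shipped code. The DEX fixture it builds for the demonstration is constructed here and contains only the tables the check needs; the class names in it are placeholders.

```python
"""Report manifest components that are not defined in an APK's bundled DEX files.

A component declared in the manifest but missing from every classes*.dex is a
strong sign the app loads its real code at runtime (a dropped payload such as
the 'PFf.so' DEX described above). Added example; not the analysed sample's code.
"""
import struct
import zipfile


def _read_uleb128(buf: bytes, pos: int):
    """Decode a ULEB128 value starting at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def dex_defined_classes(dex: bytes) -> set:
    """Return the descriptors ('Lcom/example/Main;') of every class *defined* in a DEX.

    Only class_defs is consulted, so classes that are merely referenced (framework
    types, or classes that live in a payload loaded later) are not counted.
    """
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    # Header offsets from the DEX format specification.
    _, string_ids_off = struct.unpack_from("<II", dex, 0x38)
    _, type_ids_off = struct.unpack_from("<II", dex, 0x40)
    class_defs_size, class_defs_off = struct.unpack_from("<II", dex, 0x60)

    def string_at(idx: int) -> str:
        (data_off,) = struct.unpack_from("<I", dex, string_ids_off + 4 * idx)
        _, start = _read_uleb128(dex, data_off)   # length prefix (UTF-16 code units)
        end = dex.index(b"\x00", start)           # MUTF-8 data is NUL-terminated
        return dex[start:end].decode("utf-8", errors="replace")

    def type_at(idx: int) -> str:
        (str_idx,) = struct.unpack_from("<I", dex, type_ids_off + 4 * idx)
        return string_at(str_idx)

    defined = set()
    for i in range(class_defs_size):
        # class_def_item is 32 bytes; its first field is class_idx into type_ids.
        (class_idx,) = struct.unpack_from("<I", dex, class_defs_off + 32 * i)
        defined.add(type_at(class_idx))
    return defined


def to_descriptor(java_name: str) -> str:
    """'com.example.Main' -> 'Lcom/example/Main;'"""
    return "L" + java_name.replace(".", "/") + ";"


def missing_components(manifest_components, dex_blobs):
    """Manifest component classes with no definition in any of the given DEX files."""
    defined = set()
    for blob in dex_blobs:
        defined |= dex_defined_classes(blob)
    return sorted(c for c in manifest_components if to_descriptor(c) not in defined)


def missing_components_in_apk(apk_path, manifest_components):
    """Same check against a real APK; reads every classes*.dex (multidex aware)."""
    with zipfile.ZipFile(apk_path) as z:
        blobs = [z.read(n) for n in z.namelist()
                 if n.startswith("classes") and n.endswith(".dex")]
    return missing_components(manifest_components, blobs)


def build_minimal_dex(defined_classes) -> bytes:
    """Constructed fixture: a bare DEX holding only string_ids, type_ids and class_defs.

    Checksum and signature are left zero; the parser above does not verify them.
    """
    descriptors = sorted(to_descriptor(c) for c in defined_classes)
    n = len(descriptors)
    string_ids_off = 0x70                      # tables start right after the 0x70-byte header
    type_ids_off = string_ids_off + 4 * n
    class_defs_off = type_ids_off + 4 * n
    data_off = class_defs_off + 32 * n
    data, string_offsets = bytearray(), []
    for d in descriptors:
        string_offsets.append(data_off + len(data))
        data += bytes([len(d)]) + d.encode() + b"\x00"   # ULEB128 length fits one byte here
    out = bytearray(b"dex\n035\x00" + b"\x00" * 24)      # magic, checksum, SHA-1 signature
    out += struct.pack("<IIIIII", data_off + len(data), 0x70, 0x12345678, 0, 0, 0)
    out += struct.pack("<IIII", n, string_ids_off, n, type_ids_off)
    out += struct.pack("<IIIIII", 0, 0, 0, 0, 0, 0)      # proto, field and method tables: empty
    out += struct.pack("<IIII", n, class_defs_off, len(data), data_off)
    for off in string_offsets:
        out += struct.pack("<I", off)
    for i in range(n):
        out += struct.pack("<I", i)                       # type_ids[i] -> string_ids[i]
    for i in range(n):
        out += struct.pack("<I", i) + b"\x00" * 28        # class_idx plus 7 unused fields
    out += data
    return bytes(out)


def demo():
    """Constructed case: four declared components, but the shipped DEX defines only a stub and a loader."""
    manifest = ["com.example.app.MainActivity", "com.example.app.AccService",
                "com.example.app.SmsReceiver", "com.example.app.NotifListener"]
    dex = build_minimal_dex(["com.example.app.MainActivity", "com.example.app.Loader"])
    return missing_components(manifest, [dex])
```

Any non-empty result from `missing_components_in_apk` deserves a look at the app's assets and native-library directories for the payload that supplies those classes; the check says nothing about apps that hide code in a classes2.dex, which is why all classes*.dex entries are read.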
The application hides its own icon so that it is not visible in the launcher’s app tray.
The threat actor uses the functions below to collect device information such as the IMEI number, country code, device model and the list of installed package names.
It stores the collected details in Shared Preferences and tries to connect to the C&C server (hxxps://141[.]98[.]6[.]86).
Fig8: Package Installation list
The malware can download HTML phishing pages from the Command and Control (C&C) server and inject them into a WebView, overlaying the targeted app to steal sensitive information such as login credentials and credit card numbers.
It reads incoming SMS messages on the device and saves them in JSON format.
Google Authenticator generates one-time codes for two-factor authentication (2FA), which strengthens account security by requiring a second verification step when a user signs in. This malware defeats that extra layer by using the Accessibility Service to read the 2FA codes displayed on the device.
The malware accepts commands from the C&C server that allow the malware author to send SMS messages and place calls from the infected device.
The malware has integrated keylogging functionality by taking advantage of the Accessibility Service.
This malware is also capable of taking screenshots of the victim’s device and sending them to the C&C server.
Fig15: Malware capture screenshots
It suppresses notifications by setting the Do Not Disturb interruption filter to "INTERRUPTION_FILTER_NONE" (total silence), locks the device, and sets the ringer to silent so that it remains unnoticed while it silently reads incoming notifications.
Fig16: Disable incoming notification
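Both the Accessibility Service abuse described earlier and the notification-listener/Do Not Disturb behaviour above leave traces in device settings that an incident responder can check with adb. The following added example (not SonicWall's tooling) parses the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners` and `adb shell settings get global zen_mode`, and flags every package holding those privileges that is not on an analyst-supplied allowlist. The allowlist, the zen_mode meanings, and the device output used in the demonstration are constructed for this example; the package name `com.example.dropper` is a placeholder, not an indicator from the campaign.

```python
"""Triage an Android device for the privileges this RAT depends on.

Added example, not part of the original analysis. The device output parsed
in demo() is constructed; triage_device() runs the real adb commands and is
only usable with a device attached.
"""
import subprocess

# Values stored in the global 'zen_mode' setting; 2 matches INTERRUPTION_FILTER_NONE.
ZEN_MODES = {"0": "off", "1": "priority only", "2": "total silence", "3": "alarms only"}

# Analyst-maintained allowlist of packages expected to hold these privileges (assumption).
KNOWN_GOOD = {"com.google.android.marvin.talkback", "com.android.systemui"}


def parse_component_list(setting_value: str) -> list:
    """Split a ':'-separated list of 'package/service' entries into (package, service) pairs.

    'settings get' prints 'null' when the setting is unset; treat that as empty.
    A service written as '.Foo' is shorthand for '<package>.Foo'.
    """
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    pairs = []
    for entry in value.split(":"):
        pkg, _, svc = entry.partition("/")
        if svc.startswith("."):
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def triage(accessibility: str, listeners: str, zen_mode: str, allowlist) -> dict:
    """Flag accessibility services and notification listeners outside the allowlist,
    and report whether Do Not Disturb is set to total silence."""
    allow = set(allowlist)
    acc = parse_component_list(accessibility)
    lst = parse_component_list(listeners)
    mode = zen_mode.strip()
    return {
        "suspicious_accessibility": [p for p in acc if p[0] not in allow],
        "suspicious_listeners": [p for p in lst if p[0] not in allow],
        "dnd_mode": ZEN_MODES.get(mode, "unknown"),
        "dnd_total_silence": mode == "2",
    }


def triage_device(allowlist=KNOWN_GOOD, adb="adb") -> dict:
    """Run the same checks against an attached device (adb must be on PATH)."""
    def get(namespace, key):
        return subprocess.run([adb, "shell", "settings", "get", namespace, key],
                              capture_output=True, text=True, check=True).stdout
    return triage(get("secure", "enabled_accessibility_services"),
                  get("secure", "enabled_notification_listeners"),
                  get("global", "zen_mode"), allowlist)


def demo() -> dict:
    """Constructed device output: a hidden placeholder app holds both privileges and DND is total silence."""
    acc = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
           ":com.example.dropper/.AccService")
    lst = "com.example.dropper/com.example.dropper.NotifListener"
    return triage(acc, lst, "2", KNOWN_GOOD)
```

A package that appears in both suspicious lists, has no launcher icon, and coincides with the device being set to total silence matches the behaviour described in this write-up and should be pulled with `adb pull` for analysis before it is removed.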
SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.
Indicators of Compromise (IOC):