Mobile Android Trojan Gives Crackers Remote Control of Users' Phones

While there have always been steady reports of malicious apps slipping onto Google's official Play Store, security researchers have flagged several in the last few days that are designed to run malware on end-user mobile devices. These apps are disguised as clean software, according to reports filed on a cyber threat intelligence aggregation repository.

Android is an attractive target, according to these researchers, because it has become the dominant mobile operating system. New attacks rely largely on the fact that many Android users don't run updated versions of the OS on their smartphones and tablets. Proprietary hardware designs in the mobile device industry often make it difficult to ship OS updates for existing devices, even when the hardware itself will keep functioning for years.

HeroRAT, as the name suggests, is a remote access Trojan that abuses the Telegram messaging service's bot API to connect an infected device with its operators' C2 channel. Since the traffic technically flows over HTTPS between the handset and Telegram's own legitimate servers, it blends in with ordinary messaging traffic and doesn't raise any red flags at the network level.
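The network-level point above has a detection angle. Bot API requests go to https://api.telegram.org/bot<bot_id>:<secret>/<method>, whereas the official Telegram apps speak MTProto to Telegram's data centres and never use that path; an Android process polling getUpdates and posting sendDocument is therefore running bot code on the phone, not the messenger. The script below is an added illustration written for this article (not HeroRAT code, not a vendor rule) that runs that heuristic over constructed proxy log lines. It assumes a URL-logging proxy with TLS inspection; with SNI-only logs you would see just the host, not the /bot path, and the rule degrades to "Android device talks to api.telegram.org". The IPs, user agents and bot tokens are made up.

```python
"""Flag clients that talk to the Telegram Bot API from a URL-logging proxy.

Added illustration for this article, not HeroRAT code and not a vendor rule.
Assumption: the proxy does TLS inspection and logs the request path; with
SNI-only logs you only see the host "api.telegram.org", not the /bot<token>/
path, and the heuristic degrades to "Android device talks to api.telegram.org".
"""
import re
from collections import Counter

# Bot API URLs have the form https://api.telegram.org/bot<id>:<secret>/<method>.
# The official Telegram apps use MTProto to Telegram's data centres instead, so
# a phone hitting this path is running *bot* code, not the messenger.
BOT_API_HOST = "api.telegram.org"
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)")
ANDROID_UA_RE = re.compile(r"Dalvik/|Android", re.IGNORECASE)

# Constructed sample lines (not captured traffic). Format:
# <client_ip> <host> <verb> <path> <user_agent...>
SAMPLE_LOG = """\
10.0.0.21 api.telegram.org GET /bot123456789:AAFakeTokenForIllustrationOnly0000/getUpdates Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G930F Build/NRD90M)
10.0.0.21 api.telegram.org POST /bot123456789:AAFakeTokenForIllustrationOnly0000/sendDocument Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G930F Build/NRD90M)
10.0.0.33 api.telegram.org GET /bot987654321:AAAnotherFakeToken0123456789ABCDEF/getMe python-requests/2.19.1
10.0.0.45 www.google.com GET /search?q=battery+saver Mozilla/5.0 (Linux; Android 8.0; Pixel 2)
10.0.0.21 api.telegram.org GET /bot123456789:AAFakeTokenForIllustrationOnly0000/getUpdates Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G930F Build/NRD90M)
10.0.0.50 api.telegram.org GET /robots.txt Mozilla/5.0 (Linux; Android 8.0; Pixel 2)
"""


def parse_line(line):
    """Split one log line into its five fields; return None for malformed lines."""
    parts = line.strip().split(maxsplit=4)
    if len(parts) < 4:
        return None
    client, host, verb, path = parts[:4]
    user_agent = parts[4] if len(parts) == 5 else ""
    return {"client": client, "host": host, "verb": verb, "path": path, "ua": user_agent}


def redact_token(token):
    """Keep the numeric bot id (useful for correlating devices) and mask the secret."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}...{secret[-4:]}"


def bot_api_call(host, path):
    """Return (bot_id, secret, method) if the request is a Bot API call, else None."""
    if host.lower() != BOT_API_HOST:
        return None
    m = BOT_PATH_RE.match(path)
    if not m:
        return None  # e.g. /robots.txt on the same host is not a bot call
    return m.group("bot_id"), m.group("secret"), m.group("method")


def find_bot_api_clients(log_text):
    """Group Bot API requests per client and note whether the client looks like an Android app."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        call = bot_api_call(rec["host"], rec["path"])
        if call is None:
            continue
        bot_id, secret, method = call
        entry = report.setdefault(
            rec["client"], {"bot_ids": set(), "tokens": set(), "methods": Counter(), "android": False}
        )
        entry["bot_ids"].add(bot_id)
        entry["tokens"].add(redact_token(f"{bot_id}:{secret}"))
        entry["methods"][method] += 1
        entry["android"] = entry["android"] or bool(ANDROID_UA_RE.search(rec["ua"]))
    return report


def alerts(report):
    """Android clients driving a bot are the HeroRAT-style pattern; other clients are informational."""
    out = []
    for client, entry in sorted(report.items()):
        sev = "HIGH" if entry["android"] else "INFO"
        out.append(f"{sev} {client} bots={sorted(entry['tokens'])} methods={dict(entry['methods'])}")
    return out


if __name__ == "__main__":
    for line in alerts(find_bot_api_clients(SAMPLE_LOG)):
        print(line)
```

Two design points: the same bot id showing up from several handsets ties those devices to one operator, which is why the id is kept while the secret is masked before it lands in a ticket; and the `/robots.txt` line shows why matching on the host alone is too coarse.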

Source code for HeroRAT has been made publicly available, which should make it easier for security researchers to author mitigations for it. Ironically, crackers have actually sold some versions of the malware to other crackers and even gone so far as to offer support for it as though it were a legitimate app.

While selling cracking tools isn't new, this does appear to be a worryingly professional deployment of that fringe business model.

In addition, a battery saver app recently deployed on the Google Play Store carried tainted code as well. It spreads via pop-up dialog messages that redirect users to its otherwise legitimate-looking landing page on the Play Store. While it does function as power saving software, it also carries a payload designed to silently click advertisements in order to send advertising revenue back to its operators.

Slightly over 60,000 devices had reported some type of infection at the time the researchers filed their reports. Given the enormous number of devices running Google Android, this is not a particularly large share of users.

Nevertheless, it does illustrate that users should be cautious even with apps from the official store.

Kamil Anwar
Kamil is a certified MCITP, CCNA (W) and CCNA (S), and a former British Computer Society member with over 9 years of experience configuring, deploying and managing switches, firewalls and domain controllers. He is also old-school and still active on FreeNode.