AndroRAT is just one of the numerous open-source tools that were created and published on underground forums to enable the hacking of Android mobile devices.
AndroRAT is an open-source tool that was created and published on the Internet in November 2012. It is a RAT (Remote Access Tool) for Android OS and, exactly like any other RAT, it allows a remote attacker to control the victim. RATs usually have a user-friendly control panel that makes it possible to control victims; in the same way, AndroRAT can control infected devices, make phone calls and send SMS messages from them. It is also able to get a device's GPS coordinates, access files stored on the handset, and activate and use the microphone and camera. The growing popularity of Android OS has led to an increase in malicious code developed for Google's platform, RATs included.
The RAT comes in the form of an APK which is the standard application format for Android. When used in conjunction with the AndroRAT APK binder, it easily allows an attacker with limited expertise to automate the process of infecting any legitimate Android application with AndroRAT, thus Trojanizing the app. When the Trojanized version of the legitimate app is installed on the device, the user unsuspectingly installs AndroRAT alongside the legitimate app they intended to install. This allows the attacker to circumvent elements of the Android security model through deception. To date, Symantec has counted 23 cases of popular legitimate apps being Trojanized in the wild with AndroRAT.
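From the defender's side, a Trojanized copy of an app has to request the permissions that gate the capabilities listed above, so comparing its manifest with a known-good release is a quick triage check. The following is an added example, not code from Symantec, Google or the AndroRAT project; it assumes both manifests are already decoded to text XML, and the permission mapping, the package name `com.example.notes`, the threshold and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities the article attributes to AndroRAT, mapped to the standard
# Android permissions that gate them (the mapping is this example's assumption).
RAT_CAPABILITY_PERMS = {
    "android.permission.CALL_PHONE": "make phone calls",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "GPS coordinates",
    "android.permission.READ_EXTERNAL_STORAGE": "files on the handset",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}  # ignore malformed entries with no android:name

def added_rat_capabilities(original_xml, candidate_xml):
    """Permissions absent from the known-good manifest but present in the
    candidate, limited to those gating a capability named in the article."""
    added = requested_permissions(candidate_xml) - requested_permissions(original_xml)
    return {p: RAT_CAPABILITY_PERMS[p] for p in sorted(added) if p in RAT_CAPABILITY_PERMS}

def looks_trojanized(original_xml, candidate_xml, threshold=3):
    """Heuristic: flag the candidate when it gains several RAT-style
    permissions at once. The threshold is a tunable assumption."""
    return len(added_rat_capabilities(original_xml, candidate_xml)) >= threshold

def _manifest(perms):
    """Build a constructed sample manifest for the hypothetical package."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.notes">{uses}<application/></manifest>')

# Constructed samples: known-good release, repackaged copy, ordinary update.
ORIGINAL = _manifest(["android.permission.INTERNET"])
REPACKAGED = _manifest(["android.permission.INTERNET", *RAT_CAPABILITY_PERMS])
BENIGN_UPDATE = _manifest(["android.permission.INTERNET", "android.permission.CAMERA"])

if __name__ == "__main__":
    for label, xml in (("repackaged", REPACKAGED), ("benign update", BENIGN_UPDATE)):
        print(label, looks_trojanized(ORIGINAL, xml), added_rat_capabilities(ORIGINAL, xml))
```

A permission diff is only a triage signal; a repackaged app also cannot be signed with the original developer's key, so comparing signing certificates against the known-good release is the stronger check.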
Subsequently, we have also spotted a commercial Java RAT named Adwind (Backdoor.Adwind) that already supports multiple operating systems and seems to be in the process of incorporating an Android module based off the AndroRAT open source code. Again, this RAT also features a graphical user interface allowing the attackers to manage and control the RAT remotely.
A demonstration video that shows Adwind working with Android also shows the presence of AndroRAT on the infected phone, suggesting that the authors of Adwind may be customizing the AndroRAT tool to incorporate it into Adwind. This development comes as no surprise, as the open source nature of the AndroRAT code means it can be easily customized into new threats and tools.
At present, Symantec telemetry shows only several hundred infections of Android.Dandro worldwide, with the United States and Turkey being the most targeted countries. However, the telemetry is reporting a rise in infection numbers as of late, which we expect will continue as both the availability and sophistication of tools for AndroRAT increase.
Google is aware of the wave of attacks targeting Android OS and has recently published on its official blog a few suggestions on how to protect users' mobile devices:
1. Lock your device screen.
2. Protect your phone from suspicious apps.
3. Locate, ring and wipe a misplaced device.