Cyble-RAT-Trojan

New malware Campaign delivers Android RAT

Sophisticated RAT spying on Mobile Devices

During our routine threat hunting exercise, Cyble Research Labs came across several Android malware samples with similar code targeting Android users via RAT activities.

These samples mostly use the names and icons of legitimate applications or organizations such as Invoice.apk, Google.apk, prueba.apk, ZiniTevi.apk, and cisamu.apk to lure the users into executing them.

Based on our intelligence, we identified that this variant had surfaced frequently in the wild in the last few months. This new campaign has been active since March 2022, and we observed over 200 samples from the same variant targeting Android users.

We identified several sophisticated features in this malicious app. By leveraging these features, the app can steal data such as clipboard data, device info, SIM details, device IP, SMSs, device location, call logs, device MAC Address, etc. The application can also record video and audio, read SMS and take pictures from the camera as well.

Technical Analysis

APK Metadata Information

  • App Name:  Google Service Framework
  • Package Name: com.example.reverseshell2
  • SHA256 Hash: 11940887451fb4e8249b88c4730e5251a0fd6b2f7648574f7b0fedc948b4c2c7

Figure 1 shows the metadata information of an application.

Figure 1 – App Metadata Information

The figure below shows the application icon and name displayed on the Android device.

Figure 2 – App Icon and Name

Manifest Description

The malware requests users for 18 different permissions, of which it abuses 9. These dangerous permissions are listed below.

PermissionsDescription
ACCESS_WIFI_STATEAllows the app to get information about Wi-Fi connectivity.
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files to the device’s external storage.
READ_EXTERNAL_STORAGEAllows the app to read the contents of the device’s external storage.
READ_SMSAccess phone messages.
RECORD_AUDIOAllows the app to record audio with the microphone, which has the potential to be misused by attackers
ACCESS_COARSE_LOCATIONAllows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi.
ACCESS_FINE_LOCATIONAllows the device’s precise location to be detected by using the Global Positioning System (GPS).
READ_CALL_LOGAccess phone call logs.
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.

Source Code Review

Our static analysis indicated that the malware steals the information from the infected device based on the commands received from the Command and Control (C&C) server.

While launching the application for the first time, it hides its icon from the device screen and runs silently in the background. The below code snippet is used to hide the app icon.

Figure 3 – Code to Hide App Icon

After execution, the malware monitors the user’s clipboard activity, steals any data copied over to the clipboard, and sends it to the C&C server. The malware uses the code shown in Figure 4 to grab the clipboard data.

Figure 4 – Code to Grab Clipboard Data

The malware identifies the number of cameras present in the device and enumerates this data point to gain information about them. The malware can then use these identified cameras to capture images from the victim’s device.

Figure 5 – Code to Get Camera Info

The malware executes the deviceInfo() method to collect information about the victim’s device, such as manufacturer, model and brand details, etc. as shown in the figure below.

Figure 6 – Code to Get Device Info

The malware calls the getPhoneNumber() method to collect information about SIM details, IMEI number, mobile number, call state, etc.

Figure 7 – Code for Collect SIM Info

Using built-in code, the malware can also identify the IP address of the infected machine, as shown in Figure 8.

Figure 8 – Code to Get IP Address

By collecting the victim’s SMS data, the Threat Actors can perform various malicious activities such as stealing contact details, bypassing Two-Factor-Authentication, etc.

Figure 9 – Code to Get SMSs

Upon receiving a command from the C&C server, the malware steals the device’s location through GPS and any connected networks.

Figure 10 – Steals Device Location

Based on the commands received from the TA’s C&C server, the malware can also record audio using the devices microphone ,as shown in the below code snippet.

Figure 11 – Code to Record Audio

The code present in Figure 12 demonstrates the malware’s ability to record video using the device camera.

Figure 12 – Code Record Video

Figure 13 showcases the code through which the malware can steal calllogs from the infected device. Further, this collected data can be used for various malicious activities such as Smishing.

Figure 13 – Code to Steal CallLogs

The code in the below snippet depicts the malware’s capability to gain access to the device’s MAC address.

Figure 14 – Code to Get Device’s MAC Address

The malware communicates with the Android device via the C&C URL: 8[.]tcp.ngrok.io:19742 as shown below.

Figure 15 – C&C URL

We have listed the commands used by the TAs to control the infected device below:

CommandDescription
camListCollects Camera List (Front & Back)
takepicTakes Picture from Camera
getClipDataCollects Clipboard Data
deviceInfoCollects Device Info
getSimDetailsCollects SIM Details
getIPCollects Device IP
getSMSCollects SMS Data from Device
getLocationCollects Device Location
startAudioStarts Audio Recording
stopAudioStops Audio Recording
startVideoStarts Video Recording
stopVideoStops Video Recording
getCallLogsCollects CallLogs
getMACAddressCollects Device Mac Address

Conclusion

The volume and sophistication of Cyberattacks on Android users are increasing daily. This malware category is one such example of an Android application pretending to be legitimate and performing RAT activities behind the scenes.

According to our research, these types of malware are only distributed via sources other than Google Play Store. As a result, practicing basic cyber-hygiene across mobile devices and online banking applications is a good way to prevent malware such as this from compromising your devices.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.

MITRE ATT&CK® Techniques 

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean.
Initial AccessT1444Masquerade as Legitimate Application
ExecutionT1575Native Code
CollectionT1433Access Call Log
CollectionT1412Capture SMS Messages
CollectionT1429Capture Audio
CollectionT1512Capture Camera
CollectionT1533Data from Local System
CollectionT1430Location Tracking
Command and ControlT1436Commonly Used Por

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
42c03ec2513311a338d15456e2a2a880MD5RAT APK
c45015ac27031ba2e1aaabed3efe00cefa6cc607SHA-1RAT APK
11940887451fb4e8249b88c4730e5251a0fd6b2f7648574f7b0fedc948b4c2c7SHA-256RAT APK
4685a80d940cb14a3b1165ddeca51637MD5RAT APK
5a74272d938074a6ca5280aaad721b30c32e832fSHA-1RAT APK
3737d32ca2ba4833d962689d27e4475a73119127c2fed5196aafca86a559a731SHA-256RAT APK
4d9181087dceab78a0128c124f5a52f6MD5RAT APK
8f61bb17de21bb3b922b946d937239c308635cf4SHA-1RAT APK
e7fe356431ff57d1c4781ef3912639cd4b7a58075b0376c5bf2fcf94b7757ee2SHA-256RAT APK
030351538f178f213d787396f88ac159MD5RAT APK
604ff7a11e793ec741d29ca907d84883ef6e26cbSHA-1RAT APK
e83d3384889ca8d0a387dbd3e8ac1d677b6695b07f73f42c2b0947cc2423d602SHA-256RAT APK
545d3494d269b90dea6729cb05123d80MD5RAT APK
ff4da99e4107c18cbf31fb0998526a771c4a875cSHA-1RAT APK
749090139d56cd119fb2fda2d3faa0d0361b35a6889decb0d45a3677166aab0fSHA-256RAT APK
Scroll to Top