Cyble-AIRAVAT

AIRAVAT Malware Targeting Android Users

Sophisticated RAT capable of performing Ransomware Attacks

While conducting our routine Open-Source Intelligence (OSINT) research, Cyble Research Labs came across a Twitter Post wherein the researcher mentioned an opendir website “hxxp://blindajeseguro[.]online,” which was hosting a malicious Android application.

Upon analyzing the application, we observed that the Threat Actor (TA) was using the source code of the “Pro” version of AIRAVAT RAT, which the TA may have bought from the AIRAVAT author.

Figure 1 – Opendir website hosting Android malware

AIRAVAT is a multifunctional Android RAT with a web panel without port forwarding. The source code of AIRAVAT’s basic version is available on Github, while the Pro version’s source code is not publicly available.

The below figure compares the malware’s Basic and Pro features.

Figure 2 – Android malware executing Pro version command

Our research has identified over 100 samples related to this RAT since April 2022 alone, indicating that the malware is already being widely deployed and distributed.

Cyble Research Labs continuously monitors applications using this open-source RAT project to perform malicious activities. In April 2022, we came across the Telegram channel where a TA named “Sphanter” was selling an Android RAT for $199. The TA posted multiple malicious APK files, including “Teat version.apk,” which contained the source code to the Pro version of AIRAVAT RAT.

Figure 3 – Test version RAT posted by TA

Typically, the TA uses open-source Github projects or the purchased Pro version(s) from the original author, modifies the source code according to their requirements, and sells the malware on different platforms.

During our research, we observed AIRAVAT RAT being promoted on various cybercrime forums with the disclaimer

“TO BE USED FOR EDUCATION PURPOSE ONLY.”

Figure 4 – AIRAVAT RAT promoted on Hacker’s forum

Our research indicates that the RAT has an extremely simplified structure and is easy to set up despite having immensely powerful functionalities, which could explain its popularity among TAs who are purchasing and using it. These functionalities have been discussed in detail in the Technical Analysis section.

Technical Analysis

APK Metadata Information  

  • Package Name: sigma.male
  • SHA256 Hash: ab91fcca30556555b8fe6128075c80c3bd906eed5facdc57f2e493ddbb37f779

  

Figure 5 shows the metadata information of the malicious application. 

Figure 5 – App Metadata Information

Manifest Description 

The malicious app mentions 21 permissions in the manifest file, of which the TA takes advantage of 10. The malware’s harmful permission request is as follows: 

Permission  Description 
WRITE_CALL_LOGAllows an application to write (but not read) the user’s call log data.
CAMERARequired to be able to access the camera device.
READ_CALL_LOGAllows an application to read the user’s call log.
READ_CONTACTSAllows an application to read the user’s contact data.
READ_EXTERNAL_STORAGEAllows an application to read from external storage.
WRITE_EXTERNAL_STORAGEAllows an application to write to external storage.
RECORD_AUDIOAllows an application to record audio.
READ_SMSAllows an application to read SMS messages.
RECEIVE_SMSAllows an application to receive SMS messages.
CALL_PHONEAllows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call

Source Code Review 

The application is not visible on the device as it has no icon and runs silently in the background after installation. The malicious application further connects to the firebase Command and Control (C&C) server to receive the commands from TA to perform the specific attack on the victim’s device, as shown below.

Figure 6 – List of commands received from the C&C server

The getAllSMS() method is used by the malware to collect all the SMS data from the victim’s device and send it to the C&C server.

Figure 7 – Collecting SMSs upon receiving the C&C server command

After receiving the command Dmpcall, the malware collects the call log data and sends it to the C&C server, as shown below.

Figure 8 – Collecting Call Log data

The malware can receive different shell commands from the C&C server and execute them on the victim’s device. TAs execute these shell commands to perform actions such as opening/terminating applications, monitoring network, and file activities, etc.

Figure 9 – Executing shell commands

The malware has the code to send an SMS from the victim’s device, whereas the recipient number and SMS content are provided by the TA’s C&C server, as shown in the image below.

Figure 10 – Sending an SMS from the victim’s device

The malware uses the method _voicere() to start recording audio using a media recorder and send these recordings to the TA’s C&C server.

Figure 11 – Recording audio on the server command

The TA sends the command ransom1 to encrypt the files on the victim’s machine; after file encryption, the ransom message, including the ransom amount, is displayed on the victim’s device via notifications.

Once the victim pays the ransom amount, the TA can send a command ransom2 to decrypt the victim’s files.

Figure 12 – Ransomware module executes upon receiving the server command

The malware uses the code below to capture images using the victim’s device camera and to send the captured images to the C&C server.

Figure 13 – Capturing photos by accessing the camera

The TA sends the command delfile along with the file name to delete specific files on the victim’s device, as shown below.

Figure 14 – Malware deletes targeted file received with the command

The TA can use the command openweburi to send phishing URLs to steal the user’s sensitive information, such as credentials.

Figure 15 – Code used for a phishing attack

Along with the aforementioned features, the malware can also change the wallpaper of the victim’s device, play random music, vibrate the device, perform keylogging, and gather SIM card information.

The commands used by the malware are:

Command Description 
dmpsmsCollects SMS data 
dmpcallCollects Call logs
dmpcontCollects Contact list 
getpackagesCollects installed application package names 
shellcmdExecute shell commands
deviceinfoCollects device info  
toasttextCollects toast notification data 
ttsdevExecutes text to speech
vibratedevVibrates device
playsmusicPlay random music 
sendsmsSends SMS from victims’ device
changewallLaunches the defined URL 
voicerecRecords audio
encryptEncrypts files
decryptDecrypts files
ransom1Ask for ransom and encrypt files
ransom2Decrypt files after receiving
capturecamCaptures camera images
delfileDeletes file from victim’s device
simcardinfoCollets Simcard info
openweburiOpen phishing page

Conclusion

Telegram has emerged as a rising marketplace for TAs to sell malware and run different malicious campaigns. Our research indicated that TAs leverage open-source projects and sell them on Telegram channels and other platforms for financial gain. In the past, we have seen the TAs using the leaked source code of several tools such as Spynote, SpyMax RAT, and many more.

Cyble Research Labs continuously monitors the use of such open-source projects being leveraged by TAs for any malicious intent, and we will keep our readers aware and informed.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform a factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank.

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean.
CollectionT1412Capture SMS Messages
CollectionT1432Access Contact List
CollectionT1433Access Call Logs
CollectionT1429Capture Audio
CollectionT1533Data from Local Storage
CollectionT1512Capture Camera
ImpactT1447Delete Device Data
Input CaptureT1417Input Capture
CollectionT1436Commonly used ports

Indicators Of Compromise (IOCs)

IndicatorsIndicator TypeDescription
ab91fcca30556555b8fe6128075c80c3bd906eed5facdc57f2e493ddbb37f779SHA256Hash of the analyzed APK file
faed58d2c8e8931e3e78cda0835d3851d13e295eSHA1Hash of the analyzed APK file 
6fac9478a54847894dd18a4dd872193eMD5Hash of the analyzed APK file
hxxp://blindajeseguro[.]online/URLMalware distribution site
hxxps://jhon-30119-default-rtdb[.]firebaseio.comURLC&C server
1d3be2cf4af7b2a976f17c6e3f09c925171c7496706aefd4518cd0de772bf2e6SHA256Hash of the analyzed APK file
d343bd8e54d0a5fbbb5ef95ba29e11169e0a6ed6SHA1Hash of the analyzed APK file
9518cc7b90498c97fa2644689cd7af05MD5Hash of the analyzed APK file
e2d37779a91da5bff2a066a614cb03d77fb2e17e36660ca838eab92b82d61440SHA256Hash of the analyzed APK file
d9eaf807b464dcd10ef4adf56253e5fc8d84ceceSHA1Hash of the analyzed APK file
c1b1be3d2060ba12de2bf1cab7a779a2MD5Hash of the analyzed APK file
hxxps://dragomitch[.]com/URLMalware distribution site
Scroll to Top