
Malware writers have become very adaptable, as evidenced by the rise of remote access tools (RATs) that run on multiple operating systems, along with the trend of cyber crooks manipulating fully functional apps.
Lutz Blaeser, MD of Intact Security, cites AndroRAT as a perfect example of this. "The code for this tool has been publicly available for months at GitHub, a hosting service for software development projects, as well as at Google Code."
He says AndroRAT began as a university project, designed to enable the legitimate and legal management of Android mobile devices. Because of this, it could be used in the end-point management area or in connection with the BYOD concept. An administrator could manage the installation of apps, manage contact lists and such-like.
"AndroRAT is user-friendly and easily adapted to user requirements," he adds. "However, the down side of this is that malware authors also enjoy its user-friendliness and have jumped on the bandwagon, and found ways to exploit AndroRAT for their own gains."
One example of this, according to Blaeser, is the recently uncovered "binder" tool that adds a whole new dimension to the RAT threat.
"When used together with the AndroRAT APK binder, AndroRAT allows even a fairly inexperienced hacker to automate the process of infecting any legitimate Android application with AndroRAT, essentially 'Trojanising' a legitimate app."
Blaeser points out that Android APK Binder essentially adds another access point to a legitimate app so that, when the device is booted, the "AndroRAT" component and not the legitimate app is opened in the background. From that moment, the device is part of a botnet and the attacker, therefore, has full control over it, and can read contacts, the call list, SMS and MMS messages, locate the device through GPS - pretty much anything the user can do.
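As an added defensive illustration (not code from the article or from any vendor named in it), the following Python checks a decoded AndroidManifest.xml for the trait just described: an extra component, declared in a package other than the app's own, that is registered to start when the device boots. The sample manifest, the package names and the BOOT_COMPLETED receiver are constructed assumptions about what such a bound APK would declare; the article does not describe the binder's internals.

```python
"""Flag manifest components that look like a bolted-on, boot-started payload.

Added example, not code from the article or any vendor: scans a decoded
AndroidManifest.xml (plain XML as a decompiler emits it) for the two traits
described above. The sample manifest is constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed sample: a flashlight app carrying a foreign receiver and
# service (hypothetical package com.example.ratpayload) that start at boot.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flashlight">
    <activity android:name="com.example.flashlight.MainActivity"/>
    <receiver android:name="com.example.ratpayload.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.ratpayload.Client"/>
  </application>
</manifest>
"""

def find_suspicious_components(manifest_xml):
    """Return (component name, reason) pairs worth a closer look.
    Heuristic only: legitimate third-party SDKs also declare components in
    their own package, so hits need a human or a known-good baseline."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    name_attr = f"{{{ANDROID_NS}}}name"
    findings = []
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        name = comp.get(name_attr, "")
        if name.startswith("."):  # relative names belong to the app package
            name = pkg + name
        if not name.startswith(pkg + "."):
            findings.append((name, "component outside declared package"))
        actions = {a.get(name_attr) for a in comp.iter("action")}
        if BOOT_ACTION in actions:
            findings.append((name, "registered to start at boot"))
    return findings
```

Calling `find_suspicious_components(SAMPLE_MANIFEST)` on the constructed manifest reports the foreign receiver twice (outside the package, boot-started) and the foreign service once, while the app's own activity is left alone.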
"The risk for Android mobile devices is on the rise globally, as clearly illustrated by rising detection numbers and the proliferation of newly detected malware files," explains Blaeser.
He states G Data recently released a half-year report on mobile malware that revealed that the number of new malware samples rose dramatically in the first half of 2013 with 519 095 new malware files compared to 185 210 in the same half of the previous year.
"On average, G Data SecurityLabs uncovered 2 868 new Android malware files daily," notes Blaeser. "The binder tool is only one example. The rapid growth of malware for mobiles can be attributed, at least in part, to the availability of malware kits, which enable even inexperienced malware programmers to create functioning, manipulated apps using a type of modular system."
He says the report revealed that only a few Android.Backdoor.AndroRAT samples have been detected so far, but that G Data is expecting significant developments in this area. One example he cites is Backdoor Obad.A, a highly sophisticated malware that was first spotted in China this June.
According to the G Data report, the malware exploits three security vulnerabilities for its attacks - a previously unknown vulnerability in the Android operating system, an error in a tool called Dex2Jar and an error in Android's handling of the file AndroidManifest.xml. The latter two aim at making analysis of the malware trickier.
Once a device is infected, the cyber criminal is in full control. Blaeser says Obad.A is particularly devious, as it is extremely difficult to remove once it has been installed, and it conducts its business on the sly, invisible to the user.
"Obad.A's functional scope, sophisticated obfuscation of the code and the quick exploitation of vulnerabilities are all considered characteristics of Windows malware."
He concludes that this is a clear sign that the future will bring not only more threats for Android, but threats that are more sophisticated, elaborate and tricky for security professionals to fight.