Blog archive
Two men checking mobile phones with giant rat looking over their shoulders

AndroRAT signals commercialization of mobile malware

Mobile malware is not new. According to Juniper Networks’ Third Annual Mobile Threats Report,  there were more than 276,000 malicious apps for mobile devices discovered from March 2012 through March 2013. The Android platform, with an estimated two thirds of the mobile market share in 2012, is the target of 92 percent of that malware.

Now, researchers at Symantec have discovered a new wrinkle that combines a Remote Access Tool for Android devices with a kit that lets unskilled users easily repackage legitimate apps with AndroRAT to create Trojans. The new binder kit is being advertised in the hacker underground market as “first ever Android RAT app binder + builder.”

“To date, Symantec has counted 23 cases of popular legitimate apps being Trojanized in the wild with AndroRAT,” Symantec’s  Andrea Lelli wrote in a recent blog post.  Only several hundred infections of AndroRAT have been found worldwide, most of them in the United States and Turkey, but the number is growing.

AndroRAT enables control of the infected device, allowing the criminal to remotely monitor and make phone calls, send SMS messages, access GPS coordinates, use the camera and microphone and access stored files.

The appearance of AndroRAT packaged in an off-the-shelf kit for infecting applications is a significant step in the commercialization of mobile malware, said Vikram Thakur, Symantec’s principal security response manager.

“All this tool is doing is lowering the bar for people entering the malware space,” Thakur said. “But it’s only one piece of the puzzle.” The user “still has to figure out how to monetize it.”

Making money from malware for mobile devices has for years been a stumbling block for cyber criminals. The devices are increasingly popular and powerful, but do not offer as many opportunities for ripping users off as do desktop and laptop computers that are more often used in commerce. As much fun as it might be to take control of someone’s smartphone, there is not a lot of money in it.

But the ability to leverage malware in large mobile botnets can make it worthwhile. Common schemes are to deliver ads to the infected device, send premium text messages for which the smartphone owner is billed or to have the device browse a for-pay video site. These do not produce a big return on any one device, but Symantec discovered a large mobile botnet in 2012 that was pulling in more than $1 million a year for its owner, Thakur said.

“The bad guys are not trying to suck out as much money as they can on day one,” he said. They are staying under the radar, taking a few dollars a month from each victim for a small -- but long term -- return on investment.

The next phase in such schemes is to take products such as the AndroRAT binder one step further and bundle it with tools for hosting and delivering premium content to compromised devices: An all-in-one tool that can turn any wannabe into a successful mobile bot herder.

So far, it does not appear that this has been done, Thakur said. “If it is happening in the underworld, it is in a very siloed manner.” But he expects that we will see activity of this kind in the future.

The good news is that most mobile malware today is delivered in applications that have to be installed on a smartphone or other device, which means that the user is the first and best line of defense. You should have an antivirus tool installed on your phone, but be careful about what else you install on it.

“If somebody is offering you a free version of an app that you would have to pay for somewhere else, think twice,” Thakur said. “Nothing is free.”

Posted by William Jackson on Jul 19, 2013 at 9:54 AM

inside gcn

  • high performance computing (Gorodenkoff/

    Does AI require high-end infrastructure?

Reader Comments

Mon, Jul 22, 2013

CaptainAmerica is right on. I concur.

Sun, Jul 21, 2013 CaptainAmerica Albany, New York

It looks like the scare tactics (usually from vendors looking to sell overpriced do-nothing anti-virus software) are coming out of the woodwork again in search of Android device owners. I mean, I get that Android is definitely more vulnerable to malware than iOS, for example, but the problem is nowhere near epidemic levels. But most wouldn't know because when progress is made in the fight against malware, that never gets talked about. If Android is so infested, why didn't people jump for joy when Android mobile ad network Airpush partnered with Appthority a few months ago to wipe the threat of malware off its network of 100,000? That's big, especially since ad networks generally have inadequate filters for malware, if any. I think a lot of companies have been very responsible in their efforts to keep malware at bay. But those headlines just aren't as sexy now are they?

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above


HTML - No Current Item Deck
  • Transforming Constituent Services with Business Process Management
  • Improving Performance in Hybrid Clouds
  • Data Center Consolidation & Energy Efficiency in Federal Facilities

More from 1105 Public Sector Media Group