Android/AndroRat.A!tr.spy
Analysis
Android/AndroRat.A!tr.spy is a piece of malware targeting Android mobile phones.
The malicious package can be bound to different legitimate packages using binders.
The Trojan can be used to spy on the user's data, such as GPS information, contacts, directory listings and contents, saved files, call logs and SMS history. It can also make the phone perform functions such as recording audio, taking a picture, displaying a popup on the screen, opening a URL in the phone's browser, vibrating, making a phone call, sending SMS messages, etc.
Technical Details
The Remote Access Trojan comes bundled with several different kinds of applications.
The malicious activity comes in the package "my.app.client".
When launched, the RAT home screen looks like the image seen in Fig1.
Fig1 : AndroRAT Launch Screen
This option allows a user-defined IP and port to be specified in place of the default values seen in the screenshot.
Clicking on the Start Service button starts the main Client service, which listens for commands and processes them.
Interestingly enough, the malware makes use of a multiplexed channel when communicating with the attacker's server. The Trojan supports 4 kinds of packets for communication with the server:
TransportPacket = {totalLength, localLength, last, NumSeq, channel, data} - This is the generic format for all data exchanged between the client and the server. The Command Packets described below are packaged as a TransportPacket before sending.
CommandPacket = {command, argument, channel} - These packets carry commands for the RAT from the attacker's server and are described in further detail in the table below.
LogPacket = {data, type, message} - These packets are sent by the client to the server as logging information for the functions it performs.
PreferencePacket = {ip, port, waitTrigger, phoneNumberCall, phoneNumberSMS, keywordSMS} - These packets are exchanged between the client and the server whenever configuration changes are made, where:
- ip, port = IP address, Port that the attacker is listening for connections on
- waitTrigger = Flag that when set, tells the server to wait for events from the client to establish the connection. In short, the SMS and Call receivers are turned off and the server is contacted only when initiated by the client.
- phoneNumberCall = Phone number that calls should be monitored for
- phoneNumberSMS, keywordSMS = Phone Number, Keyword that SMS messages should be monitored for
The service listens for commands from the remote server, which are received in the format
command + arguments + channel_number
The table below describes the commands and the corresponding actions performed:
Command (+ arguments) | Function performed | Log Packet Contents
---|---|---
101 + "network"/"gps" | GET_GPS_STREAM - Activates the GPSListener that sends out location information | "Location request received"
102 | STOP_GPS_STREAM - Stops the GPSListener | "Location stopped"
103 | GET_PICTURE - Switches on the camera on the infected phone, takes a picture and sends it to the attacker's server | "Photo picture request received"
104 | GET_SOUND_STREAM - Starts the AudioStreamer that records audio on the victim's phone and periodically sends recorded data to the attacker's server | "Audio streaming request received"
105 | STOP_SOUND_STREAM - Stops the AudioStreamer | "Audio streaming stopped"
106 | GET_VIDEO_STREAM | 
107 | STOP_VIDEO_STREAM | 
108 | GET_BASIC_INFO | 
109 + [Text] | DO_TOAST - Displays a Toast on the phone's screen with the message given in [Text] | -
110 | MONITOR_SMS - Starts monitoring SMS on the phone | "Start SMS monitoring"
111 | MONITOR_CALL - Starts monitoring calls on the phone | "Start monitoring call"
112 | GET_CONTACTS - Retrieves the list of contacts on the phone and sends it to the attacker's server | "Contacts request received"
113 | GET_SMS - Retrieves the list of SMS messages on the phone and sends it to the attacker's server | "SMS list request received"
114 + [DIR] | LIST_DIR - Retrieves the file listing of the directory DIR | "List directory request received"
115 + [FILE] | GET_FILE - Retrieves the file FILE from the victim's phone to the attacker's server | "Download file " + [FILE] + " request received"
116 + [NUM] | GIVE_CALL - Calls the number NUM from the victim's phone | -
117 + [NUM] + [MSG] | SEND_SMS - Sends an SMS with contents MSG to the number NUM from the victim's phone | "SMS sent"
118 | GET_CALL_LOGS - Retrieves call logs from the victim's phone and sends them to the attacker's server | "Call log request received"
119 | STOP_MONITOR_SMS - Stops SMS monitoring on the victim's phone | "SMS monitoring stopped"
120 | STOP_MONITOR_CALL - Stops call monitoring on the victim's phone | "Call monitoring stopped"
121 | GET_ADV_INFORMATIONS - Retrieves information about the phone such as phone number, IMEI, software version, SIM card details, network status, Build.RELEASE, Build.SDK_INT, names of available sensors, etc. and sends it to the attacker's server | -
122 + [URL] | OPEN_BROWSER - Opens the address specified by URL in the browser on the infected phone | -
123 | DO_VIBRATE - Makes the phone vibrate | -
5 | DISCONNECT | -
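As an added example (not code from this page or from AndroRAT itself), the Python below reassembles a stream of the TransportPackets described above per channel and decodes the resulting CommandPacket with the command table; the payload byte layout (a 1-byte command code followed by a UTF-8 argument) and the sample fragments are constructed assumptions for analysing captured traffic, not the Trojan's real wire encoding.

```python
"""Reassemble AndroRAT-style multiplexed TransportPackets and decode the
CommandPacket inside (constructed example). Field names follow the analysis
above; the 1-byte-code + UTF-8-argument payload layout is an assumption."""
from dataclasses import dataclass

COMMANDS = {  # code -> name, from the command table above
    101: "GET_GPS_STREAM", 102: "STOP_GPS_STREAM", 103: "GET_PICTURE",
    104: "GET_SOUND_STREAM", 105: "STOP_SOUND_STREAM", 106: "GET_VIDEO_STREAM",
    107: "STOP_VIDEO_STREAM", 108: "GET_BASIC_INFO", 109: "DO_TOAST",
    110: "MONITOR_SMS", 111: "MONITOR_CALL", 112: "GET_CONTACTS", 113: "GET_SMS",
    114: "LIST_DIR", 115: "GET_FILE", 116: "GIVE_CALL", 117: "SEND_SMS",
    118: "GET_CALL_LOGS", 119: "STOP_MONITOR_SMS", 120: "STOP_MONITOR_CALL",
    121: "GET_ADV_INFORMATIONS", 122: "OPEN_BROWSER", 123: "DO_VIBRATE", 5: "DISCONNECT",
}

@dataclass
class TransportPacket:
    totalLength: int  # size of the complete reassembled payload
    localLength: int  # size of this fragment's data
    last: bool        # set on the final fragment of a message
    NumSeq: int       # fragment order within the channel
    channel: int      # multiplexed channel id
    data: bytes

def reassemble(fragments):
    """Group by channel, order by NumSeq, return payloads of completed channels."""
    by_chan = {}
    for f in fragments:
        by_chan.setdefault(f.channel, []).append(f)
    out = {}
    for chan, frags in by_chan.items():
        frags.sort(key=lambda f: f.NumSeq)
        if not frags[-1].last:
            continue  # message on this channel is still incomplete
        payload = b"".join(f.data for f in frags)
        if len(payload) != frags[0].totalLength:
            raise ValueError(f"channel {chan}: totalLength mismatch")
        out[chan] = payload
    return out

def decode_command(payload, channel):
    """CommandPacket = {command, argument, channel}; assumed 1-byte code."""
    return {"command": COMMANDS.get(payload[0], f"UNKNOWN_{payload[0]}"),
            "argument": payload[1:].decode("utf-8"), "channel": channel}
# Constructed capture: SEND_SMS split over two fragments on channel 2, GET_CONTACTS on channel 3.
SAMPLE = [
    TransportPacket(14, 8, False, 0, 2, bytes([117]) + b"+155501"),
    TransportPacket(1, 1, True, 0, 3, bytes([112])),
    TransportPacket(14, 6, True, 1, 2, b"234 hi"),
]
```

Interleaved fragments on different channels are kept apart, and a channel whose `last` fragment has not yet arrived is simply held back rather than decoded.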
Permissions required by the application:
- RECEIVE_SMS
- READ_SMS
- SEND_SMS
- READ_PHONE_STATE
- PROCESS_OUTGOING_CALLS
- ACCESS_NETWORK_STATE
- ACCESS_FINE_LOCATION
- INTERNET
- RECORD_AUDIO
- WRITE_EXTERNAL_STORAGE
- CAMERA
- RECEIVE_BOOT_COMPLETED
- CALL_PHONE
- READ_CONTACTS
- VIBRATE
Recommended Action
- FortiGate Systems
  - Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- FortiClient Systems
  - Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR | 