Android/AndroRat.A!tr.spy

Analysis

Android/AndroRat.A!tr.spy is a piece of malware targeting Android mobile phones.
The malicious package can be bound to different legitimate packages using binders.
The Trojan can be used to spy on the user's data such as GPS information, contacts, directory listings and contents, saved files, call logs and SMS history. It can also make the phone perform functions such as recording audio, taking a picture, displaying a popup on the user's phone, opening a URL in the phone's browser, causing the phone to vibrate, making a phone call and sending out SMS.

Technical Details


The Remote Access Trojan comes bundled with several different kinds of applications.
The malicious activity comes in the package "my.app.client".
When launched, the RAT home screen looks like the image seen in Fig1.

Fig1 : AndroRAT Launch Screen
This option allows the specification of a user-defined IP and port as opposed to the default values that can be seen in the screenshot.
Clicking on the Start Service button starts the main Client service, which listens for commands and processes them.
Interestingly enough, the malware makes use of a multiplexed channel during communication with the attacker's server. The Trojan supports 4 kinds of packets for communication with the server:
TransportPacket = {totalLength, localLength, last, NumSeq, channel, data} - This is the generic format for all data exchanged between the client and the server. The Command Packets described below are packaged as a TransportPacket before sending.
CommandPacket = {command, argument, channel} - These packets contain commands for the RAT from the attacker's server and are described in further detail in the table below.
LogPacket = {data, type, message} - These packets are sent by the client to the server as logging information for the functions it performs.
PreferencePacket = {ip, port, waitTrigger, phoneNumberCall, phoneNumberSMS, keywordSMS} - These packets are exchanged between the client and the server whenever changes in configuration are made, where
  • ip, port = IP address and port that the attacker is listening for connections on
  • waitTrigger = Flag that, when set, tells the server to wait for events from the client to establish the connection. In short, the SMS and Call receivers are turned off and the server is contacted only when initiated by the client.
  • phoneNumberCall = Phone number that calls should be monitored for
  • phoneNumberSMS, keywordSMS = Phone number and keyword that SMS messages should be monitored for

The service listens for commands from the remote server that are received in the format
command + arguments + channel_number

The table below describes the commands and the corresponding actions performed
Command (+ arguments) | Function performed | Log Packet Contents
101 + "network"/"gps" | GET_GPS_STREAM - activates the GPSListener that sends out location information | "Location request received"
102 | STOP_GPS_STREAM - Stops the GPSListener | "Location stopped"
103 | GET_PICTURE - Switches on the camera on the infected phone, takes a picture and sends it to the attacker's server | "Photo picture request received"
104 | GET_SOUND_STREAM - Starts the AudioStreamer that records audio on the victim's phone and periodically sends recorded data to the attacker's server | "Audio streaming request received"
105 | STOP_SOUND_STREAM - Stops the AudioStreamer | "Audio streaming stopped"
106 | GET_VIDEO_STREAM |
107 | STOP_VIDEO_STREAM |
108 | GET_BASIC_INFO |
109 + [Text] | DO_TOAST - Displays a Toast on the phone's screen with message as in [Text] | -
110 | MONITOR_SMS - Starts monitoring SMS on the phone | "Start SMS monitoring"
111 | MONITOR_CALL - Starts monitoring calls on the phone | "Start monitoring call"
112 | GET_CONTACTS - Retrieves the list of contacts on the phone and sends it to the attacker's server | "Contacts request received"
113 | GET_SMS - Retrieves the list of SMS messages on the phone and sends it to the attacker's server | "SMS list request received"
114 + [DIR] | LIST_DIR - Retrieves the file listing of the directory DIR | "List directory request received"
115 + [FILE] | GET_FILE - Retrieves the file FILE from the victim's phone to the attacker's server | "Download file " + [FILE] + " request received"
116 + [NUM] | GIVE_CALL - Calls the number NUM from the victim's phone | -
117 + [NUM] + [MSG] | SEND_SMS - Sends out an SMS to the number NUM with contents MSG from the victim's phone | "SMS sent"
118 | GET_CALL_LOGS - Retrieves call logs from the victim's phone and sends them to the attacker's server | "Call log request received"
119 | STOP_MONITOR_SMS - Stops SMS monitoring on the victim's phone | "SMS monitoring stopped"
120 | STOP_MONITOR_CALL - Stops call monitoring on the victim's phone | "Call monitoring stopped"
121 | GET_ADV_INFORMATIONS - Retrieves information about the phone such as phone number, IMEI, software version, SIM card details, network status, Build.RELEASE, Build.SDK_INT, names of available sensors etc. and sends it to the attacker's server | -
122 + [URL] | OPEN_BROWSER - Opens the address specified by URL in the browser on the infected phone | -
123 | DO_VIBRATE - Makes the phone vibrate | -
5 | DISCONNECT | -
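The packet structure and command set described above, modelled in Python as an added example (this is not Fortinet's analysis tooling and not AndroRAT's own code). The field names follow the text, but the byte-level encoding of a TransportPacket and the way a CommandPacket is serialised into the data field are not given on this page, so the code assumes plain Python objects, a NumSeq that starts at 0 for each payload on a channel, and a constructed `<command>|<argument>` text form for the command. It shows how an analyst instrumenting a sample's traffic would reassemble a multiplexed channel from interleaved fragments and map a reassembled command to the names in the table.

```python
"""Model of the AndroRAT TransportPacket / CommandPacket structure from the
analysis text. Added illustration: the wire encoding is an assumption, not
the malware's real serialisation."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TransportPacket:
    totalLength: int   # size of the complete payload carried across fragments
    localLength: int   # size of this fragment's data
    last: bool         # True on the final fragment of a payload
    NumSeq: int        # fragment sequence number within the channel (assumed to start at 0)
    channel: int       # multiplexed channel id
    data: bytes        # this fragment's slice of the payload


@dataclass
class CommandPacket:
    command: int
    argument: str
    channel: int


# Command ids and names as listed in the table above
COMMANDS: Dict[int, str] = {
    101: "GET_GPS_STREAM", 102: "STOP_GPS_STREAM", 103: "GET_PICTURE",
    104: "GET_SOUND_STREAM", 105: "STOP_SOUND_STREAM", 106: "GET_VIDEO_STREAM",
    107: "STOP_VIDEO_STREAM", 108: "GET_BASIC_INFO", 109: "DO_TOAST",
    110: "MONITOR_SMS", 111: "MONITOR_CALL", 112: "GET_CONTACTS", 113: "GET_SMS",
    114: "LIST_DIR", 115: "GET_FILE", 116: "GIVE_CALL", 117: "SEND_SMS",
    118: "GET_CALL_LOGS", 119: "STOP_MONITOR_SMS", 120: "STOP_MONITOR_CALL",
    121: "GET_ADV_INFORMATIONS", 122: "OPEN_BROWSER", 123: "DO_VIBRATE",
    5: "DISCONNECT",
}


class ChannelReassembler:
    """Per-channel fragment buffer. Fragments of different channels may arrive
    interleaved; each channel is reassembled in NumSeq order and released once
    the fragment flagged `last` has arrived with no gaps before it."""

    def __init__(self) -> None:
        self._buf: Dict[int, Dict[int, TransportPacket]] = {}

    def feed(self, pkt: TransportPacket) -> Optional[bytes]:
        if pkt.localLength != len(pkt.data):
            raise ValueError("localLength does not match fragment data size")
        frags = self._buf.setdefault(pkt.channel, {})
        frags[pkt.NumSeq] = pkt
        seqs = sorted(frags)
        if seqs != list(range(len(seqs))):
            return None                      # gap in sequence numbers, keep waiting
        if not frags[seqs[-1]].last:
            return None                      # final fragment not seen yet
        payload = b"".join(frags[s].data for s in seqs)
        if len(payload) != frags[0].totalLength:
            raise ValueError("reassembled size does not match totalLength")
        del self._buf[pkt.channel]
        return payload


def fragment(payload: bytes, channel: int, chunk: int) -> List[TransportPacket]:
    """Split a payload into TransportPackets of at most `chunk` bytes (used here
    to construct test traffic for the reassembler)."""
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    return [
        TransportPacket(totalLength=len(payload), localLength=len(p),
                        last=(i == len(pieces) - 1), NumSeq=i,
                        channel=channel, data=p)
        for i, p in enumerate(pieces)
    ]


def decode_command(payload: bytes, channel: int) -> CommandPacket:
    """Decode a reassembled payload as a CommandPacket. The '<command>|<argument>'
    text form is constructed for this example; the real encoding is not
    described in the analysis."""
    cmd_str, _, argument = payload.decode("utf-8").partition("|")
    command = int(cmd_str)
    if command not in COMMANDS:
        raise ValueError(f"unknown command id {command}")
    return CommandPacket(command=command, argument=argument, channel=channel)


def describe(cmd: CommandPacket) -> str:
    """Human-readable line for an analyst's log, e.g. 'channel 2: 109 DO_TOAST ...'."""
    line = f"channel {cmd.channel}: {cmd.command} {COMMANDS[cmd.command]}"
    return line + (f" {cmd.argument!r}" if cmd.argument else "")


if __name__ == "__main__":
    reasm = ChannelReassembler()
    traffic = fragment(b"103|", 1, 2) + fragment(b"109|hello world", 2, 5)
    for pkt in traffic:
        done = reasm.feed(pkt)
        if done is not None:
            print(describe(decode_command(done, pkt.channel)))
```

The reassembler deliberately refuses fragments whose localLength disagrees with the data it carries and a payload whose reassembled size disagrees with totalLength; a decoder that silently accepts either will mis-split commands when fragments from two channels interleave.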

Permissions required by the application:
  • RECEIVE_SMS
  • READ_SMS
  • SEND_SMS
  • READ_PHONE_STATE
  • PROCESS_OUTGOING_CALLS
  • ACCESS_NETWORK_STATE
  • ACCESS_FINE_LOCATION
  • INTERNET
  • RECORD_AUDIO
  • WRITE_EXTERNAL_STORAGE
  • CAMERA
  • RECEIVE_BOOT_COMPLETED
  • CALL_PHONE
  • READ_CONTACTS
  • VIBRATE
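Because the RAT is bound into otherwise legitimate packages, a decoded manifest is one of the quickest triage points: the permission set above and the package name "my.app.client" are both visible there. The following is an added example in Python (not Fortinet tooling) that parses a plain-text AndroidManifest.xml, as produced by a decoder such as apktool, and scores it against the permission list from this page. The two sample manifests and the `assess_manifest` / `extract_permissions` names are constructed for the example.

```python
"""Manifest permission triage against the AndroRAT permission set listed above.
Added illustration; expects a decoded (text) AndroidManifest.xml, not the
binary XML found inside an APK."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MALICIOUS_PACKAGE = "my.app.client"   # package name given in the analysis

# Permission set from the analysis (android.permission.* prefix stripped)
ANDRORAT_PERMISSIONS: Set[str] = {
    "RECEIVE_SMS", "READ_SMS", "SEND_SMS", "READ_PHONE_STATE",
    "PROCESS_OUTGOING_CALLS", "ACCESS_NETWORK_STATE", "ACCESS_FINE_LOCATION",
    "INTERNET", "RECORD_AUDIO", "WRITE_EXTERNAL_STORAGE", "CAMERA",
    "RECEIVE_BOOT_COMPLETED", "CALL_PHONE", "READ_CONTACTS", "VIBRATE",
}


def extract_permissions(manifest_xml: str) -> Set[str]:
    """Return the android.permission.* names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    prefix = "android.permission."
    found: Set[str] = set()
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name", "")
        if name.startswith(prefix):
            found.add(name[len(prefix):])
    return found


def assess_manifest(manifest_xml: str) -> Dict[str, object]:
    """Compare a manifest with the AndroRAT indicators from the analysis.
    Flags on the known package name, or on the complete permission set being
    present (a heuristic: a repackaged host app inherits the full set)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    declared = extract_permissions(manifest_xml)
    matched = declared & ANDRORAT_PERMISSIONS
    missing = ANDRORAT_PERMISSIONS - declared
    return {
        "package": package,
        "package_match": package == MALICIOUS_PACKAGE,
        "matched": sorted(matched),
        "missing": sorted(missing),
        "coverage": len(matched) / len(ANDRORAT_PERMISSIONS),
        "flag": package == MALICIOUS_PACKAGE or not missing,
    }


def build_manifest(package: str, perms: List[str]) -> str:
    """Construct a minimal manifest string (sample input for the demo only)."""
    uses = "\n".join(
        f'  <uses-permission android:name="android.permission.{p}"/>' for p in perms
    )
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">\n'
            f"{uses}\n  <application/>\n</manifest>")


# Constructed samples: the RAT package itself, a benign app, and a benign-looking
# package that carries the full RAT permission set (the binder case)
SAMPLE_RAT = build_manifest("my.app.client", sorted(ANDRORAT_PERMISSIONS))
SAMPLE_BENIGN = build_manifest("com.example.weather", ["INTERNET", "ACCESS_NETWORK_STATE"])
SAMPLE_REPACKAGED = build_manifest("com.example.weather", sorted(ANDRORAT_PERMISSIONS))

if __name__ == "__main__":
    for label, m in [("rat", SAMPLE_RAT), ("benign", SAMPLE_BENIGN),
                     ("repackaged", SAMPLE_REPACKAGED)]:
        r = assess_manifest(m)
        print(f"{label}: flag={r['flag']} coverage={r['coverage']:.2f} "
              f"package_match={r['package_match']}")
```

Coverage below 1.0 is reported rather than used as a flag on its own: INTERNET, ACCESS_NETWORK_STATE and WRITE_EXTERNAL_STORAGE are common in legitimate apps, so the useful signal is the combination of SMS, call, audio, camera and location permissions appearing together in an app that has no reason to hold them.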

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product | Detection level
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |

Version Updates

Date | Version | Detail
2021-02-10 | 83.93700 |
2019-06-12 | 69.20800 |
2019-06-05 | 69.04100 |
2019-05-08 | 68.37000 |
2019-03-06 | 66.85900 |
2019-01-09 | 65.50900 |
2018-10-10 | 62.82500 |