Efficient Android Remote Access Trojan Harvesting Credentials

Overview

The SonicWall Capture Labs threat research team has been regularly sharing information about malware targeting Android devices. We’ve encountered similar RAT samples before, but this one includes extra commands and phishing attacks designed to harvest credentials.

This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their devices. This malicious app uses any of the following icons:

Figure 1: The app icon used by the malware.

Figure 2: Installed malicious app

Infection Cycle

After the malicious app is installed on the victim’s device, it prompts the victim to enable two permissions:

  • Accessibility Service
  • Device Admin Permission

By requesting these permissions, the malicious app aims to gain control over the victim’s device, potentially allowing it to carry out harmful actions or steal sensitive information without the user’s awareness or consent.

Figure 3: Prompt for accessibility permission

Figure 4: Device admin activation

The malicious app establishes a connection with the Command-and-Control server to receive instructions and execute specific tasks accordingly.

Here are some of the commands received from the malware’s Command-and-Control (C&C) server:

Command Description
dmpsms Read Messages
dmpcall Read Call logs
dmpcon Device Contact list
getpackages Installed package name
changewall Change device wallpaper
toasttext Notification data
opweb Open URLs on web browser for phishing
vibratedev Vibrate device
sendsms Send messages
tont Turn on the camera flashlight
tofft Turn off the camera flashlight

The resource file contains the URL of the C&C server, but it was not active during the analysis.

Figure 5: C&C server

Here you see it receiving commands from the C&C server to access a specific URL in the browser to harvest credentials.

Figure 6: Browser to open specific URL

Some malicious HTML files related to well-known Android applications are in the ‘assetwebsite’ folder, as shown in the figure below:

Figure 7: Fraudulent HTML Pages

Figure 8: Instances of fraudulent HTML page -1.

Figure 9: Instances of fraudulent HTML page -2.

In these HTML files, the attacker prompts the victim to enter their user ID and password into the input fields.

Figure 10: Retrieves user input

After taking credentials using JavaScript, it collects and shares all the user information to the ‘showTt’ function.

Figure 11: Collect user credential

It retrieves all phone numbers stored on the victim’s device.

Figure 12: Fetching contact List

It attempts to change the device’s wallpaper to a specific resource if the ‘str’ parameter matches the decrypted value, such as 0, 1, or 2.

Figure 13: Changing the Device Wallpaper

It retrieves information about installed apps on the victim’s device.

Figure 14: Collecting installed package info

The below code snippet utilizes the “CameraManager” to toggle the flashlight of the victim’s device’s camera to either on or off.

Figure 15: Camera flashlight on-off

It sends a message to a number based on input received from the C&C server.

Figure 16: Sending a message from the victim’s device

We also noticed that certain malicious files have been recently uploaded to malware-sharing platforms like VirusTotal.

Figure 17: Latest sample found on VT

SonicWall Protections

SonicWall Capture Labs provides protection against this threat via SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOCs)

0cc5cf33350853cdd219d56902e5b97eb699c975a40d24e0e211a1015948a13d

37074eb92d3cfe4e2c51f1b96a6adf33ed6093e4caa34aa2fa1b9affe288a509

3df7c8074b6b1ab35db387b5cb9ea9c6fc2f23667d1a191787aabfbf2fb23173

6eb33f00d5e626bfd54889558c6d031c6cac8f180d3b0e39fbfa2c501b65f564

9b366eeeffd6c9b726299bc3cf96b2e673572971555719be9b9e4dcaad895162

a28e99cb8e79d4c2d19ccfda338d43f74bd1daa214f5add54c298b2bcfaac9c3

d09f2df6dc6f27a9df6e0e0995b91a5189622b1e53992474b2791bbd679f6987

d8413287ac20dabcf38bc2b5ecd65a37584d8066a364eede77c715ec63b7e0f1

ecf941c1cc85ee576f0d4ef761135d3e924dec67bc3f0051a43015924c53bfbb

f10072b712d1eed0f7e2290b47d39212918f3e1fd4deef00bf42ea3fe9809c41

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Source: Original Post