Malware market peddles tools to exploit Android infections

The first tools to inject legitimate Android apps with open-source software that allows an attacker to control an infected smartphone remotely have been found in the criminal underground.

Symantec's discovery is the latest example of a growing market in commoditized services from highly specialized suppliers, similar to what has been available for years to commandeer and profit from infected Windows PCs.

mobile malware

The new tool, called a binder, costs $37, and is linked to a free remote access tool (RAT) that is growing in popularity. Known as AndroRAT, the open-source software was first released in November 2012.

The binder simplifies the process of repackaging a legitimate app with AndroRAT. Once the malware makes contact with the command and control (C&C) server, a criminal can use a customer friendly control panel to monitor and make phone calls, send text messages, use the smartphone's camera and microphone, access files and get the device's GPS coordinates, Symantec said last week.

AndroRAT is packaged as an APK, which is the standard application format for Android. The AndroRAT-binder combo allows attackers with limited expertise to infect a legitimate app that's more likely to get permission to access smartphone data and services.

"All we're seeing right now is just a maturing evolution of a landscape that is allowing lesser technical people to come in and try their hand at some of this criminal activity themselves," said Vikram Thakur, principal manager at Symantec Security Response.

Wider use expected

Symantec has counted nearly two-dozen popular apps carrying AndroRAT. To date, only several hundred phones have been infected, mostly in the U.S. and Turkey.

Symantec expects that number to rise as the sophistication of AndroRAT increases. "As time goes on there will be a lot more tools available, possibly some even cheaper, once the market gets flooded," Thakur said.

As an example of how AndroRAT is spreading, a commercial, Java-based RAT known as Adwind is being modified to incorporate an Android module based on AndroRAT code, Symantec said.

Adwind also comes with a user-friendly interface. Because it is written in platform-agnostic Java, versions of the malware have been developed for other operating systems.

While availability of effective malware is a factor, a lot more has to happen before Android reaches Windows' level of profitability as a platform for criminal activity.

Follow @TechHive on Twitter today.

Subscribe to the Tablet Tips & Trends Newsletter

Comments