santiago silver - Fotolia

Italian-based Android RAT spies on mobiles in Japan and China, say researchers

Researchers discover an Italian-based Android RAT designed for spying that is targeting mobile devices using their unique identification codes

Security researchers have discovered an Android remote access Trojan (RAT) that is targeting specific rooted mobile devices in China and Japan.

The RAT appears to be designed as a spy tool with the ability to take screenshots, listen in on phone calls and upload the data to command and control (C&C) servers based in Italy, according to researchers at security firm Bitdefender.

The researchers believe that up to 80% of China’s mobile users are at risk due to the prevalence of rooted phones in the marketplace.

However, the RAT appears to target specific Android users because targets are selected based on mobile devices’ unique international mobile equipment identity (IMEI) codes, based on samples analysed in the first half of 2016.

Although the RAT seems to be designed to work only on rooted devices, the researchers said if a targeted device is not rooted, previous Bitdefender research has shown that some malicious Android applications include the capability of rooting Android devices, regardless of the version of the operating system they are running.

Other security researchers have also revealed that some malware can even pack up to 18 different Android rooting modules to gain full control over the device. However, in that particular instance, the Trojan was used to generate revenue only by downloading and installing apps on victims’ devices, not to install surveillance tools.

Consequently, it is not difficult to envision a scenario in which a device can be stealthily rooted and then remotely controlled with a RAT, the researchers said.

The fact that the malware uses specific IMEI codes to select victims, they said, indicates that it is possibly part of a wider attack that is yet to be uncovered. This is because this type of selectivity is typically associated with advanced persistent threat (APT) operations.

Read more about mobile security

  • Nearly one-third of Android devices in enterprises today are running version 4.0 or older of the operating system, leaving them highly susceptible to vulnerabilities, a study shows.
  • Experts told the CW500 Security Club how mobility brings new challenges to security departments and an opportunity to go beyond building walls around the enterprise.
  • For all the benefits of Supporting mobility in the enterprise, it has also introduced one of the biggest challenges for IT pros today: safeguarding the flow of confidential data.
  • Traditional security does not always work for mobile as mobile operating systems are different to those on PCs, says MobileIron’s Mike Raggo.

Bitdefender said the RAT has been distributed under two package names, “it.cyprus.client” and “it.assistenzaumts.update”, which both have the same functionality with zero impact on the target device.

To safeguard against threats such as these, the Bitdefender researchers said it is imperative that mobile devices always have a suitable mobile security system in place to prevent malicious packages from installing.

Users should also make sure they only download verified apps from official marketplaces, they said.

Unofficial sources of Android apps are the biggest potential sources of malware, which could potentially compromise corporate networks and data where employee-owned devices are used also used for business.  

Businesses must ensure mobile security controls are deployed and enforced on every device used to access corporate data and apps, according to MobileIron’s latest mobile security and risk review.

Enterprises continue to fall short when it comes to protecting corporate data on mobile apps and devices, the report said, with only 8% of companies enforcing operating system updates and less than 5% using app reputation or mobile threat detection software.

Read more on Endpoint security

Data Center
Data Management