McAfee Labs

Android App SandroRAT Targets Polish Banking Users via Phishing Email

1
By on Aug 02, 2014

Europe is currently under attack by spammers trying to get control of Android devices. In Germany the distribution method is via SMS (text) messages, as you can read in this recent McAfee Labs post, while in Poland there is an ongoing email spam campaign distributing a new variant of an Android remote access tool (RAT).

Recently McAfee Labs received a new mobile malware sample from a customer in Poland with the name Kaspersky_Mobile_Security.apk. It arrives as an attachment with the following phishing message:

CASTILLO_SandroRATSpam

Source: Zaufana Trzecia Strona

The email tries to scare a user with the following subject:

“Uwaga! Wykryto szkodliwe oprogramowanie w Twoim telefonie!”
(“Caution! Detected malware on your phone!”)

The body of the message states that the bank is providing the attached free mobile security application to detect malware that steals SMS codes (mTANs) for authorizing electronic transactions. However, the attached application is in fact a version of the Android RAT SandroRat, which was announced at the end of the last year in the Hacking Community HackForums. The RAT and its source code are for sale, making it accessible to everyone to create a custom version of this threat.

Just as any other Android RAT (such as AndroRAT), the malware can remotely execute several commands to perform any of the following actions:

  • Steal sensitive personal information such as contact list, SMS messages (inbox, outbox, and sent), call logs (incoming, outgoing, and missed calls), browser history (title, link, date), bookmarks and GPS location (latitude and longitude).
  • Intercept incoming calls and record those in a WAV file on the SD card to later leak the file.
  • Update itself (or install additional malware) by downloading and prompting the user to install the file update.apk.
  • Intercept, block, and steal incoming SMS messages.
  • Send MMS messages with parameters (phone number and text) provided by the control server.
  • Insert and delete SMS messages and contacts.
  • Record surrounding sound and store it in an adaptive multi-rate file on the SD card to later send to a remote server.
  • Open the dialer with a number provided by the attacker or execute USSD codes.
  • Display Toast (pop-up) messages on the infected device.

A novel functionality of this threat is its ability to access the encrypted Whatsapp chats (available in the path /WhatsApp/Databases/msgstore.db.crypt5 on the SD card) and obtain the unique encryption key using the Google email account of the device to get the chats in plain text and store them in the file waddb.sr:

CASTILLO_DecryptWhatsapp

This decryption routine will not work with Whatsapp chats encrypted by the latest version of the application because the encryption scheme (crypt7) has been updated to make it stronger (using a unique server salt). Whatsapp users should update the app to the latest version.

Spam campaigns (via SMS or email) are becoming a very popular way to distribute Android malware, which can steal personal information or even obtain complete control of a device with a tools like SandroRAT. This attack gains credence with the appearance of a bank offering security solutions against banking malware, a typical behavior of legitimate banks.

McAfee Mobile Security detects this Android threat and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.

One Comment on “Android App SandroRAT Targets Polish Banking Users via Phishing Email

  • Mohammed

    This can be very targeted Fraud attack… as two-way factor authentication (SMS confirmation) has played a good role against Fraud attacks.

    I believe it’s time to focus on developing solutions that would protect mobile user from such malware.

    The real issue is that users are just "accepting" the new app permissions requested without proper awareness.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>