A new variant of the Android Remote Access Tool (AndroRAT) is exploiting a vulnerability to escalate privileges on unpatched Android devices.
The malware disguises itself as a utility app called “TrashCleaner” and waits for users to download it from a malicious URL. Upon running for the first time, the malicious app forces the device to install what looks to be a Chinese-labeled calculator app. In the meantime, TrashCleaner’s icon disappears and AndroRAT abuses CVE-2015-1805, a denial-of-service (DoS) and privilege escalation vulnerability.
Trend Micro’s Mobile Threat Response Team explains how the threat interacts with this security flaw:
The configurable RAT service is controlled by a remote server, which could mean that commands may be issued to trigger different actions. The variant activates the embedded root exploit when executing privileged actions.
At that point, the new iteration can perform all the functions of the original AndroRAT, which include recording audio, taking photos using the device camera, and stealing call logs. It can also perform a host of new activities not accessible to its progenitor such as recording calls, uploading files to the device, and deleting/creating SMS text messages.
Google patched CVE-2015-1805 in 2016, but older devices, or those that receive security updates well after their official release, might still be vulnerable. With that in mind, Android users should install applications only from trusted developers on Google’s Play Store and never from unfamiliar websites. They should also run an anti-virus solution on their phones and keep their operating system and apps up to date.
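The two signals the article gives a defender (a device whose patch level predates the CVE-2015-1805 fix, and apps that arrived from somewhere other than the Play Store, including an app installed by another sideloaded app, as with the calculator) can be checked over adb. The script below is an added example, not code from the article or from Trend Micro. It parses the output of `adb shell getprop ro.build.version.security_patch` and `adb shell pm list packages -i -3`; the adb output embedded here is constructed sample data so it runs offline, the package names in it are made up, and the exact patch-level date used as the CVE-2015-1805 cutoff is an assumption that should be confirmed against the Android security bulletin that carried the fix (the article only says 2016).

```python
"""Added triage example: flag the two device-side signals described in the
AndroRAT/TrashCleaner write-up. Not the article's or Trend Micro's code."""
from datetime import date
import subprocess

# ASSUMPTION: the article only says the fix shipped in 2016. This is the assumed
# security patch level that carried the CVE-2015-1805 fix; verify it against the
# Android security bulletin before relying on it.
CVE_2015_1805_FIX_LEVEL = date(2016, 3, 18)

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample output of `adb shell getprop ro.build.version.security_patch`.
SAMPLE_PATCH_LEVEL = "2016-02-01\n"

# Constructed sample output of `adb shell pm list packages -i -3` (third-party
# packages with their installer). Package names are made up; the line shape
# "package:<name>  installer=<pkg|null>" is what a real device prints.
SAMPLE_PM_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.trashcleaner  installer=null
package:com.example.calc  installer=com.example.trashcleaner
package:com.example.news  installer=com.android.vending
"""


def parse_patch_level(raw: str) -> date:
    """Turn the getprop string (YYYY-MM-DD) into a date."""
    return date.fromisoformat(raw.strip())


def patch_level_is_vulnerable(raw: str, fix_level: date = CVE_2015_1805_FIX_LEVEL) -> bool:
    """True when the device's patch level predates the level carrying the fix."""
    return parse_patch_level(raw) < fix_level


def parse_pm_installers(raw: str) -> dict:
    """Map package name -> installer package (None when installer is 'null')."""
    result = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg_part, _, installer_part = line.partition("installer=")
        pkg = pkg_part[len("package:"):].strip()
        installer = installer_part.strip() or "null"
        result[pkg] = None if installer == "null" else installer
    return result


def sideloaded_packages(raw: str) -> list:
    """Packages not installed by the Play Store, sorted for stable output.

    Covers both an app pulled from a web URL (installer=null) and an app
    installed by that app, the chain the article describes for the calculator."""
    installers = parse_pm_installers(raw)
    return sorted(pkg for pkg, inst in installers.items() if inst != PLAY_STORE_INSTALLER)


def packages_installed_by_other_apps(raw: str) -> dict:
    """Packages whose installer is itself a third-party package (app-installs-app)."""
    installers = parse_pm_installers(raw)
    return {pkg: inst for pkg, inst in installers.items()
            if inst not in (None, PLAY_STORE_INSTALLER)}


def report(patch_raw: str, pm_raw: str) -> None:
    """Print the findings for one device's captured output."""
    status = "predates assumed fix level" if patch_level_is_vulnerable(patch_raw) else "ok"
    print(f"security patch level {parse_patch_level(patch_raw)}: {status}")
    for pkg in sideloaded_packages(pm_raw):
        print("not installed by Play Store:", pkg)
    for pkg, inst in packages_installed_by_other_apps(pm_raw).items():
        print(f"installed by another app: {pkg} <- {inst}")


def run_adb_checks() -> None:
    """Feed the same checks from a live device (requires adb on PATH)."""
    patch = subprocess.run(["adb", "shell", "getprop", "ro.build.version.security_patch"],
                           capture_output=True, text=True, check=True).stdout
    pm = subprocess.run(["adb", "shell", "pm", "list", "packages", "-i", "-3"],
                        capture_output=True, text=True, check=True).stdout
    report(patch, pm)


if __name__ == "__main__":
    report(SAMPLE_PATCH_LEVEL, SAMPLE_PM_OUTPUT)
```

Run as-is it reports on the constructed sample; call `run_adb_checks()` with a device attached to apply the same logic to real output. The installer check is a triage aid only: a device administrator or OEM installer also shows up as non-Play-Store, so findings need a look at the package before any conclusion is drawn.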
At the same time, users should think twice before releasing any research projects to the public. AndroRAT started as a remote administration tool that a team of four created for a university project. That’s not unlike Hidden Tear, a proof-of-concept ransomware created by a programmer for research purposes. Both platforms made their way to GitHub, allowing digital attackers to abuse them for nefarious purposes.
It’s important for security researchers to familiarize themselves with RATs and ransomware. But they can do so in research labs that don’t in any way make their projects available to the public on the web. For the security of users everywhere, that’s how it should be.