Researchers investigating a recent targeted attack against a financial company have discovered that the commercially available Windows spyware WinSpy has been upgraded with a component called GimmeRAT, which is designed to be deployed against Android devices.
“While analyzing the Windows payloads for WinSpy we discovered that it also had Android spying components, which we have dubbed GimmeRAT. The Android tool has multiple components allowing the victim’s device to be controlled by another mobile device remotely over SMS messages or alternatively through a Windows-based controller,” the researchers stated.
“The Windows-based controller is simplistic and requires physical access to the device. The recent surge in Android-based RATs such as Dendroid and AndroRAT shows a spike in the interest of malicious actors to control mobile devices. GimmeRAT is another startling example of malicious actors venturing into the Android ecosystem.”
Although WinSpy is marketed as a spying and monitoring tool for home users to run on their own systems, its remote administration capabilities make it a convenient choice for attackers seeking to infiltrate a specific target or organization.
“This tool also adds another layer of anonymity for the attacker by using the default command-and-control server provided as part of the WinSpy package,” the researchers noted. “The controller has options to retrieve screenshots, keylogs, and various reports from the victim’s machine. It also has the ability to interact with the file system to upload and download files as well as execute new payloads.”
While investigating the Windows modules, the researchers found three distinct Android applications: one that requires physical access to the device, and two others that “can be deployed in a client-server model and allow remote access through a second Android device.”
“It is also worthwhile to note that the two modules do not authenticate each other by any means therefore it allows anyone infected with GPSTracker.apk to be controlled just by sending SMS messages with a given structure,” the team said.
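The weakness the researchers describe above, that the two modules never authenticate each other, means any party who learns the SMS command format can drive an infected device. The following is an added illustration, not GimmeRAT's or WinSpy's code and not its real message format: a constructed, unauthenticated SMS command parser beside a hardened version in which each command carries a random nonce and an HMAC-SHA256 tag under a key shared only by the two legitimate modules, with a seen-nonce set to reject replays. The `CMD ...` message layout, the shared key and the nonce length are all assumptions made for the example.

```python
"""Constructed example: an unauthenticated SMS command channel versus an
authenticated one. Neither the message format nor the code is GimmeRAT's."""
import hashlib
import hmac
import re
import secrets
from typing import Optional, Set

# Hypothetical unauthenticated format: "CMD <action>"
UNAUTH_PATTERN = re.compile(r"^CMD (\w+)$")


def parse_unauthenticated(sms_body: str) -> Optional[str]:
    """Weak design: any message matching the format is accepted as a command,
    no matter who sent it. Because SMS sender IDs can be spoofed, even an
    allowlist of phone numbers would not close this gap; the message itself
    has to prove it came from the legitimate controller."""
    match = UNAUTH_PATTERN.match(sms_body)
    return match.group(1) if match else None


class AuthenticatedChannel:
    """Hardened design (assumed format "CMD <nonce> <action> <hmac-hex>"):
    the tag binds nonce and action to a shared key, so a third party cannot
    forge commands, and the nonce set stops a captured message from being
    replayed against the device."""

    def __init__(self, shared_key: bytes) -> None:
        self._key = shared_key
        self._seen_nonces: Set[str] = set()

    @staticmethod
    def _tag(key: bytes, nonce: str, action: str) -> str:
        # Tag covers both fields, with a separator, so they cannot be swapped.
        return hmac.new(key, f"{nonce}|{action}".encode(), hashlib.sha256).hexdigest()

    def build(self, action: str) -> str:
        """Controller side: produce an authenticated command message."""
        nonce = secrets.token_hex(8)  # 64 random bits per command (assumed length)
        return f"CMD {nonce} {action} {self._tag(self._key, nonce, action)}"

    def verify(self, sms_body: str) -> Optional[str]:
        """Device side: return the action only if the tag is valid and the
        nonce has not been seen before; otherwise return None."""
        parts = sms_body.split(" ")
        if len(parts) != 4 or parts[0] != "CMD":
            return None
        _, nonce, action, tag = parts
        expected = self._tag(self._key, nonce, action)
        # Constant-time comparison avoids leaking the tag byte by byte.
        if not hmac.compare_digest(expected, tag):
            return None
        if nonce in self._seen_nonces:
            return None  # replay of a previously accepted command
        self._seen_nonces.add(nonce)
        return action


if __name__ == "__main__":
    # Constructed demonstration values
    key = b"example-shared-key-not-real"
    controller = AuthenticatedChannel(key)
    device = AuthenticatedChannel(key)
    print("unauthenticated accepts anyone:", parse_unauthenticated("CMD locate"))
    msg = controller.build("locate")
    print("authenticated, first delivery:", device.verify(msg))
    print("authenticated, replayed:", device.verify(msg))
    print("forged by stranger:", device.verify(AuthenticatedChannel(b"other").build("locate")))
```

The two `AuthenticatedChannel` instances model the controller and the infected device holding the same key; the unauthenticated parser accepts the same command text from any sender, which is exactly the condition the researchers flag.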
“These attacks and tools reaffirm that we live in an age of digital surveillance and intellectual property theft… We will continue to see more implementations of RATs and payloads to support multiple platforms and attackers will continue to take advantage of these new attack surfaces to infiltrate their targets.”