Krysanec RAT hides in fake Android apps

Anti-virus vendor ESET says that a new Android 'backdoor' Remote Access Trojan (RAT), Krysanec, has been masquerading as free and paid-for applications on third-party app stores.

'First Android ransomware' to target UK
'First Android ransomware' to target UK

In a new blog post on its We Live Security website, the security firm reveals that the RAT contains the Java-based Unrecom Remote Access Trojan (RAT) to offer backdoor access to take photos, record audio, view current GPS location and see SMS or WhatsApp messages, contact lists, opened webpages and installed applications.

Researchers say that the malware pretended to be the ESET Mobile Security application, as well as the data usage ‘3G Traffic Guard' app and the mobile banking app of Russia's Sberbank.

These rogue applications were distributed by several channels, including a file-sharing website and Russian social network, but did not appear on Google Play which – though sometimes criticised for letting through malicious app entries – is generally well-vetted by Google Bouncer. The storefront also requires developers to digitally sign their applications.

Interestingly, while this malware largely serves as an ability to snoop on users, rather than directly monetise from them, ESET says that some of the malware samples suggest that it connected to a command and control (C&C) server hosted by the US-based No-IP, which recently saw Microsoft take control of 22 of its domains in an effort to disrupt cyber-criminals working out of Algeria and Kuwait to infect millions of computers with malware.

“While remote-access-tools for Android are less common than their Windows desktop counterparts, the main message here is to stress that users should download not only our ESET Mobile Security but any application only from trustworthy sources, such as the official Google Play store. And even there, exercise caution by carefully examining the permissions requested by the app,” concluded ESET's Robert Lipovsky.

Cameron Palan, senior mobile threat analyst at fellow security firm Webroot, added in an email to SC: “The Krysanec Trojan is an interesting piece of malware, but not anything particularly new. While not as common as similar malware seen on PCs, Remote Access Tools (RATs) for Android have been around for some time and are likely to continue infect applications in the coming future.

“Packaging malware inside legitimate apps is definitely a tactic we see authors utilise over and over again, as well.”

Nathan Collier, senior malware intelligence analyst at Malwarebytes, said that the attack is 'relatively straightforward', but that it continues to work given the 'age-old security industry problem of awareness'.

“It's a relatively straightforward job for someone with coding experience to decompile an existing Android app, insert malicious  capabilities, and re-build it as new," Collier told SC. "The tools to make this possible can be found by anyone with a good working knowledge of a search engine. A lot of the Android RATS used also utilise existing pre-built toolkits.

“In terms of the threat to consumers, it is the age-old security industry problem of awareness. More people need to be made aware that their smartphone is potentially vulnerable to this kind of scam. If they don't already have an anti-malware scanner on their phone, then I would argue now would be the time to get one.”