AndroRAT exposes fragmented Android ecosystem vulnerabilities

News by Davey Winder

A new version of a familiar menace, AndroRAT, has emerged from out of the trash to exploit long forgotten vulnerabilities. First seen back in 2012, AndroRAT is, as the name suggests, a Remote Access Trojan that targets the Android ecosystem. Researchers at Trend Micro have revealed that this new variant is exploiting a publicly disclosed vulnerability that enables the permanent rooting of susceptible Android phones.

AndroRAT has been seen disguised as a malicious data tidying app by the name of TrashCleaner. Not to be found in the official Google Play Store, this would need to be downloaded and installed from an unofficial store link. That should be enough alone to mitigate the threat to secure-thinking users. If not, the fact that upon execution it prompts for a secondary installation of a system calculator application which actually activates the AndroRAT malware would do it, you might think.

You might also think that the fact this targets a critical vulnerability listed as CVE-2015-1805, which was first noticed in the Linux kernel in 2014 and eventually fixed in the Android branch by a Google patch in March 2016, would make mitigation a done deal. That assumption doesn't allow for the fragmented nature of the Android ecosystem, with devices still being used that have not and often cannot be patched. 

The Trend Micro research states "We disclosed our findings to Google and worked with them on further analyzing the apps that carried the new AndroRAT variant. Google said that the above mentioned apps were never on Google Play, and that they already incorporated detection for CVE-2015-1805 into their compatibility tests. Ideally, any device launched or updated after April 2016 will not be vulnerable."

However, given the aforementioned fragmentation regarding the Android security ecosystem, this doesn't mean it's a done deal regarding devices still being used by staff within and outwith the enterprise. So how should enterprises be mitigating against the risks posed by AndroRAT, and other vulnerabilities, from user devices that cannot be patched? 

Daniel Padon, Mobile Security Researcher with Check Point, is all too familiar with the issue of patching Android devices. Back in 2016, when the QuadRooter chipset vulnerabilities were discovered, Check Point scanned half a million devices for the patch and found 63 percent of devices still had at least one QuadRooter vulnerability. "The first line of defense against malware like AndroRAT should be patching all devices to the most recent version available," Padon insists, "and replacing archaic, unpatchable devices, just as an organization should do with other archaic hardware in its network."

The use of old devices such as these is known as 'technical debt', and it is something that Ed Williams, EMEA Director of SpiderLabs at Trustwave, is concerned about. "With security boundaries becoming ever more blurred, technical debt is a considerable problem for all enterprises," Williams said in conversation with SC Media. "This is also the type of thing that keeps me awake at night and no doubt keeps many a CISO awake too."

To ensure the castle doesn't crumble around them, enterprises should treat such devices as untrusted and prevent them from accessing equally untrusted content to mitigate the infection risk, Williams advises. Liviu Arsene, Senior e-Threat Analyst at Bitdefender, agrees and told SC Media UK that "enterprises might want to enforce security policies that prevent users from installing unsanctioned apps, thus limiting potential threat exposure." It was an unsurprisingly common thread in the conversations we had around this topic. "End-of-life products that do not receive patches should be obsolete and should be upgraded," said Hein Alberts, Security Researcher at SecureData, and "devices that are still in lifecycle should be updated to the latest patch release."
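The advice above (patch what can be patched, replace what cannot, block unsanctioned installs, and treat the rest as untrusted) can be expressed as a device-inventory triage. The following is an added example, not code from the article or from any of the vendors quoted in it. It assumes an inventory exported from a mobile device management tool with a per-device Android security patch level (the `YYYY-MM-DD` string Android reports), a flag for whether installs from unknown sources are allowed, and a vendor end-of-life flag; the April 2016 cutoff comes from Google's statement quoted earlier in the article, and the sample devices are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Per Google's statement quoted in the article, devices launched or updated after
# April 2016 should carry the CVE-2015-1805 fix. Anything older is treated as exposed.
# The cutoff, field names and remediation labels are assumptions for this example.
PATCH_CUTOFF = date(2016, 4, 1)


@dataclass
class Device:
    device_id: str
    model: str
    security_patch: str      # Android security patch level, "YYYY-MM-DD"
    unknown_sources: bool    # sideloading from unofficial stores is permitted
    end_of_life: bool        # vendor no longer ships updates for this model


def parse_patch_level(level: str):
    """Return the patch level as a date, or None if it is missing or malformed."""
    try:
        year, month, day = (int(part) for part in level.split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None


def assess(device: Device) -> dict:
    """Classify one device: which policy findings apply and what action follows."""
    findings = []
    patch_date = parse_patch_level(device.security_patch)
    # Fail closed: a device that cannot report a valid patch level counts as unpatched.
    patched = patch_date is not None and patch_date >= PATCH_CUTOFF
    if not patched:
        findings.append("patch level missing or predates April 2016 (CVE-2015-1805 fix)")
    if device.unknown_sources:
        findings.append("installation of apps from unknown sources is enabled")
    if device.end_of_life:
        findings.append("vendor support has ended")

    # Remediation priority, following the advice quoted in the article:
    # unpatchable hardware is retired, patchable hardware is patched, and
    # patched devices still have unsanctioned installs blocked by policy.
    if device.end_of_life:
        action = "replace"
    elif not patched:
        action = "patch"
    elif device.unknown_sources:
        action = "restrict"
    else:
        action = "allow"

    return {
        "device_id": device.device_id,
        "trusted": not findings,   # only a clean device is trusted for enterprise access
        "action": action,
        "findings": findings,
    }


def triage(inventory):
    """Assess every device in the inventory; results are keyed by device id."""
    return {device.device_id: assess(device) for device in inventory}


# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("d-001", "ModelA", "2018-01-05", unknown_sources=False, end_of_life=False),
    Device("d-002", "ModelB", "2015-11-01", unknown_sources=False, end_of_life=True),
    Device("d-003", "ModelC", "2016-02-01", unknown_sources=True, end_of_life=False),
    Device("d-004", "ModelD", "2017-06-05", unknown_sources=True, end_of_life=False),
    Device("d-005", "ModelE", "", unknown_sources=False, end_of_life=False),
]

if __name__ == "__main__":
    for result in triage(INVENTORY).values():
        print(result["device_id"], result["action"], "; ".join(result["findings"]) or "ok")
```

The patch-level date is the one signal here that maps directly onto the vulnerability discussed; the unknown-sources flag addresses the TrashCleaner delivery path, since the app was only ever available from an unofficial store link.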

It's not rocket science, but it does still catch many organisations out. So the good news is that all this could soon be a problem of the past. "By separating several components of the system using a close-to-hardware API known as Project Treble," John Kozyrakis, Applied Research Lead at Synopsys, told SC Media UK, "Google will be able to push updates directly to users for most parts of the operating system, instead of relying on a big chain of intermediaries." Devices running Android 8 onwards will make use of this system...
