The first tools for injecting legitimate Android apps with open-source software that allows an attacker to control an infected smartphone remotely have been found in the criminal underground.
Symantec’s discovery is the latest example of a growing market in commoditised services from highly specialised suppliers, similar to what has been available for years to commandeer and profit from infected Windows PCs.
The new tool, called a binder, costs $37 and is linked to a free remote access tool (RAT) that is growing in popularity. Known as AndroRAT, the open-source software was first released in November 2012.
The binder simplifies the process of re-packaging a legitimate app with AndroRAT. Once the malware makes contact with the command and control (C&C) server, a criminal can use a customer-friendly control panel to monitor and make phone calls, send text messages, use the smartphone’s camera and microphone, access files and get the device’s GPS coordinates, Symantec said on Tuesday.
AndroRAT is packaged as an APK, which is the standard application format for Android. The AndroRAT-binder combo allows attackers with limited expertise to infect a legitimate app that’s more likely to get permission to access smartphone data and services.
“All we’re seeing right now is just a maturing evolution of a landscape that is allowing lesser technical people to come in and try their hand at some of this criminal activity themselves,” Vikram Thakur, principal manager at Symantec Security Response, said.
Symantec has counted nearly two-dozen popular apps carrying AndroRAT. To date, only several hundred phones have been infected, mostly in the U.S. and Turkey.
Symantec expects that number to rise as the sophistication of AndroRAT increases. “As time goes on there will be a lot more tools available, possibly some even cheaper, once the market gets flooded,” Thakur said.
As an example of how AndroRAT is spreading, a commercial, Java-based RAT known as Adwind is being modified to incorporate an Android module based on AndroRAT code, Symantec said.
Adwind also comes with a user-friendly interface. Because it is written in platform-agnostic Java, versions of the malware have been developed for other operating systems.
While having effective malware is important, a lot more has to happen before Android reaches Windows’ level of profitability as a platform for criminal activity.
