The Stuxnet of Mobile Malware (for Android)


At the end of August Lookout announced the detection of a new strain of malware dubbed "xRAT" that represents the absolute state-of-the-art in mobile malware. Below we'll discuss the implications of this malware, but if you want all the technical details we suggest you head over to Lookout's Analysis.

First, xRAT, as the name suggests, is a "RAT", or Remote Access Tool. Some may also refer to this as a Remotely Activated Trojan. In either case, what we're referring to is the capability to gain access to smartphones remotely over the Internet, without having any physical access to devices.

Even worse, many RATs, including xRAT, are designed to be bundled inside an otherwise innocent-looking application. Let's illustrate below:


The process that is depicted above is called repackaging, and it's important to understand that in most cases it's possible to repackage an application so that end users are unable to tell the difference. This is, in fact, the goal of the attacker, as they want users to be fooled into installing a malicious version of an application that they believe to be safe.

So what are the implications for your organization?

There are two key takeaways that we'd like to discuss with regards to xRAT:

#1 Repackaging is a straightforward process, and any Android application your organization has could be susceptible to this type of attack.

Information and tools describing exactly how to repackage applications are freely available on the Internet, making this type of attack vector something your organization needs to be both aware of and testing for.

#2 The level of sophistication is so high that the application can effectively exfiltrate nearly any information from a target device, and it can cover its tracks extremely well (such as automatically removing itself if it detects that a malware scanner is installed).

Some of the capabilities include: running a suicide function to avoid detection, running remote commands on a device, forwarding network traffic, swapping the connected Wi-Fi network, exploring the contents of data packets, and looking at all browser history, text messages, emails and passwords.

It reminds us of the type of capabilities that the world saw with Stuxnet, which was a nation-state-developed attack on nuclear power plants. Perhaps xRAT is even more insidious because the attack is on personal or corporate devices holding a large amount of sensitive data, where a single infection could trigger a full-scale breach.

So what can you do?

Detecting xRAT is a tough problem, and there are two distinct avenues you need to consider.

The first avenue is detecting whether your employees install any applications that include the xRAT trojan. This can be accomplished via a malware detection application resident on the device, or via a cloud-based application analysis engine. The former provides a removal mechanism, as it can typically take action to remove malware from a device; however, it requires installing an anti-malware app across your entire user base. The latter can't disable an app, but it's an easy-to-implement approach with a fast turnaround that doesn't involve pushing out applications.

The second avenue is detecting whether any of your corporate-owned applications have been repackaged in the wild, and this may be the more important one. In this case, traditional malware tools or device-side apps can't help. What's required is continuous monitoring across the many application marketplaces to ensure your app hasn't been repackaged and redistributed. Here the goal is to protect unsuspecting users from installing a rogue version of your app that may compromise their device.
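One way to implement the core of that marketplace check, as an added example that is not part of the original post or of Lookout's analysis: diff an APK found in the wild against the build you actually shipped. An APK is a ZIP archive, and a repackaged copy has to be re-signed with a key the attacker controls (they do not have yours), so the signer certificate entry changes; it also typically carries modified or additional code entries (`classes*.dex`, native `.so` files). The two APKs below are constructed in memory with placeholder bytes (the manifest and signature blocks are not real), and the signer check looks at v1 JAR-signature entries under `META-INF/`, which is an assumption of this example.

```python
"""Repackaging check: compare an APK found in the wild against the build you shipped.

A repackaged APK must be re-signed by whoever modified it, so the signer
certificate changes, and it usually carries altered or extra code entries.
Both are detectable by diffing the archive against a known-good baseline.
"""
import hashlib
import io
import zipfile

SIGNER_SUFFIXES = (".RSA", ".DSA", ".EC")   # v1 (JAR) signature blocks live under META-INF/
CODE_PREFIXES = ("classes", "lib/")          # entries that carry executable code


def apk_fingerprint(apk_bytes: bytes) -> dict:
    """Map every file entry in an APK (a ZIP archive) to its SHA-256 hex digest."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def is_signer_entry(name: str) -> bool:
    return name.startswith("META-INF/") and name.upper().endswith(SIGNER_SUFFIXES)


def is_code_entry(name: str) -> bool:
    return name.startswith(CODE_PREFIXES) and name.endswith((".dex", ".so"))


def compare_to_baseline(baseline: dict, candidate: dict) -> dict:
    """Diff a candidate APK's fingerprint against the known-good baseline."""
    added = sorted(set(candidate) - set(baseline))
    removed = sorted(set(baseline) - set(candidate))
    modified = sorted(n for n in baseline if n in candidate and baseline[n] != candidate[n])
    changed = added + removed + modified
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "signer_changed": any(is_signer_entry(n) for n in changed),
        "code_changed": any(is_code_entry(n) for n in changed),
    }


def is_repackaged(baseline: dict, candidate: dict) -> bool:
    """A different signer or altered/added code means this is not the build you shipped."""
    verdict = compare_to_baseline(baseline, candidate)
    return verdict["signer_changed"] or verdict["code_changed"]


def build_sample_apk(entries: dict) -> bytes:
    """Construct a minimal stand-in APK in memory (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the build you published (placeholder bytes, not real manifest/dex/PKCS#7 data) ...
GENUINE_APK = build_sample_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"placeholder-pkcs7-block-signed-with-YOUR-key",
})

# ... and the same app after a third party altered it and re-signed it with their own key.
REPACKAGED_APK = build_sample_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32 + b"patched",  # original code altered
    "classes2.dex": b"dex\n035\x00" + b"\x01" * 32,              # extra code added
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"placeholder-pkcs7-block-signed-with-SOMEONE-ELSES-key",
})


def check_sample() -> dict:
    """Run the check on the two constructed APKs and return the diff verdict."""
    baseline = apk_fingerprint(GENUINE_APK)
    return compare_to_baseline(baseline, apk_fingerprint(REPACKAGED_APK))


if __name__ == "__main__":
    verdict = check_sample()
    print("repackaged:", verdict["signer_changed"] or verdict["code_changed"])
    for key in ("added", "removed", "modified"):
        print(f"  {key}: {verdict[key]}")
```

In production the baseline fingerprint is computed once per release and stored alongside the build, and every copy pulled from a marketplace is diffed against it. Modern APKs are usually signed with signature scheme v2 or v3, whose data lives in the APK Signing Block rather than under `META-INF/`; for those, compare the certificate digest reported by `apksigner verify --print-certs` against your release certificate instead of the v1 entries this example inspects. A signer mismatch alone is sufficient evidence of repackaging, since no legitimate build of your app can be signed by a key you do not hold.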

Whatever approach you decide on, we encourage you to consider this attack vector in security planning discussions.

Lastly, our RECON Platform is designed to identify and mitigate threats like xRAT. Check it out live in our Threat Center.