A recently discovered Mobile Remote Access Trojan (MRAT) can take control of infected Android devices and exfiltrate a wide range of user data. Called Rogue, the Trojan is the work of Triangulum and HeXaGoN Dev, known Android malware authors who have been selling their malicious products on underground markets for several years.
Triangulum first shared a mobile RAT on a dark web forum in June 2017. That threat was capable of data exfiltration, but could also destroy data locally and even erase the OS. “Rogue RAT, this deceptively simple bit of malicious code, gives anyone who uses it the ability to record your calls, steal your passwords, read all of your messages (text or email), and more.” Worse, the authors are now selling it on the dark web for as little as $29.99 a copy, which puts a surprisingly powerful hacking tool in the hands of anyone with thirty dollars, whether they have any actual hacking skill or not.[1]
At its core, Rogue RAT is a keylogger: once a target device is infected, the operator can track, keystroke by keystroke, everything the user does on it. Every time the user logs into a bank or any other password-protected site, the malware's controllers end up with those credentials. That hands them the keys to the target's virtual kingdom and lets them cause no end of trouble for an unwary or unobservant victim. Recent updates to Rogue also allow it to monitor the device's GPS position, activate the camera to take pictures, activate the microphone to record phone calls or in-person conversations within earshot of the infected device, and more.
Complicating this security issue is that, because the RAT is widely available, there is no single preferred method of infection; delivery depends on whoever bought the malware. In practice, many buyers use simple phishing, attaching a poisoned file to an email and relying on social engineering to tempt the recipient into opening it. For the development of Rogue, the malware author apparently partnered with HeXaGoN Dev, which specializes in building Android RATs; Triangulum had previously purchased projects from HeXaGoN Dev.
Once the RAT is installed on a device, it repeatedly asks for the permissions it needs until the user grants them. Having obtained them, Rogue hides its icon from the launcher so that it cannot be easily found and removed. The malware also registers itself as a Device Administrator and, if the user attempts to revoke that admin permission, threatens to erase all data by displaying the following message on the screen: “Are you sure to wipe all the data?” Note that a hidden icon only removes the launcher entry: the app still appears under Settings > Apps and in the device's list of device admin apps, and Android will not allow an active device admin to be uninstalled until its admin status has been deactivated first, which is exactly the step the wipe threat is designed to deter. To hide its malicious intentions, Rogue leverages Google's Firebase platform, masquerading as a legitimate Google service. Firebase serves as the command and control (C&C) server, meaning that all commands and data exfiltration are performed over Firebase's infrastructure, so the traffic is indistinguishable from that of the many legitimate apps that use the same service. Of the dozens of services Google Firebase provides to application developers, Rogue uses “Cloud Messaging” to receive commands, “Realtime Database” to upload data, and “Cloud Firestore” to upload files.
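Because the C&C traffic blends into legitimate Firebase traffic, the practical place to look for this family of spyware is the app itself. The script below is an added example (not Check Point's, Red Sky Alliance's, or the malware's code) that performs static triage of an Android manifest for the traits described in the two paragraphs above: a Device Administrator receiver (the hook behind the wipe threat), a Firebase Cloud Messaging service (the command channel), and the cluster of permissions needed for call, message, location, camera and microphone capture. The two manifests embedded in it are constructed for illustration and are not Rogue's real manifest; the scoring weights are an assumption chosen for this example, not a published detection rule.

```python
"""Static triage of an AndroidManifest.xml for MRAT-style traits.

Added example; not code from the original article or from Check Point.
The manifests below are constructed for illustration (not Rogue's own),
and the scoring weights are an assumption made for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Individually these permissions are benign; requested together they cover
# the capabilities described above: SMS/call theft, GPS, camera and microphone.
SPYWARE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}

# A Device Administrator receiver is protected by BIND_DEVICE_ADMIN and listens
# for DEVICE_ADMIN_ENABLED; an FCM service listens for MESSAGING_EVENT.
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

SUSPICIOUS_THRESHOLD = 5  # assumption for this example


def _actions(component):
    """Set of intent-filter action names declared under a component."""
    return {a.get(ANDROID_NS + "name") for a in component.iter("action")}


def triage_manifest(xml_text: str) -> dict:
    """Score a manifest by the combination of spyware traits it declares."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    admin_receivers, fcm_services = [], []
    app = root.find("application")
    if app is not None:
        for recv in app.iter("receiver"):
            if (recv.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION
                    and DEVICE_ADMIN_ACTION in _actions(recv)):
                admin_receivers.append(recv.get(ANDROID_NS + "name"))
        for svc in app.iter("service"):
            if FCM_ACTION in _actions(svc):
                fcm_services.append(svc.get(ANDROID_NS + "name"))
    hits = sorted(requested & SPYWARE_PERMISSIONS)
    # Device admin weighs most (resists removal); FCM alone is near-universal
    # in legitimate apps, so it only adds weight alongside the other traits.
    score = len(hits) + 2 * bool(admin_receivers) + bool(fcm_services)
    return {
        "spyware_permissions": hits,
        "device_admin_receivers": admin_receivers,
        "fcm_services": fcm_services,
        "score": score,
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


# Constructed sample: an app posing as a Google service with every trait above.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakegoogleservice">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Google Service">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/policies"/>
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".PushService" android:exported="false">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that uses FCM push and the camera only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoshare">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="PhotoShare">
    <service android:name=".PushService" android:exported="false">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or androguard) and feed the resulting text to `triage_manifest`. On a live device, the device admin list is visible with `adb shell dumpsys device_policy`, and deactivating an admin before uninstalling it can be done with `adb shell dpm remove-active-admin <package>/<receiver>`, which sidesteps the on-screen wipe prompt the malware shows. Treat the score as a triage aid: a legitimate messaging app can legitimately request several of the listed permissions, so a hit is a reason to look at the app's behaviour, not a verdict.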
The story of the Rogue malware is an example of how mobile devices can be manipulated. Like Triangulum, other threat actors are perfecting their craft and selling mobile malware on the dark web. Android users, beware.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/3702558539639477516
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.zdnet.com/article/this-android-malware-claims-to-give-hackers-full-control-of-your-smartphone/