According to the threat researcher Rodrigo Bijou (@rodrigobijou), Iranian malware authors are focusing their efforts on mobile RATs, in particular, malicious codes designed to compromise Android devices.
The security experts confirmed that Iranian VXers have made Android a priority for their malware-based attacks, they are in fact preferring AndroRAT and DroidJack over other popular remote access trojans like DarkComet and njRAT. Both Android RATs could be easily hidden in “legitimate-looking apps” to trick victims into installing it on their devices.
“The two RATs in particular, AndroRAT and DroidJack, are likely popular among hacking forum members due to the same reasons as njRAT – open access to download or purchase, strong community support, and ease of use.”
The researchers highlighted that threats like njRAT was widespread use for numerous criminal activities and Syrian surveillance campaigns, while XtremeRAT has been in campaigns against Israeli, Egyptian, and Saudi Arabian targets by multiple actors.
According to statistics provided by IDC, Android is the most popular mobile OS in the Middle East and Africa, where more than 80 percent of mobile devices run the Google OS. In this context, it is normal that threat actors targeting the Android users in the users in the area.
Android is the most popular mobile OS in the Middle East and Africa, where it runs on more than 80 percent of devices according to number crunchers at IDC. All variants of Android RATs implement a large number of features, to spy on victims and gain control over the device.
It is quite common observing the offer of Android RATs that have the ability to intercept SMS messages, call logs, browser history, contacts, and sensitive data including the user credentials.
Bijou have monitored underground crime forums in a six-month period discovering the propension on Android RATs.
“Looking at the last six months of activity on prominent Iranian hacking forums, discussions are dominated by interest in RATs that target Android devices,” states an interesting analysis published by Rodrigo Bijou on RecordedFuture. “The sustained Iranian interest in [the older] AndroRAT, despite its age and declining chatter from other sources, could be due to the easy download access, including GitHub repositories, and available community support for deploying the malware.”
The graphic representation provided in the analysis is eloquent, there is a small interest in njRAT (aka Bladabindi) and DarkComet, meanwhile several discussion were related to AndroRAT and DroidJack.
“Today, users can still find multiple for-purchase sites for both tools from basic search engines. Recorded Future research found samples available for open download across multiple hacking forums as recently as September 2015. Samples were also found on open download sites, including forked versions on GitHub.” states RecordedFuture.
Has explained in the analysis, despite DroidJack and AndroRAT represent a minority of total RAT activity, they are very popular due to the low level of technical skill needed and the existence of large communities in the principal hacking forums.
“With a low level of technical skill needed, open availability, and strong community support on hacker forums, DroidJack and AndroRAT are likely to remain popular choices for threat actors seeking to take advantage of Middle Eastern mobile systems.”
Bijou has no doubts, Android RATs will become even more popular among threat actors targeting users in the Middle East and Africa.
(Security Affairs – Android RATs, cybercrime)