Security researchers at South Korean cybersecurity firm ESTsecurity have discovered a new Android Trojan, KevDroid, that is being distributed disguised as a fake anti-virus application called “Naver Defender.”
“Spear phishing attacks targeting Android mobile devices have recently emerged. Portal site Naver sends emails related to personal information leakage prevention to induce malicious apps to be installed.” reads the analysis published by ESTsecurity.
“This malicious app impersonates Naver with the Naver logo and the app name ‘Naver Defender’ and takes away sensitive information such as address book, call log, and text messages.”
KevDroid is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices and to spy on their owners by recording phone calls.
After the initial discovery by ESTsecurity, experts at Talos published a detailed analysis of two variants of the RAT detected in the wild.
“Talos identified two variants of the Android Remote Administration Tool (RAT). Both samples have the same capabilities — namely to steal information on the compromised device (such as contacts, SMS and phone history) and record the victim’s phone calls.” reads the analysis published by Talos.
One of the variants exploits a known Android vulnerability (CVE-2015-3636) to gain root access on the compromised device; this variant was dubbed KevDroid. Both variants send the stolen data to the same command and control (C2) server through an HTTP POST request.
Talos experts explained that the malicious code implemented the feature to record calls based on an open-source project available on GitHub.
The investigation into the infection vector revealed that the attackers used an RTF file attempting to exploit the CVE-2017-11882 vulnerability in Microsoft Office through an embedded Microsoft Equation object.
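A simple triage check for the delivery document described above, added here as an example and not taken from the article or from either vendor's analysis: it flags RTF files that embed an OLE object whose class is the Equation Editor abused by CVE-2017-11882, both when the class is declared in `\objclass` and when only the OLE1 header inside the `\objdata` hex stream reveals it. The three RTF samples are constructed for the example, not real malware.

```python
import re

# Class name of the Equation Editor component, as it appears (ASCII, hex-encoded)
# inside the OLE1 header of an RTF \objdata stream.
EQUATION_CLASS_HEX = "Equation.3".encode("ascii").hex()

# Constructed samples (not real documents): a plain file, one that declares the
# object class openly, and one that omits \objclass and splits the hex stream
# across lines so only the OLE1 header gives the class away.
BENIGN_RTF = r"{\rtf1\ansi Quarterly report.\par}"
DECLARED_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata "
    "01050000020000000b000000" + EQUATION_CLASS_HEX + "00000000" + r"}}\par}"
)
HIDDEN_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objdata 0105 0000 0200 0000" + "\n"
    "0b00 0000 " + EQUATION_CLASS_HEX[:10] + "\n" + EQUATION_CLASS_HEX[10:]
    + " 0000 0000" + r"}}\par}"
)

def objdata_hex_streams(rtf: str) -> list[str]:
    """Collect the hex payload of every \\objdata group, whitespace removed."""
    streams = []
    for m in re.finditer(r"\\objdata\b", rtf):
        # the hex run ends at the first character that is neither hex nor whitespace
        run = re.match(r"[\s0-9a-fA-F]*", rtf[m.end():]).group(0)
        streams.append(re.sub(r"\s+", "", run).lower())
    return streams

def triage_rtf(rtf: str) -> list[str]:
    """Return the reasons an RTF deserves a closer look (empty list = nothing found)."""
    findings = []
    if re.search(r"\\objclass\s*equation", rtf, re.IGNORECASE):
        findings.append("objclass declares an Equation Editor object")
    if any(EQUATION_CLASS_HEX in s for s in objdata_hex_streams(rtf)):
        findings.append("objdata OLE1 header names Equation.3")
    if re.search(r"\\object\b", rtf) and not findings:
        findings.append("embedded OLE object of undeclared class")
    return findings

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_RTF), ("declared", DECLARED_RTF), ("hidden", HIDDEN_RTF)]:
        print(name, triage_rtf(doc))
```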
The bait document used by hackers is written in Korean and contains information on Bitcoin and China.
The second RAT targets Windows systems and uses the PubNub platform as its C2 channel. PubNub is a global data stream network (DSN); the malware uses the PubNub API to publish commands to the compromised systems, so the experts dubbed it “PubNubRAT.”
The most recent variant of KevDroid malware, detected a few weeks ago, implements the following capabilities:
South Korean media associated the KevDroid RAT with North Korea APT Group 123.