AndroSpy was open-sourced on GitHub in August 2020, and its first attack in the wild was observed in November 2020. In the months since it was open-sourced it has been used by several attack groups, and we expect more attackers to adopt this RAT in the future.
Overview
Cracked and open-source RATs, Android RATs included, have historically been among the most popular tools in underground hacking forums. In 2019, the security company Recorded Future analyzed 3.9 million posts published across all the underground hacking media it indexed and found that Chinese- and English-language underground forums pay the most attention to Android devices: the top ten malware families discussed in Chinese-language underground forums include three cracked or open-source Android RATs (SpyNote, AhMyth and DroidJack), while English-language underground media feature two of the three (SpyNote and DroidJack).
In March 2021, the mobile security team of the Qi’anxin Virus Response Center discovered, during routine threat analysis, that an attack group was using a new Android RAT. Through its control terminal, the operator can easily control the infected phone and steal sensitive information from it. To prevent the threat from spreading further, the Qi’anxin Virus Response Center analyzes and discloses it in detail here, so that all security vendors can pay attention to related attack events as early as possible.
Technical analysis
(1) Malicious functions
AndroSpy RAT has powerful remote-control functions. Operated through the control terminal interface, it can locate the victim, record audio and the screen, steal contacts and SMS messages, and more. Once the application is started it establishes a connection with the remote control server in the background and performs the corresponding remote-control operations according to the instructions issued by the server.
(2) Sample analysis
After decompressing the APK, multiple DLL files can be seen in the assemblies directory. However, the DLL files here have been encrypted, so the ILSpy tool cannot be used directly to decompile them.
By analyzing the mono code, we know that every DLL file has to be loaded and mapped into memory through mono_image_open_from_data_internal, so the decrypted DLL files can be obtained by dumping memory at this point.
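The dump step above leaves the analyst with a raw memory buffer rather than neatly separated files. The following added example (not code from the report or from the AndroSpy project) shows how to carve PE images out of such a buffer: it walks every MZ candidate, validates the DOS/PE/optional headers, computes the file-layout size from the section table, and flags images whose CLI data directory is populated, which is what marks a .NET assembly that ILSpy can open. The "dump" used here is constructed in the script from two synthetic minimal PE32 images and filler; the signature of mono_image_open_from_data_internal is not relied on, only the fact that it receives the decrypted image bytes in file layout.

```python
import struct
from typing import Optional

CLI_HEADER_DIRECTORY = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (.NET CLI header)


def parse_pe_at(buf: bytes, off: int) -> Optional[dict]:
    """Validate a PE image starting at buf[off]; return its layout or None if it is not one."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24
    if opt_size < 96 or opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:        # PE32
        dirs_off, ndirs_off = 96, 92
    elif magic == 0x20B:      # PE32+
        dirs_off, ndirs_off = 112, 108
    else:
        return None
    size_of_headers = struct.unpack_from("<I", buf, opt + 60)[0]
    ndirs = struct.unpack_from("<I", buf, opt + ndirs_off)[0]
    is_dotnet = False
    if ndirs > CLI_HEADER_DIRECTORY and dirs_off + 8 * (CLI_HEADER_DIRECTORY + 1) <= opt_size:
        cli_rva, cli_size = struct.unpack_from("<II", buf, opt + dirs_off + 8 * CLI_HEADER_DIRECTORY)
        is_dotnet = cli_rva != 0 and cli_size != 0
    # File-layout size is the headers plus the furthest raw section end.
    end = size_of_headers
    sections = opt + opt_size
    for i in range(nsections):
        s = sections + 40 * i
        if s + 40 > len(buf):
            return None
        _name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, s)
        end = max(end, raw_ptr + raw_size)
    if off + end > len(buf):
        return None               # truncated image: the dump does not hold all of it
    return {"offset": off, "size": end, "machine": machine,
            "sections": nsections, "dotnet": is_dotnet}


def carve_pe_images(buf: bytes) -> list:
    """Find every complete PE image in buf, skipping over images already carved."""
    found, pos = [], 0
    while True:
        idx = buf.find(b"MZ", pos)
        if idx < 0:
            return found
        info = parse_pe_at(buf, idx)
        if info is None:
            pos = idx + 1
        else:
            found.append(info)
            pos = idx + info["size"]


def build_minimal_pe(dotnet: bool) -> bytes:
    """Constructed sample: a minimal PE32 with one section; not a real assembly."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 56, 0x3000)                   # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                    # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    if dotnet:                                                # populate the CLI header directory
        struct.pack_into("<II", opt, 96 + 8 * CLI_HEADER_DIRECTORY, 0x2008, 0x48)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x2000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return headers + bytes([0xCC]) * 0x200                    # 0x400 bytes in total


# Constructed stand-in for a process memory dump: filler, a decoy "MZ" that is not a
# PE image, a .NET image, more filler, and a native (non-.NET) image.
FILLER_A = b"\x00" * 100 + b"MZ\x90\x90decoy" + b"\xff" * 50
FILLER_B = b"\x11" * 33
SAMPLE_DUMP = FILLER_A + build_minimal_pe(True) + FILLER_B + build_minimal_pe(False) + b"\x00" * 20


if __name__ == "__main__":
    for img in carve_pe_images(SAMPLE_DUMP):
        kind = ".NET assembly" if img["dotnet"] else "native PE"
        print(f"offset {img['offset']:#x}: {kind}, {img['size']} bytes, {img['sections']} section(s)")
```

On a real dump the carved .NET slices are written to disk with their offset in the file name and fed to ILSpy; native PEs and images whose sections extend beyond the buffer are reported but not treated as assemblies.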
Looking at the MainActivity.java code, you can see that it is registered to Task2.MainActivity in the C# code.
Using ILSpy to decompile the DLL and locate Task2.MainActivity, analysis shows that its function is to hide the app icon, set WiFi to stay connected while the phone sleeps, and start the ForegroundService service once this is done.
ForegroundService.onCreate initializes the system configuration by reading resource files, creating the related files, and starting Task.Alarm.
After Task.Alarm receives the corresponding action, because mySocketConnected is false by default, Task2.ForegroundService.Baglanti_Kur is executed.
Baglanti_Kur communicates with the server, waits for control instructions, and uses Task2.ForegroundService.infoAdl to receive the instruction data sent by the server.
After receiving the command data from the server, it uses InfoAll.UnPacker to decode the command and calls Soketimizdan_Gelen_Veriler to execute the corresponding command operation.
Summary
In recent years, cracked and open-source mobile RATs have become popular with ordinary attackers and are commonly used in advanced mobile threat attacks as well. While tracking advanced mobile threats, we found that most mobile APT groups mainly use cracked and open-source mobile RATs, which reduces the cost of an attack. For ordinary users, the mobile security team of the Qi’anxin Threat Intelligence Center offers the following suggestions for avoiding attacks on mobile devices:
(1) Update the system in time and download applications only from official application stores. Domestic users can download them from the app store that comes with the phone, and overseas users from Google Play. Don’t install apps from untrusted sources, don’t click on unknown URLs, and don’t scan QR codes of unknown origin.
(2) Update mobile devices promptly and in a trusted network environment, and avoid using untrusted networks.
(3) Be especially cautious about applications that request permission to install other applications or to be activated as a device administrator. Generally speaking, ordinary applications do not request these permissions, and device administrator rights in particular are something normal applications have no need for.
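The capabilities listed under malicious functions and the permissions singled out in suggestion (3) can be turned into a quick manifest triage check. The following added example (not code from the report or from the AndroSpy project) reads a decoded text AndroidManifest.xml, such as the one apktool produces, and flags the spyware-typical permission set, the request to install packages, and a device-admin receiver. The two manifests it is run against are constructed here for illustration, and the mapping from capability to permission is the author's own, not taken from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed mapping: the capabilities a spyware app needs and the permission that grants each.
SPYWARE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "locate the victim",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(xml_text: str) -> dict:
    """Summarise the risky permissions and components declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hits = {p: why for p, why in SPYWARE_PERMISSIONS.items() if p in requested}
    # A device-admin receiver is declared with android:permission=BIND_DEVICE_ADMIN.
    device_admin = any(r.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION
                       for r in root.iter("receiver"))
    install_packages = "android.permission.REQUEST_INSTALL_PACKAGES" in requested
    # Scoring rule (constructed): device-admin or install rights, or three or more
    # surveillance permissions together, is what the report's advice warns about.
    if device_admin or install_packages or len(hits) >= 3:
        risk = "high"
    elif hits:
        risk = "medium"
    else:
        risk = "low"
    return {"package": root.get("package"), "hits": hits,
            "device_admin": device_admin, "install_packages": install_packages, "risk": risk}


# Constructed manifests: one with a spyware-like profile, one ordinary network app.
SPY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.spy">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for text in (SPY_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(text)
        print(result["package"], result["risk"], sorted(result["hits"]), result["device_admin"])
```

The check is a triage aid only: a legitimate enterprise MDM client can legitimately hold device-admin rights, so a "high" result means "look closer", not "malicious".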