Android RAT Krysanec Masquerades as Legit Apps

Camouflage and exfiltration make a potent combination for malware, and a newly discovered Android remote access Trojan (RAT) handles the first half with a proven gambit: it masquerades as one of several legitimate Android applications.

Dubbed Krysanec, the RAT opens a backdoor through which its operators can take photos, record audio, read the device's current GPS location and read SMS or WhatsApp messages.

“One of the most common infection vectors for Android malware is to disguise itself as a popular legitimate app – from various games to other more or less useful pieces of software,” explained Robert Lipovsky, a researcher at ESET, in a blog. “Quite often, the legitimate functionality is present, but with a malicious aftermarket addition – the very essence of a trojan horse. And quite often, the application purports to be a cracked version of a popular paid application – so the danger is greater on less-than-trustworthy app stores and forums – but this is certainly not an indisputable rule.”

In this case, Krysanec is a malicious modification of MobileBank (the mobile banking app of Russia's Sberbank), 3G Traffic Guard (an app for monitoring data usage) and a few others, including, deviously, the ESET Mobile Security app itself. The malware was found to be distributed through several channels, including a typical file-sharing site and a Russian social network. ESET also found that some of the samples connected to a C&C server hosted on a domain belonging to the dynamic DNS provider No-IP, which made headlines when Microsoft's Digital Crimes Unit mounted a takedown of its domains for hosting malware, a takedown it was subsequently forced to reverse.
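A C&C host parked on a free dynamic-DNS zone, as in the No-IP case above, is something a defender can hunt for in resolver logs. The following is an added example, not code from ESET, Malwarebytes or Infosecurity: it flags DNS queries whose name sits under a watched dynamic-DNS zone, matching on label boundaries so that look-alike domains and the provider's own apex are not flagged. The zone list is an assumption (a few well-known No-IP free zones, not a complete list) and the log lines and their format are constructed.

```python
"""Flag DNS lookups for dynamic-DNS hostnames in a resolver log.

Added example, not from ESET, Malwarebytes or Infosecurity. Krysanec's C&C
used a No-IP domain; free dynamic-DNS hosts are a common place to park a
RAT's C&C because they cost nothing and can be re-pointed at will.
The zone list is an assumption, and the log lines are constructed.
"""

# Assumed watch-list of dynamic-DNS zones (extend from your own threat intel).
DYNDNS_ZONES = {
    "no-ip.org", "no-ip.biz", "no-ip.info", "ddns.net", "hopto.org",
    "zapto.org", "sytes.net", "myftp.org", "serveftp.com",
}


def dyndns_zone(hostname):
    """Return the watched zone a hostname is registered under, or None.

    Matches on label boundaries only, so "cdn.xddns.net" is not flagged by
    "ddns.net", and the zone apex itself ("ddns.net") is not flagged either:
    a customer host always has at least one label in front of the zone.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):          # i >= 1 keeps the bare apex out
        candidate = ".".join(labels[i:])
        if candidate in DYNDNS_ZONES:
            return candidate
    return None


def parse_query_line(line):
    """Parse one constructed resolver log line of the form
    '<timestamp> <client-ip> query <qtype> <qname>'. Returns a dict or None."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "query":
        return None
    return {"ts": parts[0], "client": parts[1], "qtype": parts[3], "qname": parts[4]}


def flag_dyndns_queries(lines):
    """Return [(client, qname, zone), ...] for every query under a watched zone."""
    hits = []
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:                      # unparseable line: skip, don't crash
            continue
        zone = dyndns_zone(rec["qname"])
        if zone:
            hits.append((rec["client"], rec["qname"], zone))
    return hits


# Constructed sample log: one phone beaconing to a No-IP host, two benign
# lookups, a look-alike domain, the zone apex itself, and a malformed line.
SAMPLE_LOG = [
    "2014-08-12T10:15:02Z 10.0.0.23 query A updates.example-c2.no-ip.org.",
    "2014-08-12T10:15:03Z 10.0.0.23 query A connectivitycheck.gstatic.com",
    "2014-08-12T10:15:09Z 10.0.0.41 query AAAA mail.example.com",
    "2014-08-12T10:15:10Z 10.0.0.41 query A cdn.xddns.net",
    "2014-08-12T10:15:11Z 10.0.0.41 query A ddns.net",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for client, qname, zone in flag_dyndns_queries(SAMPLE_LOG):
        print(f"{client} -> {qname} (dynamic DNS zone {zone})")
```

A hit on its own is not a verdict: plenty of hobbyists use dynamic DNS legitimately, so treat the flagged client as a pivot for further investigation (periodic beaconing, the app that made the request) rather than as a confirmed infection.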

Nathan Collier, senior malware intelligence analyst at Malwarebytes Labs (www.malwarebytes.org), told Infosecurity that the Trojan's repackaging of legitimate software reflects a disturbing technical reality.

“It’s a relatively straightforward job for someone with coding experience to decompile an existing Android app, insert malicious capabilities and re-build it as new,” he said. “The tools to make this possible can be found by anyone with a good working knowledge of a search engine. A lot of the Android RATs used also utilize existing pre-built toolkits, making it relatively straightforward.”

Lipovsky noted that the Android app ecosystem offers a reliable countermeasure against such unwarranted and malicious modifications: applications are digitally signed with the actual developers' certificates, and a modified, re-built app cannot carry the original developer's signature because the attacker does not hold that signing key. The Krysanec variants were not signed with the legitimate developers' certificates, but users rarely examine the applications they install on their smartphones carefully, especially those who seek out apps from stores other than Google Play.
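The countermeasure Lipovsky describes can be turned into a concrete check: extract the signer certificate from an APK and compare its fingerprint with the developer's known one. The code below is an added example, not code from ESET, Infosecurity or the Android project. It reads the v1 (JAR) signature, where the signer's certificate sits inside a PKCS#7 SignedData blob under META-INF/, using only the standard library and a minimal DER walk. The two "certificates", the APK zip and the fingerprint pin are constructed stand-ins so the example runs offline; a real APK would carry a real X.509 certificate in the same place.

```python
"""Pin an APK's signing certificate to the developer's known fingerprint.

Added example, not code from ESET or Infosecurity. Android's v1 (JAR)
signature stores the signer's X.509 certificate in a PKCS#7 SignedData
blob at META-INF/<name>.RSA (or .DSA/.EC). A repackaged Trojan has to be
re-signed by whoever modified it, so its fingerprint will not match the
legitimate developer's. The DER walk handles only the SignedData layout;
the sample certificates and zip are constructed stand-ins.
"""
import hashlib
import io
import zipfile


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, raw_tlv, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                                  # short-form length
        length, hdr = first, 2
    else:                                             # long form: 0x8N + N bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    return tag, buf[start:end], buf[pos:end], end


def der_children(value):
    """Yield (tag, value, raw_tlv) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, raw, pos = der_read(value, pos)
        yield tag, val, raw


def certificates_from_pkcs7(blob):
    """Return the DER certificates carried in a PKCS#7 ContentInfo/SignedData.
    ContentInfo = SEQUENCE { contentType OID, [0] EXPLICIT SignedData };
    SignedData  = SEQUENCE { version, digestAlgs, contentInfo,
                             certificates [0] IMPLICIT OPTIONAL, ... }."""
    _, content_info, _, _ = der_read(blob)
    _tag, explicit0, _ = list(der_children(content_info))[1]
    _tag, signed_data, _ = next(der_children(explicit0))
    for tag, val, _ in der_children(signed_data):
        if tag == 0xA0:                               # certificates [0]
            return [tlv for t, _v, tlv in der_children(val) if t == 0x30]
    return []


def apk_signer_fingerprints(apk_bytes):
    """SHA-256 fingerprints of every signer certificate in the v1 signature."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps


def is_signed_by(apk_bytes, pinned_fingerprints):
    """True only if the APK has a signer and every signer is one we pinned."""
    fps = apk_signer_fingerprints(apk_bytes)
    return bool(fps) and fps <= set(pinned_fingerprints)


# --- constructed sample input (builder used only for the demo) ---------------

def der(tag, content):
    """Encode one DER TLV."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("06092a864886f70d010701")          # 1.2.840.113549.1.7.1


def build_sample_apk(cert_der):
    """CONSTRUCTED: a zip with the v1 signature layout carrying cert_der in
    META-INF/CERT.RSA. signerInfos is empty, so this exercises the pinning
    check but would never pass installation on a device."""
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, OID_DATA)
                      + der(0xA0, cert_der) + der(0x31, b""))
    pkcs7 = der(0x30, OID_SIGNED_DATA + der(0xA0, signed_data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
        z.writestr("classes.dex", b"constructed placeholder, not real dex")
    return out.getvalue()


# Stand-ins for the developer's and a repackager's certificates: a real one is
# an X.509 Certificate SEQUENCE, and any SEQUENCE is enough to fingerprint.
DEV_CERT = der(0x30, der(0x0C, b"constructed: legitimate developer certificate"))
REPACKAGER_CERT = der(0x30, der(0x0C, b"constructed: repackager's self-signed certificate"))
DEV_FINGERPRINT = hashlib.sha256(DEV_CERT).hexdigest()


def demo():
    """The genuine build passes the pin; the re-signed repackage fails it."""
    genuine = build_sample_apk(DEV_CERT)
    repackaged = build_sample_apk(REPACKAGER_CERT)
    return is_signed_by(genuine, {DEV_FINGERPRINT}), is_signed_by(repackaged, {DEV_FINGERPRINT})


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Two caveats for real use. First, this reads only the v1 JAR signature; APKs signed with the v2/v3 schemes (Android 7.0 and later) carry their certificate in the APK Signing Block instead, so for production checks run `apksigner verify --print-certs app.apk` from the Android SDK build-tools and pin the fingerprints it prints. Second, the check tells you whether the package was signed by the key you expect; it says nothing about whether that key's owner is trustworthy, which is why the pin must come from a source other than the APK you are inspecting.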

“While remote-access-tools for Android are less common than their Windows desktop counterparts, the main message here is to stress that users should download not only our ESET Mobile Security but any application only from trustworthy sources, such as the official Google Play store,” he said. “And even there, exercise caution by carefully examining the permissions requested by the app.”

And so, as with many malware examples, the human factor has a crucial part to play in preventing its spread. “In terms of the threat to consumers, it is the age-old security industry problem of awareness,” Collier said. “More people need to be made aware that their smartphone is potentially vulnerable to this kind of scam. If they don’t already have an anti-malware scanner on their phone, now would be the time to get one.”
