A recently discovered mobile remote access Trojan includes extensive data collection capabilities and is associated with known mobile and Windows-targeting threats, Lookout security researchers warn.
Dubbed xRAT, the malware appears to have evolved from the high-profile Xsser / mRAT malware that made headlines in late 2014. The newly discovered mobile threat has a code structure almost identical to that of the mRAT family, uses the same decryption key, and shows heuristics and naming conventions that suggest the same actor developed both.
Furthermore, the command and control (C&C) servers for the new mobile threat are also linked to Windows malware, suggesting that an experienced crime group is operating it. Earlier this year, security researchers found that QuasarRAT, a free and open source remote access tool (RAT), evolved from the xRAT Windows malware.
The xRAT mobile Trojan, the security researchers say, appears to specifically target political groups and includes capabilities ranging from reconnaissance and information gathering to detection evasion, antivirus checks, and app and file deletion. The malware also gathers data from communications apps such as QQ and WeChat and allows its operators to remotely control much of its functionality in real time.
On Android devices, the malware can exfiltrate browser history, device metadata, text messages, contacts, call logs, QQ and WeChat data, Wi-Fi access point information, email databases and usernames/passwords, geolocation, the list of installed apps, and SIM card information.
It can also give the remote attacker a shell, download or delete attacker-specified files, enable airplane mode, list all files and directories on external storage or the contents of specified directories, retrieve files of an attacker-specified type, search external storage, upload files to the C&C, make phone calls, record audio, execute commands as the root user, and download a trojanized version of QQ.
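The data-collection profile above maps onto a recognisable set of Android permissions, which is a cheap triage cue when a device is suspected of carrying this kind of RAT. The following is an added example, not code from the article or from Lookout: it parses the output of `adb shell dumpsys package` (the `Package [...]` headers and `granted=true` permission lines, in the format Android actually prints) and flags any package whose granted permissions cover most of the capabilities listed in the text. The permission-to-capability mapping, the threshold, the package names and the dumpsys excerpt are all the author's own constructed assumptions.

```python
"""Triage heuristic: flag installed Android packages whose granted permissions
match the data-collection profile described for the xRAT mobile Trojan.

Feed it the text of `adb shell dumpsys package` (all packages) or
`adb shell dumpsys package <pkg>`; only 'Package [...]' headers and
'<permission>: granted=true' lines are used.
"""
import re
import sys

# Assumed mapping of the capabilities named in the article to Android
# permissions. This is the author's own mapping, not Lookout's detection logic.
PROFILE = {
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CALL_PHONE": "placing phone calls",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage search",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi access point information",
    "android.permission.INTERNET": "C&C communication",
}
THRESHOLD = 6  # assumed cut-off: how many profile capabilities before we flag

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_dumpsys(text):
    """Return {package_name: set_of_granted_permissions}.

    Both 'install permissions' lines ('granted=true') and 'runtime permissions'
    lines ('granted=true, flags=[ ... ]') match PERM_RE; lines under
    'requested permissions:' carry no granted= field and are ignored.
    """
    result = {}
    current = None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current is not None and m.group(2) == "true":
            result[current].add(m.group(1))
    return result


def profile_hits(perms):
    """Sorted list of article capabilities covered by a permission set."""
    return sorted(PROFILE[p] for p in perms if p in PROFILE)


def flag_packages(text, threshold=THRESHOLD):
    """Return {package: [capabilities]} for packages at or above the threshold."""
    flagged = {}
    for pkg, perms in parse_dumpsys(text).items():
        hits = profile_hits(perms)
        if len(hits) >= threshold:
            flagged[pkg] = hits
    return flagged


# Constructed sample dumpsys output (not captured from a real device):
# a benign-looking weather app and a package with the full RAT profile.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.weather] (a1b2c3):
    userId=10120
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
    User 0: ceDataInode=1 installed=true
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.suspect] (d4e5f6):
    userId=10121
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_WIFI_STATE: granted=true
    User 0: ceDataInode=2 installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.CALL_PHONE: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    # Usage: python triage.py [dumpsys_output.txt]; with no file, run the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMPSYS
    for pkg, hits in flag_packages(data).items():
        print(f"{pkg}: {len(hits)} profile capabilities -> {', '.join(hits)}")
```

A legitimate messaging or backup app can match the same profile, so a hit is a reason to pull the APK and inspect it, not evidence of compromise on its own; the self-uninstall and antivirus-check behaviours described below are the kind of corroboration to look for next.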
To avoid detection, xRAT includes a function that terminates itself and cleans out its installation directory before uninstalling. The malware also checks for specific antivirus applications and alerts the operators if any are present on a compromised device.
The threat also includes a robust file deletion module that can remove “large portions of a device or attacker-specified files,” including images and audio files from certain directories on the SD card, specific input method editors (IMEs), and messaging apps. It can also wipe a device by deleting all files from the SD card, all apps and data from /data/data/, and all system apps from /system/app/; the latter two require the root access the malware's root command execution provides.
Most of the C&C servers used by xRAT in the past were based in China, while recent samples revealed attacker infrastructure in the United States as well. The infrastructure has Windows malware associated with it, including a malicious executable named MyExam, which Lookout says is an indication that “the actors behind this family may be continuing to target students, similar to how attackers used mRAT during the protests in 2014.”