A New Android ‘RAT’ Appears – Serious Banking Threat Could Be On The Horizon According To Researchers

Ramish Zafar
Posted Jul 4, 2014
21Shares
Share Tweet Submit

A new ‘RAT’ or a Remote Access Tool has been discovered running on the Android platform. While RATs are common on the open source software, this one has serious damage wrecking potential. Security experts at Fireeye have discovered a new remote access tool running on the popular operating system. According to the experts, this tool has the potential to wreak great havoc. Malwares on the Android OS generally run in the background and are controlled by a Remote Access Tool, namely RAT. This particular RAT pretends to be a ‘Google Class Framework’ and automatically kills the antivirus software on the device.

Structure Of HijackRAT Malware

HijackRAT Malware Combines Several Malicious Tasks Into One Package. Framework To Carry Out Bank Hijacking Also Discovered

The HijackRAT discovered by experts combines several malicious tasks into one package. These include executing privacy leakages, stealing banking credentials and having a remote access to your data/device. In addition, experts have discovered a more worrying problems. A framework was found which is designed for bank hijackings. Starting from South Korea, currently eight banks are on the attacker’s list. But the hacker has the potential to expand to new banks with just 30 minutes of work. Both the developer of the malware and its victims are Korean speakers. Even more worryingly, this malware has an extremely low detection rate. Only 5 out of 54 antivirus programs were able to detect the malware. This is primarily due to its ability to change its command and control servers.

Virus detection of malware sample.

The package name of the HijackRAT is ”com.ll”. It disguises itself as a google services framework. A few minutes after installation, the google services framework icon appears on the home screen. When tapped on, the malware asks for administrative privileges. Once these are granted, the uninstallation option for the malware is disabled and a new service called GS starts. The malware can only be removed by deactivating its administrative privileges in Settings. service

Background Service of Malware

Thats all for now folks. For more information on the HijackRAT, you can read the full report by the mobile security researchers at fireeye over here.

Share Tweet Submit