Security firm ESET has discovered a crafty Android ‘backdoor’ remote access Trojan (RAT) passing itself off as a variety of apps, including the firm’s own Mobile Security software.
What the app, ‘Krysanec’, was trying to do is pretty straightforward – fool users into downloading it on the assumption that it was what it said it was. The Android apps the malware impersonated included the mobile banking app of Russia’s Sberbank, a data usage app called 3G Traffic Guard, and ESET’s security app.
The good news is that the app was found on non-approved Russian app stores rather than Google’s official Play Store and so represents a trifling risk to anyone beyond that territory for now.
More interestingly, the malware’s dirty work is done by the off-the-shelf Java-based Unrecom RAT, which migrated from the PC world to Android some time last year. Abilities include taking photos, recording audio, noting GPS location, plus mining a variety of other data from the affected smartphone.
It’s a strange tool to use to target Android users because it doesn’t do the one thing that Russian malware usually does, namely set up toll fraud. As the RAT’s control panel makes apparent, its intention is remote monitoring and data theft. Krysanec is more like a spying tool than a mechanism of straightforward commercial criminality which suggests it might be closer to household spyware than a fearsome threat.
Another interesting element of the malware is that some samples have been using command & control hosted by US-based No-ip.com (Vitalwerks), recently involved in a legal tussle with Microsoft after the software giant seized control of some of its domains.
ESET’s simple commandment is not to download Android software from anywhere other than the Google Play store, although the overwhelming majority of users never install apps from outside it anyway. The more subtle message is that, once again, Android is becoming the domain of tools that were once troublesome only for Windows users.