AndroRAT Exploits Old Root Access Vulnerability

What Is It?

Researchers recently released analysis of a new variant of AndroRAT, a remote access trojan (RAT) for Android devices.

Of note, this variant exploits the CVE-2015-1805 vulnerability in order to gain root access to the device to allow it to perform privileged actions. This vulnerability was patched by Google in March 2016, however devices running older versions of Android which no longer receive patches leave a large number of users potentially exposed. This user base could include those making use of a corporate bring your own device (BYOD) program which could provide attackers with sensitive information or other information which could be used to socially engineer an infected user or other employees.

This AndroRAT variant’s capabilities include, key logging, recording audio and calls, taking photos and stealing various data – WiFi passwords, call logs, GPS location, contacts, files, SMS messages, calendar events, screenshots and web browsing history. It can also be used to upload files to the device.

How Does It Propagate?

AndroRAT does not self-propagate.The malware is contained in a malicious app on third party app stores and users are enticed to download it based on its apparent usefulness. Google have confirmed this app was never present in the official Google Play store and that detection for CVE-2015-1805 was already part of their compatibility tests. This reinforces the dangers posed to users by third party app stores.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detects this malware. Regression testing on four samples has shown the malware would have been detected by BluVector 30, 27 and 7 months prior to its release. Note: BluVector would only detect the malware if the mobile device was connected to a corporate network monitored by a BluVector appliance.

All Threat Reports