
Malware vendors look to marketing to spread Android RAT

20 Jan 2021

What happens when an Android malware vendor teams up with a marketer? It turns out the answer is quite a lot, especially when they are trying to rebrand their products to make more money from the criminal underground.

Check Point recently published research into the malware vendor who goes by the name Triangulum. This person initially came to the criminal underground market with a partner called HeXaGoN Dev, and together they jointly created Cosmos, a remote access trojan (RAT) that targets Android systems. It is able to read and write SMS, access call logs, take screenshots, and log keystrokes. It is, at times, also able to delete the entire operating system.

With a bit of creative marketing, the partners branched out from Cosmos to offer a product called DarkShades, which adds audio recording and camera takeover capabilities.

The latest product is called Rogue, which builds on DarkShades with features like registering as a device administrator, registering as the default SMS app, and sending fake notifications.

Furthermore, the malware vendors co-opt Google Firebase so that their products look like a genuine Google service - but they are anything but genuine.

Android malware is also a lucrative industry for criminals: research from Statista indicates that more than 85% of the estimated 3.5 billion devices worldwide run the Android operating system.

“Controlled access to official app stores such as Google Play does offer a measure of protection to users. This means that would-be attackers have to develop new and innovative mobile infection vectors, and use and refine new skills and techniques to bypass security protections and place malicious apps in official app stores,” Check Point researchers explain.

Check Point’s head of cyber research Yaniv Balmas says that malware vendors are becoming much more resourceful in the ‘crazy’ underground market.

“There’s a correlation between this ‘crazy’ underground market and the real world. It’s very easy to twist things around and create ‘fake products’. This naturally creates a lot of noise, and the problem is that it might confuse security vendors,” says Balmas.

“While we have ways of detecting such things in the real world, the underground market is still like the wild-west in a sense, which makes it very hard to understand what is a real threat and what isn’t.”

Check Point recommends that people:

  • Regularly update their device operating systems
  • Only install apps from official app stores, such as Google Play
  • Avoid using public wifi networks
  • Enable remote wipe capability on all devices
  • Use mobile cybersecurity software.