Bitdefender researchers Alin Barbatei and Marius Mihai Tivadar have discovered a new Android Remote Access Trojan (RAT) in China and Japan. The RAT is able to spy on mobile devices by taking screenshots and listening to phone calls. The captured data is then uploaded to Command & Control (C&C) servers located in Italy.
To install the spyware, the attack requires that the target device has previously been rooted. Rooting makes it possible to gain complete control over the entire device, bypassing the user controls built into the OS. While there are many reasons why a user might do this, it also makes life easier for hackers. China Internet Watch has reported that 80% of Android devices in China have been rooted.
What makes this of interest?
It is the Italian connection that makes this interesting. The RAT selects its victims based on their International Mobile Station Equipment Identity (IMEI), a unique identifier that every mobile device has. The use of specific IMEI numbers makes this a very targeted attack, which suggests several possible targets.
Is this criminals tracking tourists who have recently visited Italy? Could it be one criminal gang spying on another? Is this a government operation that Bitdefender has stumbled upon? If so, which government? Europe is a hotbed of companies that develop spyware for governments and law enforcement. It is possible this attack is part of a campaign conducted by an Italian company on behalf of another government.
This could also be part of a much darker threat. The researchers say: “Since only advanced persistent threats (APT) normally exhibit this type of selectivity when infecting victims, this Android RAT could be part of a wider attack that is yet to be uncovered.” The Android RAT has been distributed under two package names, “it.cyprus.client” and “it.assistenzaumts.update”. Despite the different names, there is apparently no difference in functionality.
The discovery of yet another Android RAT should come as no surprise. The sheer number of Android devices in use makes the platform an ideal choice for attackers. There is also an increasing number of Android devices that are never updated, which makes them much easier for hackers to attack.
Is this just another cyberattack or is it something much more mysterious? We will have to wait a little longer to find out.