A new combination of two older types of malware, which provides hackers with access to almost everything a user does on an Android smartphone, is up for sale on underground forums for as little as $29.99 – providing even low-level cyber criminals with the ability to steal sensitive personal data.
The ‘Rogue’ remote administration tool (RAT) infects victims with a keylogger, allowing attackers to easily monitor the use of websites and apps in order to steal usernames and passwords, as well as financial data. The low cost of the malware reflects the increasing sophistication of the criminal ecosystem that is making it possible for wannabe crooks with limited technical skills to acquire the tools to stage attacks.
The malware threatens full-scale espionage on the device by monitoring the GPS location of the target, taking screenshots, using the camera to take pictures, secretly recording audio from calls and more. It does all this while staying completely hidden from victims – and all attackers need is their own smartphone in order to issue commands.
SEE: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)
Rogue has been detailed by cybersecurity researchers at Check Point, who say it isn’t a fully new form of malware, but rather a combination of two previous families of Android RATs – Cosmos and Hawkshaw – and demonstrates the evolution of malware development on the dark web.
There’s no single way in which hackers install Rogue because part of the way it works is they get to choose the method of infection, either by phishing, malicious apps or something else.
After being downloaded onto a smartphone, Rogue asks for the permissions that it needs for the hacker to remotely access the device – although the download obviously doesn’t mention that this is the reason why they’re needed. If the permissions are not granted, it will repeatedly ask the user to grant them until they do.
Once the permissions have been gained, Rogue registers itself as the device administrator and hides its icon from the home screen. If the user tries to revoke these administrator credentials, a message asks “Are you sure to wipe all the data?”, something that could scare many people off attempting to remove the installation, fearing they’ll wipe their entire device.
The malware gets around being detected as malicious by exploiting Google’s Firebase service for apps in order to masquerade as a legitimate app on the device and help it remain embedded and active.
SEE: Cybersecurity: This ‘costly and destructive’ malware is the biggest threat to your network
Once successfully embedded on a device, the malware installs its own notification service, allowing the malicious operator to examine what notification and pop-up the victim receives, enabling them opportunities to examine what data is available on the device.
One of the best ways for users to avoid falling victim to mobile malware is to install security updates, something that prevents cyber criminals from exploiting known vulnerabilities to help deliver malware. In addition to this, users should be wary of apps that appear to ask for an excessive number of permissions to run on the device and should ideally only download apps with a trusted source of origin from the official app store.
