Italian malware is spying on Chinese Android users: But why?

Researchers at Bitdefender are warning that a data-stealing Trojan poses a threat to the vast majority of Android users in China.
Written by Danny Palmer, Senior Writer


An Android remote access Trojan (RAT), suspected of being Italian in origin, is spying on users in China and Japan and uploading audio and images to a remote command and control server.

Discovered by cybersecurity researchers at Bitdefender, the RAT specifically targets rooted Android devices based on their IMEI (International Mobile Station Equipment Identity) and has the ability to take screenshots, listen to phone calls, and potentially even take full control of the device -- putting the user at risk of becoming a victim of hacking and fraud.

Researchers note that usually only advanced persistent threats exhibit this type of selectivity when choosing which victims to infect, suggesting that this Android RAT could be part of a wider attack campaign which is yet to be uncovered.

Add to that the fact that the RAT specifically targets rooted devices -- the Android equivalent of jailbreaking, or unlocking the system so the user can install unapproved apps -- and it poses a significant threat to the China region, as figures suggest 80 percent of Chinese Android users root their smartphones.

While the RAT's full cyber espionage capabilities only work on rooted devices, the malware can also run basic capabilities such as device identification on non-rooted devices.

The research by Bitdefender appears to point to the Trojan being linked to Italian hackers, because not only are strings of code in it written in Italian, but the RAT connects back to command and control servers in Italy. However, the exact identity of those behind it remains unclear -- as does the reason for the malware targeting users in China.

The Android RAT is known to have been distributed under two package names -- 'it.cyprus.client' and 'it.assistenzaumts.update' -- but the result is the same in both cases, enabling full spying capabilities on the infected device.

Neither of the samples was found in the Google Play store, suggesting that infected victims are downloading applications from unsecured third-party application providers.

Each variant of the malware installation package was mostly spotted in China, although Japanese users have also fallen victim to the Trojan. Researchers also found traces of Android users in the Netherlands being infected by the RAT.

According to Bitdefender, the best way for users to defend against infection from this malware is to only download verified apps from official marketplaces and to ensure that their mobile device has security software installed in order to root out potential threats.

The combination of China's large population and the popularity of Android in the country means that it's widely suspected the vast majority of Android malware victims are in the region. The recently discovered HummingBad malware, for example, has infected 85 million Android users across the globe, with most victims in China and India.

But it isn't just Android smartphone users who need to worry about the risk of being hacked: malware and ransomware are increasing on iOS devices too.

