Discovered by cybersecurity researchers at Bitdefender, the RAT specifically targets rooted Android devices based on their IMEI (International Mobile Station Equipment Identity) and has the ability to take screenshots, listen to phone calls, and potentially even take full control of the device -- putting the user at risk of becoming a victim of hacking and fraud.
Researchers note that usually only advanced persistent threats exhibit this kind of selectivity when choosing which victims to infect, suggesting that this Android RAT could be part of a wider attack campaign which is yet to be uncovered.
While the RAT's full cyber espionage capabilities only work on rooted devices, the malware can also run basic capabilities such as device identification on non-rooted devices.
The research by Bitdefender appears to point to the Trojan being linked to Italian hackers, because not only are strings of code in it written in Italian, but the RAT connects back to command and control servers in Italy. However, the exact identity of those behind it remains unclear -- as does the reason for the malware targeting users in China.
The Android RAT is known to have been distributed under two package names -- 'it.cyprus.client' and 'it.assistenzaumts.update' -- but the result is the same in both cases, enabling full spying capabilities on the infected device.
Neither of the samples was found in the Google Play store, suggesting that infected victims are downloading applications from unsecured third-party application providers.
Each variant of the malware installation package was mostly spotted in China, although Japanese users have also fallen victim to the Trojan. Researchers also found traces of Android users in the Netherlands being infected by the RAT.
According to Bitdefender, the best way for users to defend against infection from this malware is to only download verified apps from official marketplaces and to ensure that their mobile device has security software installed in order to root out potential threats.
The combination of China's large population and the popularity of Android in the country means that it's widely suspected the vast majority of Android malware victims are in the region. The recently discovered HummingBad malware, for example, has infected 85 million Android users across the globe, with most victims in China and India.