RATs or remote-administration tools are a perennial online pest.
Following last week's arrests of people who'd subscribed to the DroidJack RAT to spy on Android users, a security firm has now raised the alarm over another malicious subscription service.
This one is dubbed OmniRAT and is designed to target not just Android phones, but Windows, Mac and Linux PCs, according to Avast malware researcher Nikolaos Chrysaidos.
DroidJack's creator sold the RAT for $210. It was promoted as a "parental tool" to monitor children's Android devices, but some subscribers have used it for malicious purposes, leading to last week's arrests in Europe and the US.
OmniRAT is sold as a subscription on its own website and is relatively cheap, costing between $25 and $50 for a 'lifetime license' to target Android and desktop platforms.
Chrysaidos concluded that a variant of OmniRAT is being used to attack Android users after investigating the tale of a German Android user who reported being tricked in an SMS message into installing a malicious Android file.
Whoever is behind the campaign is using uncertainty over the recently-patched Android Stagefright vulnerability -- which could be exploited by receiving an MMS message -- to trick victims into installing the spyware.
According to Chrysaidos, the SMS said: "This MMS cannot be directly sent to you, due to the Android vulnerability Stagefright. Access the MMS within 3 days [Bitly link] with your telephone number and enter the PIN code [code]." Once the link is opened, a site loads where you are asked to enter the code from the SMS along with your phone number, he said.
Of course, Stagefright never prevented Android devices from receiving MMS messages. The general advice for Android users is not to install apps from outside Google Play.
After entering the phone number and code, an APK file, mms-einst8923, is downloaded onto the Android device. For whatever reason, the German user approved the installation despite Android flagging that the app requested privacy and device-access permissions.
Once installed, the app loads a message onto the phone saying that the MMS settings have been successfully modified and loads an icon, labeled MMS Retrieve onto the phone, explained Chrysaidos.
The impact for the victim is that they can now be remotely tracked and, in the German user's case, the data was sent to a server located in Russia.
Worse still, the attacker has the perfect tool to spread the malware further since the victim granted permission for the app to access their contact list and send SMS texts.
"What makes this especially dangerous is that the SMS spread via OmniRat from the infected device will appear to be from a known and trusted contact of the recipients, making them more likely to follow the link and infect their own device," Chrysalides said.
RATs have been sold online for years, enabling non-technical people to do bad things quietly and from the safety of a remote location, be it activating a device's in-built camera to snap compromising shots of victims, taking screengrabs, copying files or accessing private messages.
Also, OmniRAT is just one of many that can be used to spy on Android or desktop operating systems.
More on security
- ProtonMail coughs up $6000 to stop DDoS attack, DDoS carries on anyway
- BlackBerry Priv has a big flaw: It's a privacy flop
- Security vendor roundup: Symantec Q2 mostly flat, FireEye billings fall short
- How to check if your Android device is vulnerable to attack
- New Android adware hits thousands of apps, can't be removed