Your Android device is now being hit by a new wave of malware attacks — including one you might unsuspectingly download from the Google Play Store, reports Stealthcare in its latest “Cyber Intelligence Alert” delivered weekly to the firm’s cybersecurity and threat assessment clients.
Jeremy Samide, Stealthcare CEO, warned: “Android is an attractive target since it is the dominant operating system globally and many of its users run outdated versions on their smartphones, tablets and other devices. At minimum, update your OS to protect your devices from this and variants we expect to see in the near future.”
Stealthcare emphasizes threat assessment as an essential cybersecurity component so that organizations can play offense in the increasingly sophisticated cyberwar. It introduced a new cybersecurity and threat assessment platform called 'Zero Day Live' in 2017.
Here's how HeroRAT works: “We initially observed the malware HeroRAT being distributed to those wishing to gain control over Android devices. This is a Remote Access Trojan that abuses the Telegram protocol so that hackers can gain command and control (C2) for data exfiltration. By using Telegram for C2 the hackers avoid detection because the traffic is between the user and trusted upload servers.”
Samide warned clients: “Although the malware’s source code is publicly available, disreputable operators offer paid models which include customer support. HeroRAT works on all Android versions but requires the victim to accept permissions that include gaining administrator privileges. The hackers rely on various attack vectors including third-party applications, social media and messaging.”
Samide, who has supported the US Department of Defense, intelligence community and federal law enforcement agencies, continued: “Protecting widely deployed operating systems like Android from hackers of all types is not an easy task but we have to take the gloves off and fight back.”
Additionally, the Advanced Battery Saver application you can download from the Google Play Store is laced with functionality to steal information and silently click advertisements.
“The app propagates via pop-up messages that redirect users to its Play Store landing page. Ironically, it does perform legitimate battery-saving functions,” Samide said, adding: “The ad-clicking component is obviously designed to generate revenue for the operators, but it remains unknown how the operators plan to leverage stolen information from the over 60,000 users who have so far been infected.”
Through cyber intel sources, machine learning, tradecraft and other methods, Stealthcare traces malware during its early development to learn when it is going to be traded or sold and how soon it will be weaponized and deployed to those with ill intent. It has found that, during times of high international tensions, malware attacks often emerge from state actors such as China, North Korea, Iran and Russia as well as from their sympathizers.