Several recent developments in mobile malware are conspiring to raise the threat level for Android users, making it easier for attackers to convert legitimate applications into malicious apps and to undermine the technology that security experts use to tell the difference.
Last week, Symantec warned about a new malware toolkit or “binder” designed to Trojanize legitimate Android apps with a backdoor that lets miscreants access infected mobile devices remotely. Binders have been around in a variety of flavors for many years, but they typically are used to backdoor Microsoft Windows applications.
Symantec notes that the point-and-click Androrat APK Binder is being used in conjunction with an open-source remote access Trojan for Android devices called called AndroRAT. “Like other RATs, it allows a remote attacker to control the infected device using a user friendly control panel,” Symantec’s Andrea Lelli wrote. “For example, when running on a device, AndroRAT can monitor and make phone calls and SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files stored on the device.”
The company said while it has detected only a few hundred AndroRAT infections worldwide, but that it expects that number increase as more tools for AndroRAT like the APK binder emerge.
Perhaps more worryingly, Symantec said this week that it had discovered two malicious Android apps in the wild that take advantage of a newly discovered and potentially quite serious security hole in Android applications. As first outlined roughly two weeks ago by researchers at BlueBox Security, the so-called “Master Key” vulnerability could let attackers convert almost any Android application into a Trojan, all without altering its cryptographic digital signature. Android uses these signatures to determine if an app is legitimate and to verify that an app hasn’t been tampered with or modified.