Endpoint

8/15/2016
06:20 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Android DroidJack Malware Spreading Via 'Over-The Top' Services

RAT finding new ways to spread that work around carrier and phone defenses.

In a sign that malware developers are keeping up the full-court press with ingenuity in obfuscating their attacks, the powerful Android DroidJack remote access tool (RAT) was shown today to employ a new means of distribution: via so-called over the top (OTT) carrier services.

According to a report out by AdaptiveMobile, the makers of DroidJack are doing an end around of mobile carrier and on-device protections by spreading it through OTT services. OTT, which includes heavy-hitting services like Microsoft's Skype or Facebook's WhatsApp services, has grown in proliferation as mobile APIs and integration have advanced in recent years. Whether through commercial or custom-built services, the over-the-top model offers users an alternate means of routing calls or SMS messages over the Internet, rather than through their mobile carrier.

In this particular attack campaign, DroidJack was spread via SMS messages sent through the OTT carrier to unsuspecting subscribers of its services. The malicious message contains links to an APK file and users were tricked into clicking the link with the lure of a "new MMS" waiting for them to view.

Researchers from AdaptiveMobile didn't name names as to exactly which OTT carrier is being leveraged in this DroidJack attack, but they did warn that it is one among several signs that attackers are learning to take better advantage of OTT carriers and their subscribers as another profitable channel for taking over mobile devices.

"We’ve recently reported on an increase in spam messages coming from OTT accounts, as criminals are already using this bearer to send the majority of spam in North America," the AdaptiveMobile team wrote. "With the success of criminals sending spam through OTT carriers, we could be seeing a move by malware authors to follow suit and try their luck. As security controls become tighter and mobile operators work to identify and block attacks on mobile networks, bad actors are using a variety of methods and moving to different bearers."

DroidJack is hardly a sophisticated piece of malware, according to AdaptiveMobile in its analysis. Nevertheless, this latest discovery is just one that shows it is it is a good bellwether for mobile infection trends of late. In addition to the OTT attack channel, DroidJack was also found by researchers with Proofpoint to have been spread last month by a side load attack through a backdoored version of the Android Pokemon Go app. 

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Are you sure this is how we get our data into the cloud?
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14633
PUBLISHED: 2018-09-25
A security flaw was found in the chap_server_compute_md5() function in the ISCSI target code in the Linux kernel in a way an authentication request from an ISCSI initiator is processed. An unauthenticated remote attacker can cause a stack buffer overflow and smash up to 17 bytes of the stack. The at...
CVE-2018-14647
PUBLISHED: 2018-09-25
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming larg...
CVE-2018-10502
PUBLISHED: 2018-09-24
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Samsung Galaxy Apps Fixed in version 4.2.18.2. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exist...
CVE-2018-11614
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to escalate privileges on vulnerable installations of Samsung Members Fixed in version 2.4.25. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists wit...
CVE-2018-14318
PUBLISHED: 2018-09-24
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S8 G950FXXU1AQL5. User interaction is required to exploit this vulnerability in that the target must have their cellular radios enabled. The specific flaw exists within the handling of ...