Endpoint

8/15/2016
06:20 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Android DroidJack Malware Spreading Via 'Over-The Top' Services

RAT finding new ways to spread that work around carrier and phone defenses.

In a sign that malware developers are keeping up the full-court press with ingenuity in obfuscating their attacks, the powerful Android DroidJack remote access tool (RAT) was shown today to employ a new means of distribution: via so-called over the top (OTT) carrier services.

According to a report out by AdaptiveMobile, the makers of DroidJack are doing an end around of mobile carrier and on-device protections by spreading it through OTT services. OTT, which includes heavy-hitting services like Microsoft's Skype or Facebook's WhatsApp services, has grown in proliferation as mobile APIs and integration have advanced in recent years. Whether through commercial or custom-built services, the over-the-top model offers users an alternate means of routing calls or SMS messages over the Internet, rather than through their mobile carrier.

In this particular attack campaign, DroidJack was spread via SMS messages sent through the OTT carrier to unsuspecting subscribers of its services. The malicious message contains links to an APK file and users were tricked into clicking the link with the lure of a "new MMS" waiting for them to view.

Researchers from AdaptiveMobile didn't name names as to exactly which OTT carrier is being leveraged in this DroidJack attack, but they did warn that it is one among several signs that attackers are learning to take better advantage of OTT carriers and their subscribers as another profitable channel for taking over mobile devices.

"We’ve recently reported on an increase in spam messages coming from OTT accounts, as criminals are already using this bearer to send the majority of spam in North America," the AdaptiveMobile team wrote. "With the success of criminals sending spam through OTT carriers, we could be seeing a move by malware authors to follow suit and try their luck. As security controls become tighter and mobile operators work to identify and block attacks on mobile networks, bad actors are using a variety of methods and moving to different bearers."

DroidJack is hardly a sophisticated piece of malware, according to AdaptiveMobile in its analysis. Nevertheless, this latest discovery is just one that shows it is it is a good bellwether for mobile infection trends of late. In addition to the OTT attack channel, DroidJack was also found by researchers with Proofpoint to have been spread last month by a side load attack through a backdoored version of the Android Pokemon Go app. 

 

 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20173
PUBLISHED: 2018-12-17
Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API.
CVE-2017-18352
PUBLISHED: 2018-12-17
Error reporting within Rendertron 1.0.0 allows reflected Cross Site Scripting (XSS) from invalid URLs.
CVE-2017-18353
PUBLISHED: 2018-12-17
Rendertron 1.0.0 includes an _ah/stop route to shutdown the Chrome instance responsible for serving render requests to all users. Visiting this route with a GET request allows any unauthorized remote attacker to disable the core service of the application.
CVE-2017-18354
PUBLISHED: 2018-12-17
Rendertron 1.0.0 allows for alternative protocols such as 'file://' introducing a Local File Inclusion (LFI) bug where arbitrary files can be read by a remote attacker.
CVE-2017-18355
PUBLISHED: 2018-12-17
Installed packages are exposed by node_modules in Rendertron 1.0.0, allowing remote attackers to read absolute paths on the server by examining the "_where" attribute of package.json files.