06:20 PM
Connect Directly

Android DroidJack Malware Spreading Via 'Over-The Top' Services

RAT finding new ways to spread that work around carrier and phone defenses.

In a sign that malware developers are keeping up the full-court press with ingenuity in obfuscating their attacks, the powerful Android DroidJack remote access tool (RAT) was shown today to employ a new means of distribution: via so-called over the top (OTT) carrier services.

According to a report out by AdaptiveMobile, the makers of DroidJack are doing an end around of mobile carrier and on-device protections by spreading it through OTT services. OTT, which includes heavy-hitting services like Microsoft's Skype or Facebook's WhatsApp services, has grown in proliferation as mobile APIs and integration have advanced in recent years. Whether through commercial or custom-built services, the over-the-top model offers users an alternate means of routing calls or SMS messages over the Internet, rather than through their mobile carrier.

In this particular attack campaign, DroidJack was spread via SMS messages sent through the OTT carrier to unsuspecting subscribers of its services. The malicious message contains links to an APK file and users were tricked into clicking the link with the lure of a "new MMS" waiting for them to view.

Researchers from AdaptiveMobile didn't name names as to exactly which OTT carrier is being leveraged in this DroidJack attack, but they did warn that it is one among several signs that attackers are learning to take better advantage of OTT carriers and their subscribers as another profitable channel for taking over mobile devices.

"We’ve recently reported on an increase in spam messages coming from OTT accounts, as criminals are already using this bearer to send the majority of spam in North America," the AdaptiveMobile team wrote. "With the success of criminals sending spam through OTT carriers, we could be seeing a move by malware authors to follow suit and try their luck. As security controls become tighter and mobile operators work to identify and block attacks on mobile networks, bad actors are using a variety of methods and moving to different bearers."

DroidJack is hardly a sophisticated piece of malware, according to AdaptiveMobile in its analysis. Nevertheless, this latest discovery is just one that shows it is it is a good bellwether for mobile infection trends of late. In addition to the OTT attack channel, DroidJack was also found by researchers with Proofpoint to have been spread last month by a side load attack through a backdoored version of the Android Pokemon Go app. 



Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
New 'Mac-A-Mal' Tool Automates Mac Malware Hunting & Analysis
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/14/2018
IoT Product Safety: If It Appears Too Good to Be True, It Probably Is
Pat Osborne, Principal - Executive Consultant at Outhaul Consulting, LLC, & Cybersecurity Advisor for the Security Innovation Center,  3/12/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.