Researchers at Lookout have identified a mobile trojan called xRAT with extensive data collection functionality and the ability to remotely run a suicide function to avoid detection. The malware is associated with the high-profile Xsser / mRAT malware, which made headlines after targeting both iOS and Android devices of pro-democracy Hong Kong activists in late 2014.
xRAT has many similarities with mRAT: it has the same structure and uses the same decryption key. Analysis of the code revealed that both malware families use the same naming conventions, which suggests that both malicious codes were developed by the same threat actor.
According to researchers from security firm Lookout, the command and control (C&C) servers used for the xRAT malware are the same as those used by a Windows malware, a circumstance that suggests the threat actor is composed of experienced experts.
xRAT supports an impressive set of capabilities that include flexible reconnaissance and information gathering, detection evasion, specific checks for antivirus software, and app and file deletion functionality. It also searches for data belonging to popular communications apps like QQ and WeChat.
Listed below are the types of data gathered by xRAT and features that enable it to perform reconnaissance, run remote code, and exfiltrate data from Android devices:
To avoid detection, xRAT implements a “suicide” function that can be triggered to remove the installation from the infected mobile device.
The developers behind xRAT created an alert system that flags to the malware operator whether any of the following antivirus applications are present on a compromised device.
xRAT can be remotely instructed to perform a wide range of deletion operations, such as removing large portions of a device or attacker-specified files like images from certain directories on the SDCard, all apps and data from /data/data/, and all system apps from /system/app/.
Most of the C&C infrastructure used by xRAT in the past was based in China, but samples recently analyzed by the company point to servers located in the United States.
As noted above, the C&C infrastructure also controlled a Windows malware. The experts also noticed a malicious executable named MyExam, which means that “the actors behind this family may be continuing to target students, similar to how attackers used mRAT during the protests in 2014.”