DroidJack RAT spreads through infected Pokémon GO APK.
Popular mobile games are a productive attack vector for cybercriminals, and the Pokémon GO Android augmented-reality game released last week is the latest proof of this.
The first Pokémon game sanctioned by Nintendo for iOS and Android devices was released in Australia and New Zealand on July 4 and landed in the United States on July 6, but the rest of the world has not yet received it through official channels. Three days after arriving in the US, Pokémon GO had become one of the most used applications in the Google Play Store, SimilarWeb data shows.
For cybercriminals this was a great opportunity, and they were quick to take advantage of it: a modified Pokémon GO APK carrying the malicious remote access tool (RAT) known as DroidJack was spotted less than 72 hours after the game's official release. The attackers were targeting users outside the three launch regions, who were expected to turn to third-party portals to get the game.
It is not uncommon for users to turn to third-party sites to obtain an application or game that is not available in their region, especially when many publications provide detailed instructions on how to side-load it. However, applications downloaded from unofficial portals often carry hidden risks, which is the main reason users are always warned against this practice.
In the case of Pokémon GO, the attackers moved very fast: they created a malicious APK within three days of the initial launch, riding the hype surrounding the official game. However, anyone installing this package from a third-party site could have been alerted to its malicious nature by paying close attention to the requested permissions.
The APK carrying the DroidJack (also known as SandroRAT) malware requested unusual permissions during installation, Proofpoint researchers explain. These include permission to read and edit text messages, make phone calls, record audio, edit contacts, read web bookmarks and browsing history, connect to Wi-Fi, and run at startup.
All these permissions line up with the functionality associated with DroidJack, a mobile threat that has been around since 2014. The Trojan can steal the user's messages, call logs, contacts, browser history and list of installed applications, and can also execute remote commands such as taking pictures, recording video calls, sending SMS and more.
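The permission list above is the kind of signal a reviewer can check mechanically before installing a side-loaded package. The following script is an added example, not code from Proofpoint or from the article: it maps the capabilities described above (SMS, calls, audio, contacts, browser history, Wi-Fi, run at boot) to the standard Android permission names and flags a manifest that asks for most of them. It assumes the manifest has already been decoded to plain XML (for instance with apktool); the two sample manifests are constructed for the example.

```python
"""Flag an Android manifest whose requested permissions match the DroidJack
capability profile described in the article (SMS, calls, audio, contacts,
browser history, Wi-Fi, run at boot). Added example; assumes a manifest
already decoded to plain XML. Sample manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permission names grouped by the capability they enable,
# one group per capability the article attributes to the malicious APK.
RAT_PROFILE = {
    "read/edit SMS": {"android.permission.READ_SMS", "android.permission.WRITE_SMS",
                      "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
    "make phone calls": {"android.permission.CALL_PHONE"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "edit contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "read web history/bookmarks": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS",
                                   "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"},
    "connect to Wi-Fi": {"android.permission.ACCESS_WIFI_STATE", "android.permission.CHANGE_WIFI_STATE"},
    "run at startup": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name="..."> entry in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def rat_capabilities(manifest_xml: str) -> dict:
    """Return {capability: sorted matching permissions} for each capability group hit."""
    perms = requested_permissions(manifest_xml)
    return {cap: sorted(perms & names) for cap, names in RAT_PROFILE.items() if perms & names}


def looks_like_rat(manifest_xml: str, threshold: int = 4) -> bool:
    """A game has no business asking for most of these; flag when many groups are hit.
    The threshold is a tunable assumption, not a published rule."""
    return len(rat_capabilities(manifest_xml)) >= threshold


# Constructed sample: a "game" that asks for the permission set the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

# Constructed sample: what a location-based game plausibly needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    for cap, names in rat_capabilities(SAMPLE_MANIFEST).items():
        print(f"{cap}: {', '.join(names)}")
    print("verdict:", "suspicious" if looks_like_rat(SAMPLE_MANIFEST) else "ok")
```

Grouping by capability rather than counting raw permissions keeps the verdict readable and avoids double-counting one capability (for example READ_SMS and WRITE_SMS) as two independent signals.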
Released on Google Play as an Android app in 2013, DroidJack was originally designed as a legitimate application that allowed users to control their computer from an Android device. SandroRAT first appeared in December 2013 on a hacker forum, but the DroidJack version was announced in June 2014 and was offered on its own website for $210 for a lifetime package, Symantec researchers showed in November 2014.
In October 2015, European law enforcement agencies conducted coordinated raids on suspected DroidJack users who had bought the malware and used it in 2014 and 2015. In November 2015, researchers analyzed OmniRAT, an Android tool which, like DroidJack, was originally designed as a legal application for remotely managing Android devices but later turned malicious.
According to Proofpoint, the Pokémon GO game was modified in a way meant to trick users into believing they had installed the real game, and both versions have the same start screen. The good news is that the APK was not observed in the wild, although the researchers did find it in a malicious file repository service.
Security researchers also explain that the DroidJack RAT is configured to communicate with a command and control (C&C) domain, pokemon[.]no-ip[.]org, over TCP and UDP port 1337. The C&C domain resolved to a Turkish IP address (88.233.178[.]130), the researchers said, adding that the IP was not accepting connections from infected devices at the time of analysis.
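The indicators above (the C&C host name, its IP, and port 1337 over TCP and UDP) are exactly what a network defender would sweep DNS and connection logs for. The script below is an added example, not tooling from Proofpoint or from the article: it refangs the published indicators, matches them against a simple line-oriented log format, and grades each hit. The log format and all sample lines are constructed for this example; the indicator values are the ones the article reports.

```python
"""Sweep constructed DNS/connection log lines for the C&C indicators the
article reports (pokemon[.]no-ip[.]org, 88.233.178[.]130, TCP/UDP 1337).
Added example; the log format and sample lines are constructed."""
import re

# Indicators as published (defanged); refang() restores them for matching.
C2_DOMAIN = "pokemon[.]no-ip[.]org"
C2_IP = "88.233.178[.]130"
C2_PORT = 1337
C2_PROTOS = {"tcp", "udp"}


def refang(ioc: str) -> str:
    """Turn the defanged '[.]' notation back into a real dotted name or address."""
    return ioc.replace("[.]", ".")


# Constructed log format, one event per line:
#   <timestamp> <src-host> conn <dst-ip> <proto>/<port>
#   <timestamp> <src-host> dns  <queried-name>
CONN_RE = re.compile(r"^(\S+) (\S+) conn (\S+) (tcp|udp)/(\d+)$")
DNS_RE = re.compile(r"^(\S+) (\S+) dns (\S+)$")


def match_line(line: str):
    """Return a hit dict for a line that touches a C&C indicator, else None."""
    line = line.strip()
    m = CONN_RE.match(line)
    if m:
        ts, src, dst, proto, port = m.groups()
        if dst != refang(C2_IP):
            return None
        # Any connection to the C&C address is worth a look; the published
        # port/protocol pair is the high-confidence match.
        on_c2_port = proto in C2_PROTOS and int(port) == C2_PORT
        return {"ts": ts, "host": src, "type": "c2-connection",
                "ioc": f"{dst} {proto}/{port}",
                "confidence": "high" if on_c2_port else "medium"}
    m = DNS_RE.match(line)
    if m:
        ts, src, name = m.groups()
        if name.rstrip(".").lower() == refang(C2_DOMAIN):
            return {"ts": ts, "host": src, "type": "c2-dns-lookup",
                    "ioc": name, "confidence": "high"}
    return None


def scan(lines):
    """Return every hit, in log order."""
    return [hit for hit in map(match_line, lines) if hit]


def affected_hosts(lines) -> set:
    """Hosts that need triage: anything with at least one hit."""
    return {hit["host"] for hit in scan(lines)}


# Constructed sample log: one clean host and one that resolves and contacts the C&C.
SAMPLE_LOG = """\
2016-07-08T09:15:01Z 10.0.0.21 dns play.googleapis.com
2016-07-08T09:15:02Z 10.0.0.21 conn 172.217.0.46 tcp/443
2016-07-08T09:16:10Z 10.0.0.34 dns pokemon.no-ip.org
2016-07-08T09:16:11Z 10.0.0.34 conn 88.233.178.130 tcp/1337
2016-07-08T09:16:12Z 10.0.0.34 conn 88.233.178.130 udp/1337
2016-07-08T09:17:00Z 10.0.0.34 conn 88.233.178.130 tcp/80
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['host']} {hit['type']} {hit['ioc']} [{hit['confidence']}]")
    print("hosts to triage:", sorted(affected_hosts(SAMPLE_LOG)))
```

Because the article notes the IP was not accepting connections during analysis, a DNS lookup for the domain is often the only artifact an infected device leaves, which is why the DNS match is graded as high confidence on its own.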
Although the infected Pokémon GO APK was not observed in live attacks, it is a good example of why users should always download applications only from trusted sources. Cybercriminals closely follow app and game trends and naturally prey on their popularity to carry out their nefarious activities.
"Installing apps from third-party sources, other than officially vetted and authorized corporate app stores, is never recommended. Official and corporate app stores have procedures and algorithms for verifying the security of mobile applications, whereas side-loading applications from other, often dubious sources exposes users and their mobile devices to a variety of malicious software," the Proofpoint researchers say.