Mobile RAT for Android Offered on Darknet Forums
Researchers: 'Rogue' Steals Data, Delivers Other Malware
A recently identified mobile remote access Trojan dubbed "Rogue," which exploits Google's Firebase development platform, targets Android devices to exfiltrate personal data and can deliver other malware, according to the security firm Check Point Research.
The Rogue RAT is being offered for sale or rent in darknet forums, Check Point says in its new report. Once a hacker uses the Trojan, portrayed to victims as a legitimate app, to infect a device, the malware can exfiltrate data, such as photos, location information, contacts and messages. It also can download additional malicious payloads, including mobile ransomware.
"When Rogue successfully gains all of the required permissions on the targeted device, it hides its icon from the device’s user to ensure it will not be easy to get rid of it. If all of the required permissions are not granted, it will repeatedly ask the user to grant them," the Check Point report notes. "If the user tries to revoke the admin permission, an onscreen message designed to strike terror in the heart of the user appears: 'Are you sure to wipe all the data?'"
The Rogue RAT takes advantage of a targeted device's Android Accessibility Services, which are designed to assist users with disabilities, according to the report. These services generally run in the background but can access apps and other components within an Android device. By accessing these services, hackers can gain control over a device without the victim knowing, the report notes.
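A defender-side check for the permission abuse described in the two passages above, added here as an example and not taken from the Check Point report: a small POSIX shell helper that reads the list of enabled accessibility services on an Android device and flags any package not on an allowlist of expected assistive apps. On a real device the raw list comes from `adb shell settings get secure enabled_accessibility_services`, which returns `package/class` entries separated by colons; the package names and allowlist in the demo call below are constructed.

```shell
#!/bin/sh
# Added example (not from the Check Point report): triage helper that lists
# the accessibility services enabled on an Android device and flags any whose
# package is not on an allowlist of assistive apps you expect to hold that
# permission. A RAT that relies on Accessibility Services, as Rogue does,
# shows up here even after it has hidden its launcher icon.
#
# Real-device input for the first argument:
#   adb shell settings get secure enabled_accessibility_services
# which prints entries like "pkg/.Service" separated by ':' (or "null").

# flag_unexpected_a11y SERVICES ALLOWLIST
#   SERVICES  - raw setting value, ':'-separated component names
#   ALLOWLIST - space-separated package names expected to have the permission
# Prints one unexpected package per line; returns 1 if any were found, 0 otherwise.
flag_unexpected_a11y() {
    services="$1"
    allowlist="$2"
    found=0

    # Split the ':'-separated list into positional parameters.
    old_ifs="$IFS"
    IFS=':'
    set -- $services
    IFS="$old_ifs"

    for component in "$@"; do
        # An empty entry or the literal "null" means nothing is enabled.
        if [ -z "$component" ] || [ "$component" = "null" ]; then
            continue
        fi
        pkg="${component%%/*}"   # component is "package/class"; keep the package
        allowed=0
        for ok in $allowlist; do
            [ "$pkg" = "$ok" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$pkg"
            found=1
        fi
    done
    return $found
}

# Demo with constructed values: TalkBack is expected, the second package is not.
if flag_unexpected_a11y \
    'com.android.talkback/.TalkBackService:com.example.unknown/.AccessService' \
    'com.android.talkback'
then
    echo "no unexpected accessibility services"
else
    echo "review the package(s) listed above"
fi
```

The same triage pass should also cover device-administrator apps, since Rogue resists removal through the admin permission; `adb shell dumpsys device_policy` lists the active admins, and any package there that is not the organisation's MDM agent deserves the same scrutiny.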
The developer behind Rogue is offering to rent the malware for as little as $29 a month, according to the Check Point research report. Lifetime access to the mobile RAT is offered for $189.
The report notes the Rogue RAT uses Google's Firebase platform to target and compromise as many Android devices as possible. Firebase, supported by Google Cloud Platform, is designed to help developers scale their applications.
The malware uses Firebase features, such as Cloud Messaging, Realtime Database and Cloud Firestore, as part of the command-and-control infrastructure for uploading data from the infected devices, the researchers determined. Rogue also uses Firebase to disguise its operations, enabling the malware to masquerade as a legitimate Google service app.
Check Point Research says Rogue was designed by a darknet developer called "Triangulum," who developed the Trojan by collaborating with another threat actor named "HexaGoN Dev" who specializes in Android operating system malware. The duo previously collaborated to design other Android malware variants, including cryptominers, keyloggers and phone-to-phone mobile RATs, the report states.
The two threat actors have been selling Rogue since March, the researchers say.
Triangulum, who has been active since 2017, started as an amateur by joining hacking forums, the report notes.
"We have evidence of [Triangulum] being active in recent months. This includes responses in his sale threads, daily check-ins and random chit-chat in various parts of his home darknet forums," Yaniv Balmas, head of cyber research at Check Point Software Technologies, tells Information Security Media Group.
The Check Point researchers note that Triangulum appears to have used source code from two other Android RATs, called Cosmos and Hawkshaw, to create the Rogue malware.
In recent months, other hackers have been using Trojanized applications to target Android devices.
In November, researchers at Kaspersky uncovered a banking Trojan targeting Android devices that had the capability to spy on over 150 apps, including those of banks, cryptocurrency exchanges and fintech firms, as a way to gather credentials and other data (see: Banking Trojan Can Spy on Over 150 Financial Apps).
In September, Kaspersky found source code for the Android mobile banking Trojan Cerberus in Russian circulating in underground forums. The release of this code led to an increase in attacks as well as updates to the malware by other underground developers (see: Attacks Using Cerberus Banking Trojan Surge).