Authors: Tianfang Guo, Jinjian Zhai
A few days ago, Lukas Stefanko from ESET discovered a new Remote Access Tool (RAT) that was disguised as a music app and uploaded to Google Play.
Once a victim installed it, the RAT could be activated by a remote attacker's command at any time and carry out a series of malicious behaviors, including:
- Retrieving call log/contacts/SMS/location
- Uploading/downloading/removing arbitrary files
- Sending SMS to subscribe fee-based services
- Turning your phone into a spy camera
What makes this RAT special is that it uses Baidu's push notification service for command and control, instead of a dedicated command and control server and HTTP traffic.
Push notifications on Android are delivered through a third-party service provider. Google Cloud Messaging (GCM) is the most commonly used one; it is free and used by millions of apps. Baidu's Cloud Push service is the Chinese counterpart of GCM (GCM itself is not accessible in mainland China). Apparently, the attacker has bet that Baidu won't interfere with his business.
Using a notification service for command and control is quite a new approach for a RAT, because of these advantages:
- No need for server side – Baidu’s server will take care of everything, from command console to push service.
- Hard to detect – the network traffic is indistinguishable from normal push notifications
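Because the C2 traffic blends in with ordinary push notifications, network-level detection is weak and the more practical check is a static one: does the app register a push-notification receiver while also declaring the permissions needed for the behaviors listed above (call log, contacts, SMS, location, camera, file access)? The following script is an added example written for this post, not code from the original article or from ESET. It parses an AndroidManifest.xml and flags that combination. The GCM intent action prefix is the real one; the Baidu action prefix and the two sample manifests are constructed assumptions for illustration, not values taken from the malware.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that correspond to the capabilities described in the post.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.WRITE_EXTERNAL_STORAGE": "file access",
}

# Intent action prefixes that identify push-notification receivers.
# The GCM prefix is real; the Baidu prefix is an ASSUMED placeholder.
PUSH_ACTION_PREFIXES = (
    "com.google.android.c2dm.intent.",   # GCM
    "com.baidu.android.pushservice.",    # assumed, for illustration only
)

# Flag when a push receiver is present together with at least this many
# distinct sensitive capabilities (threshold chosen for this example).
FLAG_THRESHOLD = 3


def analyze_manifest(xml_text):
    """Return a triage summary for one AndroidManifest.xml document."""
    root = ET.fromstring(xml_text)

    declared = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    capabilities = sorted(
        SENSITIVE_PERMISSIONS[p] for p in declared if p in SENSITIVE_PERMISSIONS
    )

    # A receiver whose intent filter listens for a push action is how an
    # app gets woken up by the push service, i.e. the C2 entry point here.
    push_receivers = []
    for receiver in root.iter("receiver"):
        actions = (a.get(NAME_ATTR, "") for a in receiver.iter("action"))
        if any(act.startswith(PUSH_ACTION_PREFIXES) for act in actions):
            push_receivers.append(receiver.get(NAME_ATTR))

    flagged = bool(push_receivers) and len(capabilities) >= FLAG_THRESHOLD
    return {
        "package": root.get("package"),
        "push_receivers": push_receivers,
        "capabilities": capabilities,
        "flagged": flagged,
    }


# Constructed sample: a "music player" that also wants call log, SMS,
# location, camera and storage, and registers a push receiver.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.musicplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <receiver android:name="com.example.musicplayer.PushReceiver">
      <intent-filter>
        <action android:name="com.baidu.android.pushservice.action.MESSAGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: a music app that uses GCM only for ordinary
# notifications and asks for nothing sensitive.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benignplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application>
    <receiver android:name="com.example.benignplayer.GcmReceiver">
      <intent-filter>
        <action android:name="com.google.android.c2dm.intent.RECEIVE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(analyze_manifest(text))
```

A push receiver on its own is normal for any app with notifications, which is why the script only flags the combination with several sensitive capabilities; a real triage pipeline would additionally compare the requested permissions against the app's declared store category, since a music player has no plausible need for the call log or the camera.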
Despite the Elven Path blog post, this app has been on Google Play for nearly 6 months and can still be downloaded from some third-party app markets. The submission to VirusTotal in Oct 2014 was very likely made by the malware writer as a pre-release test of whether AV products would detect it. No antivirus could detect it at that time, due to the lack of behavior-based mobile threat protection solutions.
A successful disguise and an innovative communication channel: that is how a piece of malware can survive for an impressively long time. We'll keep watching for this kind of threat and post updates on our blog.
Special thanks to Steven Chen for providing us with the sample.