With the worldwide popularity of Android and its open-source software, hackers have an increased incentive and opportunity to orchestrate attacks. A Google search for “Android malware” brings up headlines like these, all from the past few days or weeks:
SecurityScorecard recently analyzed a specific threat known as the AhMyth RAT (remote access trojan), which made headlines for infiltrating a popular screen recording app on the Google Play Store. Note: The version we analyzed is not the same as the one used in that attack, but they share most of the same functionalities since they’re both based on the AhMyth RAT.
This particular RAT will likely be used in future attacks, which underscores the goal of this post: to help the security community comprehend and mitigate this looming threat.
Our approach to analyzing AhMyth RAT can also serve as a guideline for analyzing other malicious APK (Android Package Kit) files.
You can find SecurityScorecard’s full analysis of the AhMyth RAT here.
Main findings and RAT capabilities
AhMyth is an open-source Android RAT freely available on GitHub. Unsurprisingly, malicious actors seized the opportunity and quickly began using it to orchestrate attacks.
The malicious application covered in SecurityScorecard’s whitepaper was analyzed using jadx, which produced the Java source code from the APK file. As indicated in the Sandbox report, the application impersonates Google Play, the official online marketplace for Android apps.
The file “AndroidManifest.xml” is the central place where developers declare essential information about their application to the Android system, including the permissions that the application requests. Here are the requested permissions for this application:
The malware has registered to receive the BOOT_COMPLETED intent to achieve persistence on the phone. BOOT_COMPLETED is used if developers want their app to run code every time the system finishes booting.
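The manifest check described above can be scripted for triage. The following is an added example, not code from the whitepaper or from AhMyth: it reads a decoded AndroidManifest.xml (as produced by jadx), lists receivers registered for BOOT_COMPLETED, and reports the permissions that gate contacts, SMS, microphone and location access. The sample manifest, its package and class names, and the review threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Permissions that gate the data access described in this post.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample; package and class names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def triage_manifest(xml_text, min_sensitive=3):
    """Summarise persistence and data-access signals in a decoded manifest."""
    # The manifest comes from an untrusted APK; parse it on an analysis host.
    root = ET.fromstring(xml_text.strip())
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    boot_receivers = [
        r.get(NS + "name") for r in root.iter("receiver")
        if any(a.get(NS + "name") == BOOT_ACTION for a in r.iter("action"))
    ]
    sensitive = sorted(requested & SENSITIVE)
    return {
        "package": root.get("package"),
        "boot_receivers": boot_receivers,
        "sensitive_permissions": sensitive,
        # Assumed heuristic: boot persistence plus several sensitive permissions.
        "needs_review": bool(boot_receivers) and len(sensitive) >= min_sensitive,
    }

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A positive result is only a prompt for manual review of the decompiled code, since legitimate apps can request the same combination.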
The image below shows that the application is based on the open-source AhMyth RAT:
Let’s look at some of the malicious code the application contains to exfiltrate data.
The RAT retrieves the phone contacts and constructs a JSON file that contains all of them:


JSON (JavaScript Object Notation) is a text format that is easy for humans to understand and for machines to generate. It’s often used to send and receive data from a web API or to store structured data locally.
The application retrieves all Inbox SMS messages from “content://sms/inbox”:
Additional capabilities include:
- Sending SMS messages
- MP3 recording of the device’s microphone
- GPS location extraction, etc.
Read the whitepaper for the full details of our analysis.
How to protect your organization from Android malware
Organizations are increasingly adopting a remote working culture, which usually comes with a BYOD (Bring Your Own Device) policy that allows employees to use their personal devices for work-related activities.
Follow these best practices to ensure employee devices remain secure with minimal oversight from your organization:
- Implement a robust Mobile Device Management (MDM) policy to monitor, manage, and secure employees’ mobile devices.
- Regularly update all devices to the latest software version, as updates often include security patches.
- Install applications exclusively from trusted sources to avoid malicious apps.
- Use strong, unique passwords and enable two-factor authentication wherever possible.
- Invest in reputable antivirus software specifically designed for Android devices.
- Train staff on safe online behaviors, making them aware of phishing scams and suspicious links.
Investigate potential phone intrusions with SecurityScorecard
SecurityScorecard’s Digital Forensics solutions can help your organization extract and recover information and data from mobile devices, including phone calls, chat messages, images, videos, and hidden artifacts. By conducting both static and dynamic analysis, we can dissect and understand attacks, eliminate infection effectively, and examine malware behavior.
If you’ve been involved in a mobile device attack or suspect a breach, request a consultation with a Digital Forensics expert now.