AndroRAT – Remote Access Trojan Targeting Android Devices with an Embedded Root Exploit


A newly discovered variant of the Android remote access trojan AndroRAT targets Android devices by exploiting a publicly reported, critical privilege-escalation vulnerability to obtain root-level access on the targeted phone.

The variant carries an exploit for CVE-2015-1805, a local privilege-escalation flaw in the Linux kernel's pipe implementation (not a remote code execution bug): on any Android device that has not received the fix, the RAT can elevate itself from an ordinary app to root.

Once it has root, it can perform a variety of malicious tasks, such as silent app installation, shell command execution, Wi-Fi password theft and screen capture.

Essentially, RATs on Android, Windows and macOS all follow the same pattern: gain a foothold on the device, then abuse vulnerabilities present on the targeted system to expand their access.

How Does This AndroRAT Variant Work

AndroRAT was originally created as a university project to provide remote access to Android devices, but it has since been adopted by cybercriminals for malicious purposes.

The newly discovered version of AndroRAT is packaged as a malicious utility app known as TrashCleaner that contains an Android root exploit.

It is distributed via malicious links spread through channels such as spam, phishing and social media.

When TrashCleaner runs on the targeted smartphone, it forces the victim to install a Chinese-labeled calculator app that imitates the pre-installed Android calculator.

Once the malicious calculator app is installed on the victim's phone, the TrashCleaner icon disappears and the RAT starts running in the background.

The RAT then communicates with the attacker-controlled command and control (C&C) server and executes the commands it receives to steal sensitive user information.

According to Trend Micro, this version triggers the embedded root exploit only when executing privileged actions. The following malicious actions from the original AndroRAT are performed:

  • Record audio
  • Take photos using the device camera
  • Theft of system information such as phone model, number, IMEI, etc.
  • Theft of WiFi names connected to the device
  • Theft of call logs including incoming and outgoing calls
  • Theft of mobile network cell location
  • Theft of GPS location
  • Theft of contacts list
  • Theft of files on the device
  • Theft of list of running apps
  • Theft of SMS from device inbox
  • Monitor incoming and outgoing SMS

In addition to the original AndroRAT features, it carries out new privileged actions:

  • Theft of mobile network information, storage capacity and whether the device is rooted
  • Theft of list of installed applications
  • Theft of web browsing history from pre-installed browsers
  • Theft of calendar events
  • Record calls
  • Upload files to victim device
  • Use front camera to capture high-resolution photos
  • Delete and send forged SMS
  • Screen capture
  • Shell command execution
  • Theft of WiFi passwords
  • Silently enabling accessibility services to run a keylogger
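The two capability lists above map almost one-to-one onto Android permissions, which gives a quick static triage check for an app posing as a calculator or cleaner. The script below is an added example, not code from Trend Micro or the AndroRAT project: it assumes the permission list was produced with `aapt dump permissions app.apk` (lines of the form `uses-permission: name='android.permission.READ_SMS'`, or `uses-permission: android.permission.READ_SMS` from older aapt builds) and flags an app whose requested permissions would let it carry out most of the capabilities listed. The sample dumps and the threshold are constructed for the example. Keylogging through an accessibility service is declared on the service in the manifest rather than as a uses-permission, so it is deliberately not part of this check.

```python
import re

# Each capability in the lists above, mapped to the Android permission(s)
# an app must request to perform it through the normal framework APIs.
# (Keylogging via an accessibility service is declared on the service in
# the manifest, not as a uses-permission, so it is not detectable here.)
CAPABILITY_PERMISSIONS = {
    "record audio / calls": {"android.permission.RECORD_AUDIO"},
    "camera capture": {"android.permission.CAMERA"},
    "read / monitor SMS": {"android.permission.READ_SMS",
                           "android.permission.RECEIVE_SMS"},
    "send forged SMS": {"android.permission.SEND_SMS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "GPS / cell location": {"android.permission.ACCESS_FINE_LOCATION",
                            "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "calendar events": {"android.permission.READ_CALENDAR"},
    "phone identifiers (IMEI, number)": {"android.permission.READ_PHONE_STATE"},
    "Wi-Fi network names": {"android.permission.ACCESS_WIFI_STATE"},
    "files on device": {"android.permission.READ_EXTERNAL_STORAGE",
                        "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Matches both `uses-permission: name='android.permission.X'` (newer aapt)
# and `uses-permission: android.permission.X` (older aapt). Assumed format.
_PERM_LINE = re.compile(
    r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([A-Za-z0-9_.]+)'?", re.M)


def parse_permissions(aapt_output: str) -> set:
    """Set of permission names requested in an `aapt dump permissions` dump."""
    return set(_PERM_LINE.findall(aapt_output))


def rat_capabilities(aapt_output: str) -> list:
    """Capabilities from the AndroRAT lists that the requested permissions
    would enable, in the order defined in CAPABILITY_PERMISSIONS."""
    perms = parse_permissions(aapt_output)
    return [cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed]


def looks_like_androrat(aapt_output: str, threshold: int = 6) -> bool:
    """Heuristic: one app covering at least `threshold` capability categories
    is far beyond what a calculator or cleaner needs.  The threshold is an
    assumption made for this example, not a rule from Trend Micro."""
    return len(rat_capabilities(aapt_output)) >= threshold


# Constructed sample modelled on aapt output for an app posing as a
# calculator; it is not taken from a real AndroRAT sample.
SAMPLE_CALCULATOR_DUMP = """\
package: com.example.calculator
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.ACCESS_WIFI_STATE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

# Constructed sample in the older aapt format for a genuinely benign app.
SAMPLE_BENIGN_DUMP = """\
package: com.example.realcalc
uses-permission: android.permission.INTERNET
uses-permission: android.permission.VIBRATE
"""

if __name__ == "__main__":
    for name, dump in (("calculator", SAMPLE_CALCULATOR_DUMP),
                       ("benign", SAMPLE_BENIGN_DUMP)):
        print(name, looks_like_androrat(dump), rat_capabilities(dump))
```

The check is a triage aid only: a legitimate messaging or navigation app also asks for several of these permissions, so treat a hit as a reason to pull the APK apart, not as a verdict.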

CVE-2015-1805 was patched by Google in 2016, but Android devices that have not received that fix remain vulnerable to this AndroRAT variant, as do phones that no longer receive security updates at all, which still account for many mobile users, Trend Micro said.
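A practical way to tell whether a given device is in the exposed population is its reported security patch level: Google shipped the CVE-2015-1805 fix under Android Security Advisory 2016-03-18, so a build reporting patch level 2016-03-18 or later carries it. The script below is an added example, not from the original article or Trend Micro. It assumes `adb` is on PATH with an authorized device attached, and parses the output of `adb shell getprop ro.build.version.security_patch`; the parsing and verdict are separated from the adb call so they can be exercised offline on constructed strings. A missing patch level (the property was only introduced in Android 6.0) is treated as exposed on purpose, since those are exactly the devices the article says are still at risk.

```python
import re
import subprocess
from datetime import date
from typing import Optional

# Android Security Advisory 2016-03-18 shipped the fix for CVE-2015-1805;
# builds reporting this patch level or later carry it.
CVE_2015_1805_FIX_LEVEL = date(2016, 3, 18)

_LEVEL_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def patch_level_from_getprop(output: str) -> Optional[date]:
    """Parse `ro.build.version.security_patch` (YYYY-MM-DD) from getprop
    output.  Returns None when the property is empty or absent, as on builds
    before Android 6.0, which never reported a patch level."""
    m = _LEVEL_RE.search(output.strip())
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # malformed value such as 2016-13-40
        return None


def exposed_to_cve_2015_1805(output: str) -> bool:
    """True if the build predates the fix or reports no usable patch level.
    Treating a missing level as exposed is the conservative choice: without
    it there is no evidence the kernel was ever patched."""
    level = patch_level_from_getprop(output)
    return level is None or level < CVE_2015_1805_FIX_LEVEL


def check_connected_device() -> bool:
    """Query the attached device over adb (assumed on PATH and authorized)
    and return the exposure verdict."""
    out = subprocess.run(
        ["adb", "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    ).stdout
    return exposed_to_cve_2015_1805(out)


if __name__ == "__main__":
    print("exposed to CVE-2015-1805" if check_connected_device()
          else "patch level includes the CVE-2015-1805 fix")
```

The patch level is a self-reported string, so a vendor build can claim a level its kernel does not actually match; treat "patched" from this check as a necessary condition, not proof, and confirm on the kernel itself where it matters.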

IOC – SHA256

  • 2733377c14eba0ed6c3313d5aaa51171f6aef5f1d559fc255db9a03a046f0e8f
  • fde9f84def8925eb2796a7870e9c66aa29ffd1d5bda908b2dd1ddb176302eced
  • 2441b5948a316ac76baeb12240ba954e200415cef808b8b0760d11bf70dd3bf7
  • 909f5ab547432382f34feaa5cd7d5113dc02cda1ef9162e914219c3de4f98b6e


Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.