Iranian VXers unleash RATs to bite popular Android devices

Future threat researcher Rodrigo Bijou says Iranian hackers have made Android a priority for attacks with remote access trojans.

The San Francisco consultant says attackers are preferring AndroRAT and DroidJack over common trojans like njRAT and DarkComet.

Android is the most popular mobile OS in the Middle East and Africa, where it runs on more than 80 percent of devices according to number crunchers at IDC.

Bijou (@rodrigobijou) says he learned of the attack trend after assessing six months' worth of chatter on underground crime forums.

"Looking at the last six months of activity on prominent Iranian hacking forums, discussions are dominated by interest in RATs that target Android devices," Bijou says.

"The sustained Iranian interest in [the older] AndroRAT, despite its age and declining chatter from other sources, could be due to the easy download access, including GitHub repositories, and available community support for deploying the malware.

"The two RATs in particular, AndroRAT and DroidJack, are likely popular among hacking forum members due to the same reasons as njRAT – open access to download or purchase, strong community support, and ease of use."

DroidJack is reckoned to be the handiwork of several developers based in Chennai, India.

Bijou says the malware sports dozens of features, including interception of SMS, contacts, call logs, and browser histories along with credential-snatching.

Both remote access trojans can be woven into legitimate-looking apps to trick victims into installing it.

The popularity of the malware stands in contrast to other crimeware favoured on other underground sites.

Bijou reckons malware targeting Android in the region will only increase. ®