08 August 2012

Android Malware in Luckycat Servers

We know that threat actors take time to study the network environments of their prey. As employees go more and more mobile, the emergence of mobile malware in targeted attacks seems a logical progression. For the past few months, however, this notion has been pure speculation, and we wondered not if, but when, it would happen.


Today, we can say for sure: it has.

At DEFCON, Trend Micro showed for the first time that file infector viruses could be written for Android, and we are now seeing the first tangible evidence that threat actors are expanding their target base by bringing targeted attacks onto mobile platforms. Specifically, while monitoring a Luckycat C&C server, we discovered two APKs that are still in an early stage of development. You will recall the Luckycat report as one of the more comprehensive write-ups of a targeted attack operating inside enterprise networks.

The Android apps we found have RAT-like functionality. They can explore a device to seek out sensitive information, upload that information to remote servers, and download files, which allows them to fetch a newer version of the malware.

A remote shell is also available as one of the commands in the apps, but the current APKs appear incomplete in this regard. Overall, the apps look as if they are still in the early stages of development.

What do these findings mean?

For the BYOD phenomenon, the existence of these apps demonstrates even more vividly the risk of allowing smartphones and tablets to connect to the corporate network in an insecure manner. Mobile devices may be small, handy, and convenient, but they expose users to the same threats that used to be the sole domain of the desktop.

When it comes to targeted attacks, this development suggests that threat actors are actively adapting to the specific network environment trends of their targets, in this case the influx of mobile devices into corporate networks. In the paper, we also touch on SABPUB, a Mac malware used in the Luckycat campaign, even though the Mac has long been considered an “alternative” OS that cybercriminals overlook in favor of Windows.

Read about this finding in the paper Adding Android and Mac OS X Malware to the APT Toolbox, authored by our researchers Nart Villeneuve, Ben April, and Xingqi Ding.


AbhiShek SinGh
Founder of 'TheHackingArticles'. Cyber Security Analyst, Cyber Security Researcher, and Software Engineer.