Android RAT impersonates Kaspersky Mobile Security
Posted on 05.08.2014
A clever malware delivery campaign impersonating well-known AV vendor Kaspersky Lab is actively targeting Polish Android users.

It all starts with a spam email sporting the firm's logo and warning users that a "virus" designed to steal SMS codes (mTANs) used to authorize transfers has been detected on their phones.

The email claims that the scanning of the phone was done by Kaspersky Lab, which has been commissioned to do so by the users' bank. "To prevent theft of cash from your account, please promptly install Kaspersky Mobile Security Antivirus on your mobile device," it urges, and apparently helpfully offers the security solution in the attachment.

Unfortunately, the attached file - Kaspersky_Mobile_Security.apk - is not a security solution, but a variant of the Android SandroRAT, whose source code was made available for sale on online forums late last year.

This malware can steal the users' contact list, SMS messages, browser history, bookmarks, and GPS location. It can also intercept incoming calls and text messages, send text messages, update itself and download additional malware, use the phone's microphone to record surrounding sounds, and more.

"A novel functionality of this threat is its ability to access the encrypted Whatsapp chats and obtain the unique encryption key using the Google email account of the device to get the chats in plain text and store them in the file," McAfee researchers revealed. This functionality does not work if the user has the latest version of the popular app.

"Spam campaigns (via SMS or email) are becoming a very popular way to distribute Android malware," the researchers warn. "This attack gains credence with the appearance of a bank offering security solutions against banking malware, a typical behavior of legitimate banks."

