AVPasser: When Widespread Malware Adopts Targeted Attack Capabilities

We’d like to draw your attention to another new Chinese malware for Android, named AVPasser. AVPasser looks like an advanced mRAT (Mobile Remote Access Trojan) and was first discovered by Chinese researchers.

Our own follow-up research revealed a very interesting capability – self uninstall – a feature that is generally considered to be unique to targeted attacks. This self-uninstall capability is one of the first examples of mass malware adopting techniques from advanced targeted attacks.

Advanced targeted attacks have always operated very differently to simple malware:
• Self-Preservation techniques
• Remote Updating
• Stealth Capabilities
• Ability to operate in different kinds of surroundings.
The fact that malware, available to almost any attacker, is starting to behave in a similar fashion requires a new level of care when protecting enterprise devices.

Background
Before we get to that, let’s do a quick run through of AVPasser’s properties. The victim receives the app as any 3rd party app (e.g. as an email attachment, or through a secondary marketplace). The installation method itself isn’t too advanced: the user has to install the seemingly innocent app and then open one of the 3 new app icons that appear on their screen. This installs the malicious part of AVPasser while simultaneously deleting the 3 icons.

Once installed, AVPasser has the capability to:
• Record audio – both from calls and room audio.
• Take Pictures
• Collect GPS Location data
• Collect SMS Messages
• Monitor Phone State
The data is then relayed back to a server with a Chinese I.P. address.

The Unique Capability: Self-Uninstall
Lacoon’s researchers found that AVpasser’s final capability is its most intriguing one: it can uninstall itself (completely wipe itself from the memory). This does require root permissions, which AVpasser doesn’t seem to possess.

Remote uninstalling has always been an important part of advanced targeted attacks – where both initial discovery and subsequent investigations are very dangerous to the attacker. Comparatively, widespread malware developers and attackers have never really cared about being discovered.

AVPasser: Adopting Practices from Advanced Malware

As we mentioned, this is a sign that widespread malware is adopting more sophisticated, “targeted”, behavior. Our research showed that AVpasser doesn’t possess the capability to supply itself with root permissions. The seems odd due to the fact that some of its methods (including uninstalling) require root access. Does this imply that AVpasser can remotely download an exploit and provide root access when needed? If so, this signifies that AVpasser is more complicated and includes more advanced capabilities than seen in the average malware.

Finally, most Android malware is specific to a small number of devices. AVpasser doesn’t limit itself to any group of devices or brands. This could be another step forward for Android mRATs.

Looking at the bigger picture – AVpasser is a sign of things to come: widespread malware that behaves like an APT. This isn’t much of a surprise – gaps between downloadable malware and more advanced, targeted mRATs have been getting smaller for while – this is just another important step in that direction.

We are currently looking for more instances of the malware and will update on any relevant findings.