The Spy in Your Pocket, Part 1: An Overview of Mobile Remote Access Trojans (mRATs)

We’re excited to present at the upcoming RSA 2014 at the end of the month. Our talk “Practical Attacks against MDM Solutions (and What You Can Do About It)” is going to focus on various threats to mobile devices and how mobile Remote Access Trojans (mRATs) are able to bypass current detection solutions.

Leading up to the conference, we’d like to provide you with this short series overviewing mRATs. We hope you’ll find this educational series not only interesting, but useful as well when planning your mobile security strategy.

Overview

As its name implies, a mobile Remote Access Trojan (mRAT) takes full control of the sensors and the hardware of the mobile device without the owner’s knowledge.
An mRat on an infected employee’s device is capable of:

1. * Snooping on corporate emails containing contracts
2. * Eavesdropping on customer or board meetings
3. * Accessing 3rd party apps such as Skype
4. * Retrieving the data of enterprise-dedicated apps in order to track roadmap activities
5. * Tracking a sales executive location
6. * Infiltrating the internal corporate network to retrieve, for example, sensitive passwords of corporate servers

What types of mRATs exist?

The spectrum of mRATs ranges from high-end ones used by governments, to those used within cybercrime toolkits; and even less sophisticated mRATs which are basically commercial surveillance toolkits:

1. * On the high-end, there are military-grade mRATs, which are mainly created for and used by the governments. In fact, several sophisticated mRATs have already gained notoriety in the past year such as FinFisher – a law enforcement mRAT which tracked individuals in over 25 countries. FinFisher, purportedly sold for about $280,000, included capabilities such as remote infection, activating the mobile’s microphone, taking screenshots and bypassing encryption methods.
2. * The mid-range of mRATS are mostly used by cyber-criminals. In this category, we can find, for example, AndroRAT which is an open-source mRAT toolkit which cyber-criminals can freely re-package within legitimate Android apps.
3. * On the lower end are commercial mobile surveillance tools, sometimes targeted as parental controls and spouse monitoring. These are effectively used also for personal and corporate espionage as well as by law enforcement agencies, with some selling these wares for as little as $50 a year.

mRATs in the Wild

To get a clear notion of how prevalent mRATs are in reality, Lacoon Mobile Security partnered in June 2013 with a global cellular network provider and randomly sampled 650,000 subscribers. Here are the results:

A few interesting results include:

1. * Nearly half of mRAT-infected devices were iOS-based. It comes to show that when discussing mobile targeted threats, iOS is certainly vulnerable to this type of attacks.
2. * 13% of compromised devices were iOS6-based (the latest iOS version at the time the study was conducted) which signified that the attacks were relatively new as commercial mobile surveillance tools do not survive OS updates.

Infection methods

Infection of mobile devices can be done remotely – such as via receiving an email containing the malware, or locally – for example, through the usage of a USB cable.

The various infection methods differ between Android and iOS-based device. In our upcoming entries on mRATs, we’ll delve into each operating system separately.