In The Wild: Mobile Security Observations from the Check Point Research Team

We already know mobile threats are becoming more and more sophisticated every day. As cyber criminals exploit new vulnerabilities, they also discover new techniques that make it easier to attack our smartphones and tablets. Most end users don’t fully understand the risks, and can be easily tricked into circumventing on-device protections. That means if they’re using devices for work purposes, they could be putting sensitive enterprise data at risk, as well as their own.

Recently, researchers uncovered two new mobile Remote Access Trojans (mRATs) that clever cybercriminals have tricked end-users into installing on their Android mobile devices. These mRATs are prime example of how mobile devices continue to be plagued by malware that, without the right protections, can lead to catastrophic theft of mobile data.

OmniRAT Deceives Black Friday Shoppers

Cybercriminals moved quickly this season to target Black Friday shoppers hoping to take advantage of the best holiday deals. A clever phishing scam used the promise of unbeatable sales to lure users into downloading and installing a malicious Android app dropper masquerading as the official Amazon app.

Our researchers found that the dropper and its payload are attributed to OmniRAT (SHA256: 75a1d855e53ba21743db60471ffe09299c1294db314e598c5eb0b7282424420f), a commercially-available spyphone product. Once installed, the app decodes a hidden .apk payload on a device found in a base-64 string in its resources directory. The payload .apk is a mobile mRAT that silently steals information from a user’s device and then sends it off to the attacker’s remote server.

The amount of data this mRAT can leak out to an attacker is staggering including location information, camera parameters, contacts lists, call log records, browser bookmarks and searches, system data and more.

Malware Gets In a Bind with Android

As mobile threat researchers, we’re quite used to seeing malicious Android apps attempt binding to the device administration service to avoid being removed. Lately, however, we’ve seen a few apps using a new and creative alternative: using the accessibility service.

Android’s accessibility service, as the name suggests, is designed to make data accessible for users with special needs. For example, a user with impaired vision might need an app that will read text messages out loud. These accessibility apps bind with the accessibility service in Android, giving them access to the user’s text messages in order to read them out loud.

That’s all good and well, but what if cybercriminals harness this functionality to break out of their app’s sandbox and steal private data from the user? It turns out that’s exactly what a couple of malware developers have been brewing lately.

Our story begins with a Japanese variant of the known mRAT AndroRAT. This AndroRAT variant, discovered by researchers at Lookout and named AndroRATintern, abused the accessibility service in order to leak messages from LINE, a Japanese instant messaging app. Malware developers were quick to catch on, and a whole family of irremovable malware named Shedun was discovered using the same service in the wild to gain access to data.

This new malicious pattern comes with a grain of social engineering, as users are prompted by Android’s system to grant the malicious app permission to bind with the accessibility service. And, in the case of Shedun, malware developers assuaged user concern with a precursory message explaining they should “feel at ease” about turning on the accessibility feature.


Check Point Mobile Threat Prevention will warn users about malicious apps like OmniRAT and AndroRat to help keep data safe on smartphones and tablets.


Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.