Android RAT impersonates Kaspersky Mobile Security

A clever malware delivery campaign impersonating well-known AV vendor Kaspersky Lab is actively targeting Polish Android users.

It all starts with a spam email sporting the firm’s logo and warning users that a “virus” designed to steal SMS codes (mTANs) used to authorize transfers has been detected on their phones.

The email claims that the scanning of the phone was done by Kaspersky Lab, which has been commissioned to do so by the users’ bank. “To prevent theft of cash from your account, please promptly install Kaspersky Mobile Security Antivirus on your mobile device,” it urges, and apparently helpfully offers the security solution in the attachment.

Unfortunately, the attached file – Kaspersky_Mobile_Security.apk – is not a security solution, but a variant of the Android SandroRAT, whose source code was put up for sale on online forums late last year.

This malware can steal the user’s contact list, SMS messages, browser history, bookmarks and GPS location; it can also intercept incoming calls and text messages, send text messages, update itself and download additional malware, use the phone’s microphone to record surrounding sounds, and more.

“A novel functionality of this threat is its ability to access the encrypted Whatsapp chats and obtain the unique encryption key using the Google email account of the device to get the chats in plain text and store them in the file waddb.sr,” McAfee researchers revealed. This functionality does not work if the user has the latest version of the popular app.

“Spam campaigns (via SMS or email) are becoming a very popular way to distribute Android malware,” the researchers warn. “This attack gains credence with the appearance of a bank offering security solutions against banking malware, a typical behavior of legitimate banks.”