Android backdoor lurking inside legitimate apps

One of the most important pieces of advice we give Android users is to refrain from downloading applications from dubious sources and to stick to the official Google Play store. Malware does show up from time to time there, but it is much better controlled, thanks to the Google Bouncer, than on alternative app stores.

We discovered an interesting piece of Android malware that serves as a good example to emphasize the advice above. We found a RAT masquerading as several legitimate Android applications.

Let’s take a closer look at how the malware spreads, what it does, and at its connection to a story that made recent news headlines.

Distribution vectors

One of the most common infection vectors for Android malware is to disguise itself as a popular legitimate app – from various games to other more or less useful pieces of software. Quite often the legitimate functionality is present, but with a malicious aftermarket addition – the very essence of a trojan horse. And quite often the application purports to be a cracked version of a popular paid application – so the danger is greater on less-than-trustworthy app stores and forums – but this is certainly not an indisputable rule.

This backdoor trojan, which ESET detects as Android/Spy.Krysanec, was found as a malicious modification of MobileBank (a mobile banking app for Russian Sberbank), 3G Traffic Guard (an app for monitoring data usage) and a few others, including our own ESET Mobile Security.

The Android app ecosystem offers a reliable countermeasure against such unwarranted and malicious modifications, and that is by digitally signing applications with the actual developers’ certificates.

Obviously, the masqueraded Krysanec variants did not contain valid certificates. Needless to say, though, not all users carefully examine the applications they install on their smartphones, especially those who search for apps from dubious sources, whether they’re looking for cracked versions of paid apps, or whatever other reason.

The malware was found to be distributed through several channels, including a typical filesharing (think Warez) site or a Russian social network. The screenshots below show an account that was used to host the trojan lurking inside legitimate apps.


The infected applications contained the Android version of the Unrecom RAT (Remote Access Trojan), a multi-platform remote-access-tool.

In particular, the Android/Spy.Krysanec malware is able to harvest various data from the infected device, connect to its Command & Control (C&C) server and download and execute other plug-in modules.

The modules give the backdoor access on the device to:

  • Take photos
  • Record audio through the microphone
  • Current GPS location
  • List of installed applications
  • List of opened webpages
  • List of placed calls
  • Contact list
  • SMS (regular or Whatsapp)
  • And so on-¦

C&C servers

Interestingly, some of the samples that we analyzed connected to a C&C server hosted on a domain belonging to the dynamic DNS provider No-IP was in the news recently when Microsoft’s Digital Crimes Unit took over 22 of the company’s domains that were used to distribute malware. Microsoft, however, subsequently dropped the case.

While remote-access-tools for Android are less common than their Windows desktop counterparts, the main message here is to stress that users should download not only our ESET Mobile Security but any application only from trustworthy sources, such as the official Google Play store. And even there, exercise caution by carefully examining the permissions requested by the app.

Author: Robert Lipovsky, ESET.

Don't miss