The return of the SpyNote RAT as a fake Netflix app in late January gave notice that Remote Access Trojans may be the next large-scale cyber threat. First surfacing in the summer of 2016, SpyNote is a fully featured piece of malware that gives its operators remote administrative control of the Android device on which it is installed.
In its most recent appearance, the SpyNote RAT masqueraded as a Netflix app. This variant, circulated outside the Google Play Store, displays the same home screen icon as the official Netflix app once installed; tapping the icon makes it disappear from the home screen (conning the unwitting user into thinking there was an installation error) while the malware starts working in the background. The SpyNote RAT establishes a connection with its C&C server and registers for the boot event, giving it a degree of persistence. Once running, the malware’s operators can transfer files, copy contacts, listen to live audio through the device’s microphone, and control the device’s camera, among other options.
While Windows-focused remote access Trojans are typically delivered through malicious emails and web links, the Android-targeting apps are circulated as APKs outside the Google Play Store. Android variants posing as Facebook and Pokémon Go apps have also surfaced. They share capabilities such as keylogging, screen capture, hardware media capture, administrative rights, file transfer and overclocking.
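As an added example (not code from the original article), the Python below turns the traits described in the two paragraphs above into a triage check for a sideloaded APK's manifest: boot-time persistence, a device-administrator receiver, microphone/camera/contacts permissions, and a "Netflix" label on a package that is not Netflix's. The risk weights, the sample manifest and the assumed official package name are constructed for illustration; the manifest is assumed to be already decoded to plain XML (for instance by apktool).

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace prefix
# Permissions matching the capabilities described above; the weights are constructed.
RISK_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": 2,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.CAMERA": 1,
    "android.permission.READ_CONTACTS": 1,
}
OFFICIAL_PACKAGES = {"netflix": "com.netflix.mediaclient"}  # assumed official package name
# Constructed manifest of a hypothetical sideloaded "Netflix" RAT, already decoded to plain XML.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflix">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Netflix">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
def triage_manifest(manifest_xml):
    """Score a decoded AndroidManifest.xml for the RAT traits above; return (score, findings)."""
    root = ET.fromstring(manifest_xml)
    score, findings = 0, []
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name", "")
        if name in RISK_PERMISSIONS:
            score += RISK_PERMISSIONS[name]
            findings.append(name)
    # A BOOT_COMPLETED receiver is the boot-event registration that gives the RAT persistence.
    if any(a.get(A + "name") == "android.intent.action.BOOT_COMPLETED" for a in root.iter("action")):
        score += 2
        findings.append("boot receiver")
    # A receiver guarded by BIND_DEVICE_ADMIN means the app asks for device-administrator rights.
    if any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN" for r in root.iter("receiver")):
        score += 3
        findings.append("device admin receiver")
    # Brand impersonation: the label names a brand but the package is not that brand's official one.
    app = root.find("application")
    label = app.get(A + "label", "").lower() if app is not None else ""
    pkg = root.get("package", "")
    for brand, official in OFFICIAL_PACKAGES.items():
        if brand in label and pkg != official:
            score += 3
            findings.append(f"label '{label}' on package {pkg}")
    return score, findings
```

In real manifests android:label is usually a resource reference (e.g. @string/app_name), so the brand check needs the decoded strings as well; the permission and receiver checks work on the manifest alone.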
Protecting your organization's network and devices from RAT attacks usually involves two key components: safeguarding the network and minimizing the impact of user error. Keep operating systems and security software up to date, and use remote access tools that support a higher level of security, in line with network security best practices. Limit the havoc that user error can cause by reminding users not to click links in suspicious emails and not to install APKs from outside the Google Play Store on their Android devices.