Rana Android Malware Updates Allow WhatsApp, Telegram IM Snooping


Level 85
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Researchers have discovered new samples of a previously discovered Android malware, which is believed to be linked to the APT39 Iranian cyberespionage threat group. The new variant comes with new surveillance capabilities – including the ability to snoop on victims’ Skype, Instagram and WhatsApp instant messages. [...]

“It’s important to remember that there are many reasons that cause threat groups to turn their focus to specific targets,” said researchers with ReversingLabs in a Monday analysis. “Whether it’s political dissidents, opposition in countries under authoritarian regimes, or corporations the threat actors goal is to make gains monetarily or politically.”

It’s unclear what the initial infection point is for this malware. Threatpost has reached out to researchers for further details.
While previously, the malware had information stealing and remote access functionality, researchers found that the variant takes it a step further by utilizing mobile accessibility services in order to target victims’ instant messaging applications. Android’s Accessibility Service, which has previously been leveraged by cybercriminals in Android attacks, assists users with disabilities. They run in the background and receive callbacks by the system when “AccessibilityEvents” run. Bad actors have leveraged these services to gain the permissions necessary to snoop in on victims’ phones.

This particular malware uses accessibility services in order to monitor a full list of messages on communications applications, including the Android Instagram app, Skype, Telegram, Viber and WhatsApp.
The malware also now includes various commands, such as the ability to receive commands from the command and control (C2) server that are sent by SMS: “In that case, the malware intercepts the received SMS and, if it starts with a predefined command header, the malware aborts further propagation of the SMS_RECEIVED Intent,” said researchers. “This prevents the received SMS from ending up in the default SMS application.”

The malware can also take photos and record audio on the victims’ phones – as well as automatically answer calls from specific phone numbers.
“The malware also enables scheduling a device boot at some specific moment, ensuring malware activation even when someone turns off the phone,” said researchers.