Security researchers at FireEye have uncovered a new, sophisticated piece of Android malware, dubbed HijackRAT, capable of simultaneously leaking private data, stealing banking credentials and granting hackers remote access to the infected device.
FireEye said the malware comes loaded in a malicious app called Google Service Framework and is one of the most advanced malware apps ever uncovered.
“In the past, we’ve seen Android malware that executes privacy leakage, banking credential theft, or remote access separately, but this sample takes Android malware to a new level by combining all of those activities into one app.”
The application reportedly steals and sends SMS messages, exfiltrates contact lists and initiates malicious app updates. It can also scan for legitimate banking apps installed on the victim's device and replace them with fake ones.
FireEye said the malware is currently being used to defraud customers of eight popular Korean banks, but could easily be adapted by the hackers to start targeting European financial institutions.
“We found the hacker has designed a framework to conduct bank hijacking and is actively developing towards this goal,” read the report. “We suspect in the near future there will be a batch of bank hijacking malware once the framework is completed. Right now, eight Korean banks are recognised by the attacker, yet the hacker can quickly expand to new banks with just 30 minutes of work.”
The researchers said the malware is particularly dangerous because, by masquerading as Google Service Framework, it is able to bypass most traditional antivirus (AV) tools.
“The package name of this new RAT malware is ‘com.ll’ and appears as Google Service Framework with the default Android icon,” read the report.
“So far, the VirusTotal score of the sample is only five positive detections out of 54 AV vendors. Such new malware is published quickly partly because the command-and-control (C&C) server, which the hacker uses, changes so rapidly.”
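The report's detail that the sample carries the package name 'com.ll' while presenting the label "Google Service Framework" suggests a simple inventory check a defender can run on an exported package list: a system-component label is only legitimate when it comes from the package that genuinely owns it. The following is an added example, not FireEye's tooling or anything from the report; the installed-app inventory is constructed, the permission set attributed to the fake is an assumption based on the page's description (SMS and contact theft, app updates), and the only external fact it relies on is that the genuine Google Services Framework ships as `com.google.android.gsf` in the system partition.

```python
"""Flag installed Android packages whose label impersonates a system component.

Added example for illustration; the inventory below is constructed to mirror
the page's description of HijackRAT (package 'com.ll' labelled as Google
Service Framework) and is not data captured from a real device.
"""
from dataclasses import dataclass, field

# Labels that only one known package is allowed to carry. The genuine
# Google Services Framework is com.google.android.gsf; both spellings of
# the label are accepted because the fake uses the singular form.
TRUSTED_LABELS = {
    "google services framework": {"com.google.android.gsf"},
    "google service framework": {"com.google.android.gsf"},
}

# Permissions a framework component has no business holding. These are
# assumed for the sample; the page does not list its manifest permissions.
SENSITIVE_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


@dataclass
class InstalledApp:
    package: str
    label: str
    permissions: set = field(default_factory=set)
    is_system: bool = False  # True when installed in the system partition


def normalise(label: str) -> str:
    """Collapse case and whitespace so 'Google  Service Framework' matches."""
    return " ".join(label.lower().split())


def impersonation_findings(app: InstalledApp) -> list:
    """Return human-readable findings for one app; empty list means clean."""
    findings = []
    allowed = TRUSTED_LABELS.get(normalise(app.label))
    if allowed is None:
        return findings  # label is not one we reserve; nothing to check
    if app.package not in allowed:
        findings.append(
            f"label '{app.label}' is reserved for {sorted(allowed)} "
            f"but package is {app.package}"
        )
    if not app.is_system:
        findings.append("claims to be a system framework but is a user-installed app")
    sensitive = app.permissions & SENSITIVE_PERMS
    if sensitive:
        findings.append("framework-labelled app holds " + ", ".join(sorted(sensitive)))
    return findings


def scan(apps: list) -> dict:
    """Map package name -> findings for every app that raised at least one."""
    result = {}
    for app in apps:
        findings = impersonation_findings(app)
        if findings:
            result[app.package] = findings
    return result


# Constructed inventory: the genuine framework, an ordinary user app and the
# impersonator described on the page.
SAMPLE_INVENTORY = [
    InstalledApp("com.google.android.gsf", "Google Services Framework",
                 {"android.permission.INTERNET"}, is_system=True),
    InstalledApp("com.example.bank", "Example Bank",
                 {"android.permission.INTERNET", "android.permission.USE_FINGERPRINT"}),
    InstalledApp("com.ll", "Google Service Framework",
                 {"android.permission.READ_SMS", "android.permission.SEND_SMS",
                  "android.permission.READ_CONTACTS",
                  "android.permission.REQUEST_INSTALL_PACKAGES"}),
]

if __name__ == "__main__":
    for package, findings in scan(SAMPLE_INVENTORY).items():
        print(package)
        for line in findings:
            print("  -", line)
```

Only the constructed 'com.ll' entry is reported: its label collides with a reserved one, it is not a system package, and it holds SMS and contact permissions. The check is deliberately independent of the icon, since the report notes the fake uses the default Android icon, which carries no signal on its own.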
The malware appears to be a work in progress and it is currently unclear what the replacement fake banking apps do.
FireEye said the hacker's rapid development cycle in building and deploying the malware indicates it could be a test attack, and that an even more dangerous evolved version could be on the horizon.
“Given the unique nature of how this app works, including its ability to pull down multiple levels of personal information and impersonate banking apps, a more robust mobile banking threat could be on the horizon,” read the report.
Malware is a growing problem facing Android users, with security vendors universally listing it as the most targeted mobile ecosystem in the world. In June, Google announced plans to integrate Samsung's Knox security solution into its next Android L update in a bid to help mitigate the problem.