Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

KevDroid Android RAT can steal private data and record phone calls

  Security researchers discovered a new Android Remote Access Trojan (RAT) dubbed KevDroid that can steal private data and record phone calls. Security researchers at South Korean cybersecurity firm ESTsecurity have discovered a new strain of Android Trojan KevDroid that is being distributed disguised as a fake anti-virus application, dubbed “Naver Defender.” “Spear phishing attacks targeting Android […]

KevDroid

 

Security researchers discovered a new Android Remote Access Trojan (RAT) dubbed KevDroid that can steal private data and record phone calls.

Security researchers at South Korean cybersecurity firm ESTsecurity have discovered a new strain of Android Trojan KevDroid that is being distributed disguised as a fake anti-virus application, dubbed “Naver Defender.”

“Spear phishing attacks targeting Android mobile devices have recently emerged.  Portal site Naver sends emails related to personal information leakage prevention to induce malicious apps to be installed.” reads the analysis published by ESTsecurity.

“This malicious app impersonates Naver with the Naver logo and the app name “Naver Defender” and takes away sensitive information such as address book, call log, and text messages.”

KevDroid is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices and spy on its owners by recording phone calls.

After the initial discovery made by cybersecurity firm ESTsecurity, experts at Talos published a detailed analysis of two variants of RAT detected in the wild.

KevDroid

“Talos identified two variants of the Android Remote Administration Tool (RAT). Both samples have the same capabilities — namely to steal information on the compromised device (such as contacts, SMS and phone history) and record the victim’s phone calls.” reads the analysis published by Talos.

One of the variants exploits a known Android exploit (CVE-2015-3636) to get root access on the compromised device, this variant was dubbed KevDroid. Both variants sent data to the same command and control (C2) server through an HTTP POST.

Talos experts explained that the malicious code implemented the feature to record calls based on an open-source project available on GitHub.

The investigation about the infection vector revealed that attackers used a RTF file attempting to exploit the CVE-2017-11882 vulnerability in Office using an embedded Microsoft Equation object.

The bait document used by hackers is written in Korean and contains information on Bitcoin and China.

The second RAT is targeting Windows systems it specifically uses the PubNub platform as its C2 server. PubNub is a global data stream network (DSN). This malware uses the PubNub API in order to publish orders to the compromised systems, expert dubbed it “PubNubRAT.”

The most recent variant of KevDroid malware, detected a few weeks ago, implements the following capabilities:

  • record phone calls & audio
  • steal web history and files
  • gain root access
  • steal call logs, SMS, emails
  • collect device’ location at every 10 seconds
  • collect a list of installed applications
“If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim.” continues Talos. “Many users access their corporate email via mobile devices. This could result in cyber espionage being a potential outcome for KevDroid.”

South Korean media associated the KevDroid RAT with North Korea APT Group 123.

“We do not have a strong link between the two malware samples and Group 123. The TTP overlaps are tenuous — using public cloud infrastructure as a C2 server is something other malware has used before as a technique, not just Group 123. Additionally, the C2 server is hosted in Korea, and this malware has been known to target Korean users. However, this information cannot lead us to a strong link,” Talos concluded.
The analysis published by Talos also included indicators of compromise (IoCs).
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – KevDroid, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]