Researchers: ‘Rogue’ steals data, supplies other malware
Akshaya Asokan (@asokan_akshaya)
January 13, 2021
A recently identified mobile remote access Trojan, dubbed “Rogue,” abuses Google’s Firebase development platform as command-and-control infrastructure, targets Android devices to exfiltrate personal data and can deliver other malware, according to a report from security company Check Point Research.
The Rogue RAT is being offered for sale or rental on darknet forums, Check Point says in its new report. Once an attacker has infected a device with the Trojan, which is presented to victims as a legitimate application, the malware can exfiltrate data such as photos, location information, contacts and messages. It can also download additional malicious payloads, including mobile ransomware.
“When Rogue obtains all the required permissions on the targeted device, it hides its icon from the device user to ensure that it won’t be easy to get rid of. If all the required permissions are not granted, it will repeatedly ask the user to grant them,” the Check Point report notes. “If the user attempts to revoke the administrator permission, an on-screen message designed to strike terror into the user’s heart appears: ‘Are you sure you erase all data?’”
The Rogue RAT takes advantage of a targeted device’s Android accessibility services, which are designed to help users with disabilities, according to the report. These services run in the background and can read and interact with the user interface of other apps and components of an Android device. By obtaining accessibility access, the attacker can control the device without the victim’s knowledge, the report notes.
The developer behind Rogue is offering to rent the malware for as little as $29 per month, according to the Check Point research report. Lifetime access to the mobile RAT is available for $189.
The report notes that the Rogue RAT uses Google’s Firebase platform to reach and compromise as many Android devices as possible. Firebase, part of Google Cloud Platform, is designed to help developers build and scale their applications.
The malware uses Firebase services, such as Cloud Messaging, the Realtime Database and Cloud Firestore, as its command-and-control infrastructure, using them to receive commands and to exfiltrate data from infected devices, the researchers determined. Because Firebase traffic goes to legitimate Google endpoints, it also helps Rogue conceal its operations, allowing the malware to pass as a legitimate Google service application.
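The behaviours described above (an accessibility service, a device-admin receiver that resists removal, broad data-access permissions, and Firebase endpoints used as C2) can be turned into a static triage heuristic over an APK’s decoded manifest and string table. The script below is an added illustration written for this article, not Check Point’s detection logic or any indicator from the Rogue report; the manifest, the string list, the permission list and the scoring thresholds are all constructed assumptions for the example. Note that Firebase hosts alone are not a signal, since many legitimate apps use Firebase, which is exactly why the malware blends in; the score only counts them when control capabilities are also present.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Firebase services named in the report as Rogue's C2 channel: Realtime Database
# (*.firebaseio.com), Cloud Messaging and Cloud Firestore. Host list is an assumption.
FIREBASE_HOST_RE = re.compile(
    r"\b(?:[a-z0-9-]+\.firebaseio\.com|fcm\.googleapis\.com|firestore\.googleapis\.com)\b",
    re.IGNORECASE,
)

# Permissions covering the data the article says Rogue exfiltrates
# (messages, contacts, location, photos). Constructed list for this example.
DATA_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}


def triage_manifest(manifest_xml, strings):
    """Score an APK from its decoded AndroidManifest.xml and extracted strings.

    Returns a dict of findings plus a numeric score and a coarse verdict.
    Heuristic only: a legitimate accessibility or MDM app can score high too.
    """
    root = ET.fromstring(manifest_xml)
    name, perm = ANDROID_NS + "name", ANDROID_NS + "permission"

    requested = {u.get(name) for u in root.iter("uses-permission")}
    findings = {
        # A service bound with BIND_ACCESSIBILITY_SERVICE can read and drive other apps' UI.
        "accessibility_services": [
            s.get(name) for s in root.iter("service")
            if s.get(perm) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        ],
        # A device-admin receiver is what lets the app resist uninstall and show wipe warnings.
        "device_admin_receivers": [
            r.get(name) for r in root.iter("receiver")
            if r.get(perm) == "android.permission.BIND_DEVICE_ADMIN"
        ],
        "data_permissions": sorted(requested & DATA_PERMISSIONS),
        "firebase_hosts": sorted({m.lower() for s in strings for m in FIREBASE_HOST_RE.findall(s)}),
    }

    score = 0
    if findings["accessibility_services"]:
        score += 3
    if findings["device_admin_receivers"]:
        score += 2
    score += len(findings["data_permissions"])
    # Firebase only matters as C2 evidence when the app also has control capabilities.
    if findings["firebase_hosts"] and score >= 3:
        score += 1

    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 5 else "review" if score >= 3 else "low"
    return findings


# Constructed sample manifest modelled on the capabilities described in the article.
# Package and class names are invented; they are not Rogue's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed strings as a tool like `strings` or a DEX string dump might yield them.
SAMPLE_STRINGS = [
    "https://constructed-example.firebaseio.com/cmds.json",
    "https://fcm.googleapis.com/fcm/send",
    "Are you sure you erase all data?",
]

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

In practice the manifest comes from a decoder such as apktool or androguard and the string list from the DEX string pool; the heuristic is meant to prioritise samples for manual review, not to classify them on its own.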
Check Point Research says Rogue was designed by a darknet developer called “Triangulum,” who built the Trojan in collaboration with another threat actor named “HexaGoN Dev,” who specializes in Android malware. The duo have previously collaborated on other Android malware, including cryptominers, keyloggers and phone-to-phone mobile RATs, the report says.
The two threat actors have been selling Rogue since March, researchers said.
Triangulum, which has been active since 2017, started out as an amateur by joining hacking forums, the report notes.
“We have evidence of [Triangulum] being active in recent months. This includes responses in his sales threads, daily check-ins and random chatter in various parts of his home darknet forums,” Yaniv Balmas, head of cyber research at Check Point Software Technologies, told Information Security Media Group.
Check Point researchers note that Triangulum appears to have used the source code of two other Android RATs, called Cosmos and Hawkshaw, to create the Rogue malware.
In recent months, other hackers have used Trojan applications to target Android devices.
In November, Kaspersky researchers discovered that a banking Trojan targeting Android devices had the ability to spy on more than 150 apps, including those of banks, cryptocurrency exchanges and fintech companies, in order to collect credentials and other data (see: Banking Trojan Can Spy on Over 150 Financial Applications).
In September, Kaspersky found the source code for the Cerberus Android mobile banking Trojan circulating on Russian-language underground forums. The release of the code led to an increase in attacks as well as malware updates by other underground developers (see: Attacks Using Cerberus Banking Trojan Surge).