Hide and Seek: An Investigation into the Changing Dynamics of Android APTs
Jagadeesh Chandraiah, Sophos
Android APTs are still a major concern on the Android platform, and new Android APT reports surface every now and then. As technology advances, we can see improvements in the way Android APTs target their victims and a major change in the dynamics of the Android APT ecosystem.
Android APT malware has started to use advanced infection vectors: Trojanised Football World Cup and dating applications that lure victims on the Google Play store; extensive use of social media applications such as Facebook, Facebook groups and Twitter pages, where attackers create fake profiles to target victims; and the WhatsApp messenger application, used to distribute payloads with fake messages. In some cases, victims are driven to compromised watering-hole websites.
Concerning the behaviour of the APT payloads, we are seeing an increasing change in what data is targeted and exfiltrated. With the rise in the use of social media applications, they target data from apps like WhatsApp, Viber and Facebook. They target your phone calls, audio, GPS and contact details. Bot and RAT (remote administration tool) capabilities are added to control the victim's device from remote sites.
In this presentation, we look into recent Android APTs found in the Google Play store and in the wild, such as GlanceLove, SkyGofree, Dark Caracal and Red Dawn. We investigate their attack process by looking into infection vectors, social engineering techniques, payloads and bot abilities. We will also discuss possible countermeasures to tackle this increasing threat type.
Jagadeesh Chandraiah is a Threat Researcher at SophosLabs, specializing in Windows and mobile malware analysis. Jagadeesh regularly presents his research at international security conferences like DeepSec, AVAR, CARO, and Virus Bulletin. Outside of work, Jagadeesh enjoys playing badminton.