New Android Malware Is Spreading Through Third-Party App Markets

ESET sounds the alarm after Krysanec RAT is found piggybacking on top of its own security app

Security researchers at ESET have discovered a new strain of Android malware that is distributed through the unofficial app markets.

The company took a special interest in Krysanec Remote Access Tool (RAT) after it realised that cyber criminals had the nerve to ship malicious code on top of ESET’s own mobile security app.

What makes Krysanec particularly insidious is it still allows for full functionality of the host application, so the victims do not suspect there was something wrong with their download.

False pretenses

According to ESET, Android/Spy.Krysanec gives the attacker full access to the infected device. It enables them to take photos, record audio through the microphone, access current GPS location, list of installed applications, browser history and call history. The RAT can also send SMS, including to premium numbers which could have been set up by cyber criminals in advance.

Android-Spy.Krysanec-control-panelKrysanec has been spotted piggybacking on top of popular applications like 3G Traffic Guard and the mobile banking app for Sberbank, the largest bank in Russia and third largest in Europe.

So far, ‘carrier’ apps have only been spotted on unofficial markets: ESET says Google Play Store is safe thanks to the work of Google Bouncer, an automatic system that constantly scans both new and existing apps. Meanwhile, countless third-party websites blatantly ignore any safety recommendations especially those that offer pirated Android software.

“Interestingly, some of the samples that we analysed connected to a C&C server hosted on a domain belonging to the dynamic DNS provider no-ip.com,” wrote Robert Lipovsky, malware researcher at ESET.

No-IP was in the news recently when Microsoft’s Digital Crimes Unit took over 22 of the company’s domains that were used to distribute malware. Microsoft, however, subsequently dropped the case.

“While remote-access-tools for Android are less common than their Windows desktop counterparts, the main message here is to stress that users should download not only our ESET Mobile Security but any application only from trustworthy sources, such as the official Google Play store. And even there, exercise caution by carefully examining the permissions requested by the app.”

Do you know your famous hackers? Take our quiz!