A newly launched Android remote access Trojan known as “Rogue,” which exploits Google’s Firebase development platform, targets Android devices to access personal data and can deliver other malware, according to security firm Check Point.
The Rogue RAT is being offered for purchase on darknet forums, Check Point says in its new report. Once a hacker uses the Trojan, portrayed to victims as a legitimate app, to infect a device, the malware can exfiltrate data, such as photos, location information, contacts and messages. It can also download additional malicious payloads, including mobile ransomware.
“When Rogue successfully gains all of the required permissions on the targeted device, it hides its icon from the device’s user to ensure it will not be easy to get rid of it. If all of the required permissions are not granted, it will repeatedly ask the user to grant them,” the Check Point report notes. “If the user tries to revoke the admin permission, an onscreen message designed to strike terror in the heart of the user appears: ‘Are you sure to wipe all the data?’”
The Rogue RAT, like the popular AndroRAT, takes advantage of a targeted device’s Android Accessibility Services, which are designed to assist users with disabilities, according to the report. These services generally run in the background but can access apps and other components within an Android device. By accessing these services, hackers can gain control over a device without the victim knowing, the report notes.
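The traits reported above (an enabled accessibility service, device admin rights and a hidden launcher icon) can be checked together when triaging a device. The following is an added example, not code from Check Point or this article; the package names, sample values and the two-trait threshold are constructed assumptions, and how the inventory is collected from the device is left to the reader's tooling.

```python
# Added illustration: flag user-installed apps that combine the traits the
# report describes. All package names and sample values are constructed.

# Value of the Settings.Secure key "enabled_accessibility_services":
# colon-separated "package/ServiceClass" entries (constructed sample).
ACCESSIBILITY_SETTING = (
    "com.example.reader/.ReadAloudService:"
    "com.example.updater/com.example.updater.SyncService"
)
DEVICE_ADMINS = {"com.example.updater", "com.example.mdm"}   # active admins
LAUNCHER_PACKAGES = {"com.example.reader", "com.example.mdm",
                     "com.example.notes"}                     # show an icon
USER_INSTALLED = {"com.example.reader", "com.example.updater",
                  "com.example.mdm", "com.example.notes"}


def accessibility_packages(setting_value):
    """Return the package names that own an enabled accessibility service."""
    packages = set()
    for component in (setting_value or "").strip().split(":"):
        # Entries look like "pkg/Class"; "null" or "" means none are enabled.
        if "/" in component:
            packages.add(component.split("/", 1)[0])
    return packages


def triage(user_installed, accessibility_setting, device_admins, launcher_pkgs):
    """List (package, traits) for apps showing two or more of the traits."""
    with_accessibility = accessibility_packages(accessibility_setting)
    findings = []
    for pkg in sorted(user_installed):
        traits = []
        if pkg in with_accessibility:
            traits.append("accessibility-service")
        if pkg in device_admins:
            traits.append("device-admin")
        if pkg not in launcher_pkgs:
            traits.append("no-launcher-icon")
        if len(traits) >= 2:  # assumed threshold; one trait alone is common
            findings.append((pkg, traits))
    return findings


if __name__ == "__main__":
    for pkg, traits in triage(USER_INSTALLED, ACCESSIBILITY_SETTING,
                              DEVICE_ADMINS, LAUNCHER_PACKAGES):
        print(f"review {pkg}: {', '.join(traits)}")
```

A hit is a prompt for manual review, since legitimate management and assistive apps can share some of these traits.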
The developer behind Rogue is offering to rent the malware for as little as $29 a month, according to the Check Point research report. Lifetime access to the mobile RAT is offered for $189.
In recent months, other hackers have been using Trojanized applications to target Android devices.
In November, researchers at Kaspersky uncovered a banking Trojan targeting Android devices that had the capability to spy on over 150 apps, including those of banks, cryptocurrency exchanges and fintech firms, as a way to gather credentials and other data. In September, Kaspersky found source code for the Android mobile banking Trojan Cerberus in Russian circulating in underground forums. The release of this code led to an increase in attacks as well as updates to the malware by other underground developers.
The report notes the Rogue RAT uses Google’s Firebase platform to target and compromise as many Android devices as possible. Firebase, supported by Google Cloud Platform, is designed to help developers scale their applications.
The malware uses Firebase features, such as Cloud Messaging, Realtime Database and Cloud Firestore, as part of the command-and-control infrastructure for uploading data from the infected devices, the researchers determined. Rogue also uses Firebase to disguise its operations, enabling the malware to masquerade as a legitimate Google service app.