ViperRAT seen active on Google Play store once again
Target: Users of Google Play Store
Attack Vector: Malware disguised in seemingly innocuous application
Summary: ViperRAT is a Remote Access Trojan (RAT) utilised by APT groups. In June 2016 it was observed being used to target and collect information on the Israeli Defence Force, affecting over 100 Israeli soldiers with over 8,000 files stolen. The malware was heavily scrutinised and received much attention from the media and analysts and after this disappeared. Due to the attack target, original suspicions centered on the Palestinian group Hamas being behind the RAT, yet the malware and social engineering techniques seemed too advanced for Hamas and it is now assumed to be the work of a far more advanced threat actor, possibly Iranian. In April 2018, ViperRAT resurfaced in the Google Play Store in a seemingly more sophisticated evolution.
As the RAT is directly on the Google Play Store, it suggests it no longer has to be pushed onto victim’s machines as a third party tool, requiring the user to enable installation, resulting in more infections. The malware possesses intelligence gathering capabilities and communicates with a Command and Control (C&C) server, feeding back collected information to threat actors.
Risk assessment summary: Whilst the threat from this version of malware is assessed as 4c LOW, the overall threat from the actors behind it is assessed as 3d MODERATE. Whilst the applications have been removed from the Google Play store, questions remain over the security of Android’s application marketplace. The Google Play Store’s screening process for applications can be bypassed if threat actors are mature, resulting in a high chance of consumers being exposed to this type of malware. This, coupled with the sheer volume of malicious applications created and used as a means of delivering malware, increases the threats of this kind in the future. The risk from this malware is also significant as it is able to control enough functions on a target device to not only collect a large amount of information, but also the means to export further malware to the target machines contacts through SMS.
The future risk this malware may pose is significant. It is suspected that the threat actors behind the malware are Iranian, and this malware may be part of a larger campaign against the West. It is likely the malware will be evolved and delivered in a more sophisticated format, driving up the risk and likelihood.