Android Malware 'Rogue' Can Give Hackers Full Access To Your Phone And Is Actively Spreading
A new Android malware named Rogue has come to light that is able to provide hackers with near-full access to a targeted smartphone. Cyber security experts have found the malware being actively distributed through a network on the dark web. The threat actor responsible for the malware is described in a new report by Check Point Research.
Researchers at Check Point Research (CPR) began mapping the activities of a threat actor using the nickname 'Triangulum' on several darknet forums. "This discovery piqued our interest, as it was extraordinary, even by dark net standards," the researchers write. They note that the threat actor was "relatively easy to follow" once spotted.
After "an impressive learning curve" that began in early 2017, Triangulum debuted a product he had developed on his own, on the dark net, for the first time on June 10, 2017.
The product was a mobile remote administration tool (RAT) designed to hijack Android devices. It could exfiltrate sensitive data to a command-and-control (C&C) server and even gave the operator the ability to destroy local data, up to deleting the entire OS.
Subsequently, Triangulum developed further products of this kind and was joined by another threat actor, HexaGoN Dev, who handled their marketing. The "crown jewel" of the duo has now been found to be Rogue.
Rogue Malware
Researchers from CPR found two main components inside the Rogue package, neither of which originally belonged to Triangulum: one is the DarkShades malware, the other is Hawkshaw.
Rogue initially asks the smartphone user for several permissions. It keeps asking until all of the required permissions have been granted. Once it has them, it hides its icon as camouflage.
Rogue then registers itself as a device administrator. Any attempt to revoke the admin permission triggers an on-screen message: "Are you sure to wipe all the data??"
Once in action, Rogue uses Google's Android accessibility service to log and document the victim's actions, then uploads the collected data to the cloud C&C server. It can detect every notification that pops up on the infected device, and it maintains a "block list" of phone numbers whose calls it drops at will.
It can even "record each and every call, incoming or outgoing," first locally and eventually leaking the recordings to the Firebase Cloud Store. Other remote actions Rogue can perform include accessing location, messages, images, the camera and contacts, recording the screen and audio, and capturing login information, among much more.
The report warns that the malware is still actively spreading on the dark web. It stresses that, like Triangulum, other threat actors are working to beat the defenses put in place by technology service providers, and that constant vigilance against them is essential.
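The behaviour described in the preceding paragraphs (an app that insists on many permissions, then enrols as a device administrator and an accessibility service, listens to notifications and records calls) leaves a static footprint in the APK's AndroidManifest.xml, which is where defenders usually begin triage. The script below is an added example written for this page, not Check Point's code and not derived from any real Rogue sample: it parses a constructed manifest and flags the combination of special-access components (device admin receiver, accessibility service, notification listener) and data-access permissions that together match the profile above. The package and component names, the indicator lists and the verdict threshold are assumptions chosen for illustration.

```python
"""Static triage of an Android manifest for a spyware-style capability set.

Added example for this article. The manifests below are constructed for
illustration; they are not taken from any real malware sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Data-access permissions that, in combination, match the capabilities the
# article describes (call recording, SMS, contacts, location, camera, files).
RISKY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "microphone / call recording",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_SMS": "SMS access",
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.CAMERA": "camera",
    "android.permission.ANSWER_PHONE_CALLS": "call control (drop/answer)",
    "android.permission.READ_EXTERNAL_STORAGE": "images and files",
}

# Special-access components. Each is declared as a receiver/service guarded by
# a BIND_* permission; the device-admin receiver is also the hook (its
# onDisableRequested callback) that can show a warning when the user tries to
# revoke admin rights, as the article describes.
SPECIAL_ACCESS = {
    "android.permission.BIND_DEVICE_ADMIN": "device administrator (lock/wipe policies)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service (UI/keystroke logging)",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
}


def attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return the indicators found in a manifest and a combined verdict.

    The verdict is deliberately conservative: a single indicator is common in
    legitimate apps (MDM, parental control), so it fires only on the
    combination of device admin + accessibility service + 3 or more risky
    permissions. The threshold is an assumption for this example.
    """
    root = ET.fromstring(xml_text)
    findings = []

    declared = {attr(p, "name") for p in root.iter("uses-permission")}
    risky = [p for p in RISKY_PERMISSIONS if p in declared]
    for perm in risky:
        findings.append(f"permission {perm}: {RISKY_PERMISSIONS[perm]}")

    special = set()
    for comp in list(root.iter("receiver")) + list(root.iter("service")):
        guard = attr(comp, "permission")
        if guard in SPECIAL_ACCESS:
            special.add(guard)
            findings.append(f"{comp.tag} {attr(comp, 'name')}: {SPECIAL_ACCESS[guard]}")

    verdict = (
        "android.permission.BIND_DEVICE_ADMIN" in special
        and "android.permission.BIND_ACCESSIBILITY_SERVICE" in special
        and len(risky) >= 3
    )
    return {"findings": findings, "verdict": verdict}


# Constructed manifest resembling the profile in the article (not a real sample).
SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.spy">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed benign manifest for contrast: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("spyware-like", SPYWARE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(text)
        print(f"{label}: verdict={result['verdict']}")
        for line in result["findings"]:
            print("  -", line)
```

In practice the manifest is first extracted from the APK with a tool such as apktool or aapt and then fed to `triage_manifest`; the point of the combined verdict is that device-admin or accessibility access alone is not suspicious, while the full set the article describes rarely appears together in a legitimate app.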