Quick Heal Labs has detected a new threat that is out on the hunt for Android users. We came across an open-source script that adds a backdoor (a secret method hackers use to gain unauthorized access to a device) to any APK (Android application package).
The home page of the backdoor-apk looks like this (fig 1).
Although the author states that this script is intended for educational purposes only, cybercriminals are using it to fuel their malicious campaigns, and our analysis confirms this.
To read the technical analysis on this malware, download the PDF given below.
No other antivirus software has been able to detect this backdoor. Below is the result from VirusTotal:
What does the backdoor do?
The package, which contains only 5 classes, is just a wrapper that downloads the actual payload from the Metasploit framework. Metasploit is a framework designed for penetration testing, but in this case it is being used with malicious intent. Once the backdoor receives the payload, it gives the attacker complete access to the victim’s device, including:
- Starting any app
- Shutting down device
- Retrieving call logs, contacts, SMS, location, etc.
- Sending SMSs
- Recording audio from microphone
- Taking pictures from device’s camera
- Getting live video stream from device’s camera
- Accessing all the files stored on the device
- Changing wallpaper
- Accessing shell
This is not the only script attackers are using for their malicious ends. There are many more; some are open source while others are closed source. As scripts like these are easily available, the number of threats is increasing and is expected to keep doing so in the future. Android users are advised to install the Quick Heal Mobile Security app, which proactively detects and blocks this threat as ‘Android.MetaBack.A’.
Subject Matter Expert
– Gaurav Shinde (Threat Research and Response Team)