Rana Android Malware Updates Allow WhatsApp, Telegram IM Snooping

The developers behind the Android malware have a new variant that spies on instant messages in WhatsApp, Telegram, Skype and more.

Researchers have discovered new samples of a previously discovered Android malware, which is believed to be linked to the APT39 Iranian cyberespionage threat group. The new variant comes with new surveillance capabilities – including the ability to snoop on victims’ Skype, Instagram and WhatsApp instant messages.

According to U.S. feds, the developers of this malware are allegedly operating under the guise of a front company, Rana Intelligence Computing Co., which has been linked to APT39 (also known as Chafer, Cadelspy, Remexi, and ITG07), as well as Iran’s Ministry of Intelligence and Security (MOIS). On Sept. 17, the U.S. Department of the Treasury’s Office of Foreign Assets Control placed sanctions on APT39, which has carried out various malware campaigns since 2014, targeting Iranian dissidents, journalists and international companies in the travel sector.

In tandem with the sanctions, the FBI released a public threat analysis report that investigated several tools used by Rana Corp. Researchers recently conducted further analysis of one of these malware samples (com.android.providers.optimizer) and found that its latest variant showcases several new commands that point to the threat actors sharpening their surveillance capabilities.

“It’s important to remember that there are many reasons that cause threat groups to turn their focus to specific targets,” said researchers with ReversingLabs in a Monday analysis. “Whether it’s political dissidents, opposition in countries under authoritarian regimes, or corporations the threat actors goal is to make gains monetarily or politically.”

When asked about the initial infection point is for this malware, a ReversingLabs researcher told Threatpost: “FBI did not disclose that information in the original report. We currently don’t have sufficient telemetry to connect that particular set of files to their source.”

Instant Message Snooping

While previously, the malware had information stealing and remote access functionality, researchers found that the variant takes it a step further by utilizing mobile accessibility services in order to target victims’ instant messaging applications. Android’s Accessibility Service, which has previously been leveraged by cybercriminals in Android attacks, assists users with disabilities. They run in the background and receive callbacks by the system when “AccessibilityEvents” run. Bad actors have leveraged these services to gain the permissions necessary to snoop in on victims’ phones.

This particular malware uses accessibility services in order to monitor a full list of messages on communications applications, including the Android Instagram app, Skype, Telegram, Viber and WhatsApp.

“Looking at the monitored IM applications additionally proves that this malware is probably used for the surveillance of Iranian citizens,” explained researchers. “One of the monitored IM applications is a package named ‘org.ir.talaeii,’ which is described as ‘an unofficial Telegram client developed in Iran.'”

Other Commands

The malware also now includes various commands, such as the ability to receive commands from the command and control (C2) server that are sent by SMS: “In that case, the malware intercepts the received SMS and, if it starts with a predefined command header, the malware aborts further propagation of the SMS_RECEIVED Intent,” said researchers. “This prevents the received SMS from ending up in the default SMS application.”

The malware can also take photos and record audio on the victims’ phones – as well as automatically answer calls from specific phone numbers.

“The malware also enables scheduling a device boot at some specific moment, ensuring malware activation even when someone turns off the phone,” said researchers.

Another less-common Android command that the malware sports is the ability to add a custom Wi-Fi access point and to force the device to connect to it. Researchers believe this feature was introduced to avoid possible detection due to unusual data traffic usage on the target’s mobile account.

Android users continue to be hit by various mobile threats – including “undeletable” adware and Android banking trojans. Mobile phone users can avoid such mobile malware by knowing which apps have what permissions, and making sure that enterprises have a solid mobile management policy in place.

“What we can take away from this analysis is the importance of maintaining control over your device to reduce the risk of infection,” they said. “On an individual level this includes knowing which apps have access to microphones and sensitive information. If you are part of a government agency, or even a private corporation, it means having a solid BYOD policy, that includes application control, continually auditing the system setting, and malware scanning.”

Put Ransomware on the Run: Save your spot for “What’s Next for Ransomware,” a FREE Threatpost webinar on Dec. 16 at 2 p.m. ET. Find out what’s coming in the ransomware world and how to fight back. 

Get the latest from John (Austin) Merritt, Cyber Threat Intelligence Analyst at Digital Shadows, and Israel Barak, CISO at Cybereason, on new kinds of attacks. Topics will include the most dangerous ransomware threat actors, their evolving TTPs and what your organization needs to do to get ahead of the next, inevitable ransomware attack. Register here for the Wed., Dec. 16 for this LIVE webinar.

Suggested articles