Researchers have discovered that a commercial Windows-based spy program now comes equipped with capabilities for spying on Android devices as well.
GimmeRAT, a secondary component of Win-Spy, was spotted during an investigation into a targeted attack against a financial institution in the United States. Win-Spy is generally deployed against home PC users for remote monitoring and administration, but has also popped up in two separate targeted attacks.
“The Android tool has multiple components allowing the victim’s device to be controlled by another mobile device remotely over SMS messages or alternatively through a Windows-based controller,” said researchers at security company FireEye who discovered GimmeRAT. “The Windows-based controller is simplistic and requires physical access to the device.”
Remote access Trojans for Android are nothing new; Dendroid and AndroRAT are two that have been in circulation for some time. But this is the first time that a multiplatform Windows RAT featuring Android capabilities has been discovered.
“It’s more common a tool like this that is publicly available might be used,” said FireEye researcher Hitesh Dharmdasani. “Someone might want to use this tool to [avoid] getting into someone else’s radar. You might look at it as a publicly available tool and not think it’s malicious. The intent is what makes it malicious.”
FireEye said it also detected Win-Spy used in another targeted attack campaign where Win-Spy was embedded in macro documents to kick off a spam campaign.
Win-Spy Software Pro v16 is the latest version and includes the new Android monitoring capabilities. The tool’s website promises that users can be up and spying within five minutes and that the software package lets them monitor local and remote PCs as well as Android mobile devices. Using Win-Spy, you can monitor email and FTP transfers, record keystrokes, monitor webcam and microphone activity and more.
Dharmdasani said FireEye had no visibility into the effectiveness of the respective campaigns or where they originated, and would not say whether the bank was a customer or how it detected the attacks.
In a blog post on the attacks, FireEye said the command and control infrastructure used in the attack on the financial institution was owned by the Win-Spy author, who provides use of his servers for C&C and storage of exfiltrated data.
“This feature allowing shared command-and-control infrastructure advertently or inadvertently provides another level of anonymity and deniability for the attacker,” the researchers said.
Both attacks started with phishing campaigns; the financial institution was targeted with an infected attachment posing as a pay slip, which acted as a decoy while the RAT installed in the background. The second attack used Western Union and other money transfer-themed Excel documents.
In addition to monitoring and data exfiltration, Win-Spy supports connectivity checks and the transfer of victim and system information to the remote server. An attacker can also use it to open a backdoor for uploading and downloading additional files and executing remote commands.
The new Android components also facilitate surveillance; there are three different apps that are part of the Android package.
“One of the applications requires commandeering via a Windows controller and requires physical access to the device while the other two applications can be deployed in a client-server model and allow remote access through a second Android device,” FireEye said.
One component, GlobalService.apk, is used primarily for screen capture and sending screenshots to a remote server. A second component, GlobalNativeService, listens on a local socket for commands from the .apk file. There are also two remote controllers that work in concert to track a device’s location via GPS.
“These attacks and tools reaffirm that we live in an age of digital surveillance and intellectual property theft. Off-the-shelf RATs have continued to proliferate over the years and attackers have continued to increasingly use these tools,” the researchers said. “With the widespread adoption of mobile platforms such as Android, a new market continues to emerge with the demand for RATs to support these platforms.”