Another day, another malware threat against Android users – This time, it is LodaRAT targeting users in Bangladesh.
The IT security researchers at Cisco Talos identified an already known RAT that was previously threatened Windows systems can now target Android platforms.
Dubbed LodaRAT, the trojan was equipped with credential-stealing capabilities earlier, but now it is eyeing Android users to enhance the attackers’ espionage activities further.
According to Cisco Talos researchers, the latest iteration of LodaRAT comes with “improved sound recording capabilities.”
Who Has Developed LodaRAT?
Research reveals that a group called Kasablanca is behind this malware. The developers have reportedly deployed the latest version of LodaRAT in a currently active hybrid campaign that’s mainly targeting users in Bangladesh.
What is LodaRAT?
Proofpoint first discovered LodaRAT in 2017. LodaRAT is an AutoIt malware delivered through phishing emails. It can run a wide range of commands, mainly designed to record audio/video and steal sensitive data. The recent variant of LodaRat can steal cookies and passwords from the web browser.
What’s the difference between LodaRAT Windows and Android?
According to a blog post published by researchers, the Android version, dubbed Loda4Android, and Loda4Windows are somewhat similar since both come with an extensive suite of data-gathering features. Both malware aim to perform stalking activities.
The malware uses the same C&C infrastructure as well. A unique aspect of the Android version is that it avoids using techniques synonymous with other banking trojans, such as recording on-screen activities by abusing Accessibility APIs.
The new version can capture images/screenshots, read and intercept SMS messages, access call logs, and call specific numbers. The Windows version can enable remote access to the targeted device through RDP and has a Sound command that exploits the BASS audio library to capture audio from the microphone.
The recent surge of attacks utilizing the new iteration of LodaRAT surfaced in October 2020. The attackers targeted carrier-grade voice-over-IP software vendors and banks.
Researchers believe that the malware author could be based in Morocco and has used a wide range of social engineering tricks from emails embedded with infected RTF documents that exploit the CVE-2017-11882 vulnerability in MS Office to typo squatted domains.
How to protect yourself against LodaRAT?
If you are an Android user, keep an eye on such threats since Android is one of the most vulnerable and targeted smartphone operating systems. Watch out for malicious apps on the Play Store spreading malware and conducting phishing scams.
Moreover, don’t open anonymous emails or click on files attached to them. You should also use a reliable anti-virus for Android devices and keep your smartphone updated to the latest version.