
New “AndroRAT” Malware Threatening Android Devices Identified

Cybersecurity experts have reported the discovery of a new version of AndroRAT, malicious software targeting the Android operating system. This malware is designed to compromise users’ personal data by stealing pattern locks, PIN codes, and passwords.

Although AndroRAT was initially introduced in 2012 as an open-source university project, it has since evolved into a dangerous tool used by attackers. The most alarming aspect is that this malware can bypass security systems on devices running up to Android 15.

Cybersecurity researchers have highlighted several sophisticated features of AndroRAT, indicating an increased threat level. In particular, the malware exploits vulnerabilities like CVE-2015-1805, which was originally identified in the Linux kernel. Although this vulnerability was patched in 2016, it remains unpatched on millions of Android devices that have not received updates.

AndroRAT infiltrates devices through a multi-stage infection process:

1️⃣ Malicious App Installation: Initially, it is distributed as a fake app called “TrashCleaner” through third-party app stores and phishing campaigns.

2️⃣ Second-Stage Component: Once installed, the malware disguises itself as a calculator app and activates additional malicious payloads.

3️⃣ System Exploitation: AndroRAT exploits system_server permissions to inject malicious code into the com.android.settings process.

Key Threats Posed by AndroRAT

🔹 Stealing Pattern Locks and Passwords:

  • AndroRAT targets the /data/system/gesture.key and locksettings.db3 files, which store credential hashes produced with the SHA-1 algorithm.
  • Once accessed, the malware extracts these credentials using ADB commands and cracks them using brute-force or dictionary attacks with tools like LockKnife.

🔹 Bypassing Screen Interaction:

  • The malware executes input tap and input swipe commands, enabling it to automatically enter PINs or pattern locks and unlock the device.

🔹 Memory Injection:

  • AndroRAT exploits ptrace() vulnerabilities in Android to inject its code into system processes such as com.google.android.gms, allowing it to evade detection by Google Play Protect.

🔹 Stealing Sensitive Data:

  • The malware records keystrokes via /dev/input/event*, enabling it to capture typed data, including messages from encrypted messengers.

🔹 Maintaining Connection to C2 Servers:

  • AndroRAT uses a Domain Generation Algorithm (DGA) based on IMEI numbers to reach alternative command-and-control servers through DNS.

📌 Enterprises and users should take the following precautions:

🔸 Block IP Ranges:

  • Block 185.130.104.[0-255] and 194.87.92.[0-255] (associated with AndroRAT command-and-control servers).

🔸 Enforce SELinux Security Policies:

  • Restrict access to gesture.key from untrusted applications.

🔸 Monitor for Suspicious Activity:

  • Watch for unusual queries to the locksettings.db database, as this could indicate credential dumping attacks.

🔸 Memory Analysis:

  • Use tools like Volatility to examine suspicious com.android.server.locksettings processes.

🔸 Check APK Permissions:

  • Review apps requesting the REQUEST_COMPANION_START_FOREGROUND_SERVICES_FROM_BACKGROUND permission (a potential indicator of AndroRAT infection).
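As an added example (not code from the article or from any vendor), the following Python script audits the output of `adb shell dumpsys package packages` for apps that request that permission and lists sideloaded ones (installer other than the Play Store) first. It assumes the `Package [...]`, `installerPackageName=` and `requested permissions:` lines look as in the constructed sample; real output varies by Android version.

```python
# Added example, not from the article: audit `adb shell dumpsys package packages`
# output for apps requesting the permission named above, sideloaded apps first.
# The sample text below is a constructed, simplified excerpt, not real output.
import re

SUSPECT_PERMISSION = ("android.permission."
                      "REQUEST_COMPANION_START_FOREGROUND_SERVICES_FROM_BACKGROUND")
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.trashcleaner] (1a2b3c4):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_COMPANION_START_FOREGROUND_SERVICES_FROM_BACKGROUND
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (5d6e7f8):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
"""

# Header line of each package block; the capture group becomes the split key.
PKG_BLOCK = re.compile(r"^[ \t]*Package \[([\w.]+)\].*$", re.M)
# Consecutive permission lines directly under "requested permissions:".
REQUESTED = re.compile(r"requested permissions:\n((?:[ \t]+android\.permission\.\S+\n)*)")
INSTALLER = re.compile(r"installerPackageName=(\S+)")


def parse_packages(dump: str) -> dict:
    """Return {package: {"installer": str | None, "requested": set()}}."""
    parts = PKG_BLOCK.split(dump)  # [preamble, name1, body1, name2, body2, ...]
    pkgs = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        inst = INSTALLER.search(body)
        installer = inst.group(1) if inst and inst.group(1) != "null" else None
        req = REQUESTED.search(body)
        pkgs[name] = {"installer": installer,
                      "requested": set(req.group(1).split()) if req else set()}
    return pkgs


def suspicious_packages(dump: str) -> list:
    """(package, installer, sideloaded) for every app requesting the permission."""
    hits = [(name, info["installer"], info["installer"] not in TRUSTED_INSTALLERS)
            for name, info in parse_packages(dump).items()
            if SUSPECT_PERMISSION in info["requested"]]
    return sorted(hits, key=lambda h: (not h[2], h[0]))  # sideloaded first
```

Calling suspicious_packages(SAMPLE_DUMPSYS) flags only com.example.trashcleaner, with no installer recorded; on a real device, pipe the dumpsys output into the same function.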

🔴 Although AndroRAT has existed since 2012, in 2025 it has evolved into a more sophisticated and dangerous threat to Android users.

🔴 The latest version incorporates code from malware like Dendroid and OmniRAT, and it is suspected to be used by cybercriminals from Eastern Europe and Southeast Asia.

🔴 With Android 15 introducing the Gatekeeper security system, attackers are now distributing AndroRAT via seemingly legitimate apps like “Trash Cleaner” to deceive users.

🔴 Since January 2025, this malware has reportedly infected over 12,000 devices.

📢 Advice: Users should only download apps from the official Google Play Store, install security updates regularly, and enable two-factor authentication for enhanced protection.

🛡 Cybersecurity is an ongoing battle. Strengthen your device’s security by following these precautions and stay protected from malware! 🔐