Android Malware Mimic Popular Apps

DogeRAT (Remote Access Trojan) is an open-source Android malware that targets a sizable customer base from various businesses, particularly banking, and entertainment. 

CloudSEK’s TRIAD team detected it. Although this campaign primarily targeted consumers in India, it aims to be accessible to everyone.


Specifics of the DogeRAT Android Malware

The malware is being disseminated disguised as a legitimate app through social networking and messaging apps. 

The malware can take significant information from the victim’s device after it has been installed, including contacts, messages, and banking credentials. 

Particularly, the malware can also be used to hijack the victim’s device and carry out harmful tasks like sending spam messages, making unauthorized purchases, editing files, reading call logs, and even snapping pictures with the infected device’s front- and rear-facing cameras.

The impersonated apps include Opera Mini – a fast web browser, Android VulnScan, YOUTUBE PREMIUM, Netflix Premium, ChatGPT, Lite 1 [Facebook], and Instagram Pro.

It was discovered that the malware’s creator had marketed DogeRAT in two Telegram channels.

The author of the RAT has provided a premium version of DogeRAT, which includes additional features such as taking screenshots, stealing images from the gallery, acting as a keylogger, stealing information from the clipboard, and having a new file manager in addition to greater persistence and seamless bot connections with the infected device.

Telegram advertisement offering the premium version of DogeRAT

The free version of DogeRAT, screenshots, and video lessons demonstrating its features, has been made available on GitHub in an additional effort to make it more approachable for other criminal actors.

Capabilities of the DogeRAT

“This Java-based android RAT uses a very simple server-side code written in NodeJs to interact with Telegram Bot and an infected device through a web socket,” researchers explain.

“In this scenario, the Telegram Bot is working as the Command and Control panel for the threat actor who creates the setup and deploys the DogeRAT.”

Code snippet used to interact with the Telegram Bot

Reports say the trojan initially gains access to many rights, such as call log access, audio recording, reading of SMS messages, media, images, etc.

Permissions requested by the Trojan

Hence, researchers say this campaign serves as a “stark reminder” of the financial incentives driving scammers to improve their methods continuously.

To protect your digital assets, one must be vigilant and take protective precautions.

“They are not just limited to creating phishing websites, but also distributing modified RATs or repurposing malicious apps to execute scam campaigns that are low-cost and easy to set up, yet yield high returns,” researchers.

Common Security Challenges Facing CISOs? – Download Free CISO’s Guide

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.