In one of his regular sweeps for new malicious software targeting Android phones, security researcher Vitor Ventura came across what looked like a run-of-the-mill hacking tool.
Like so many pieces of code before it, the malware was capable of stealing information from a mobile device and sending it back to a command and control server. But when Ventura dug deeper, he found that the remote access trojan (or RAT, as the tool is commonly known) was capable of surreptitiously recording conversations and taking screenshots. Spying, rather than immediately making money off of the illicit access, was the apparent goal.
On Tuesday, Ventura and his colleagues at Talos, Cisco’s threat intelligence unit, publicly connected the new Android tool to the malware developers behind a multi-year effort to spy on people from South America to Bangladesh.
Much about the people behind the hacking campaign is a mystery. Ventura and his colleagues have found no evidence linking the tool to a state actor, nor have they seen the hackers marketing any stolen data in criminal forums. But the ongoing investigation hints at a bustling underground market for spying kits that are difficult to trace.
Multiple new mercenary groups that sell their services to the highest bidder have surfaced in recent months, and the Talos team has considered whether this could be another such “hack-for-hire” outfit. Another possibility, Ventura said, is the malware developers are treating their tool as a bulk commodity that can be marketed to clients indiscriminately — something akin to the “loggers” that record keystrokes and are a staple of the criminal underworld.
The attackers “are way more into spying and getting all the information that they can out of people rather than direct financial gain by just harvesting credentials,” Ventura said. Perhaps the hackers are conducting espionage and selling the information they gather on the black market, he mused, which would be “consistent with this kind of broad targeting.”
For now, though, evidence remains scant to support either theory. What’s clear is that the so-called Loda RAT is capable of targeting more people than ever before.
Whereas a 2019 campaign used the tool to spy on people in Argentina, Brazil and the U.S., the latest hacking campaign, which began in October, has targeted customers of banks and a telecom carrier in Bangladesh. The attackers previously focused on Windows systems, but the new Android tool allows them to vastly expand their potential surveillance net.
The shift of Loda RAT’s targeting to Bangladesh also is an enigma. But the South Asian nation is home to some 164 million people, many of whom use Android phones.
“This gives them a lot more flexibility in the victims that they target,” Ventura said. “Our entire life is on a mobile device.”
The researchers say some clues point to the Android malware developer being based in Morocco. By going public with their findings, they are hoping to flush out more details about the attackers’ motivations and infrastructure.
Ventura suspects this isn’t the last he’s heard from the Loda RAT developers.
“They are actively developing” their code, he said, adding that additional hacking campaigns employing the RAT could be in the offing.