Indian researchers have flagged a new, sophisticated malware campaign targeting users across multiple industries and device types. The malware, called DogeRAT (a Remote Access Trojan), is being circulated by attackers as fake versions of popular apps such as YouTube, Netflix, Instagram and Opera Mini; once installed, it lets them steal personal information and compromise the device's security. According to the contextual AI company CloudSEK, the campaign primarily targets users in the banking, financial services and insurance (BFSI), e-commerce, and entertainment sectors.
The attackers use DogeRAT, an open-source Android RAT, to gain unauthorized access to the victim's device. Once installed, the malware can track the victim's location, record audio through the microphone to listen in on conversations, read call logs, and access photos, media files, contacts and more. It can also download and execute files, change device settings and report the device's connectivity status, and it can remotely take photos with both the front and rear cameras.
When a user installs the malicious app, it looks like the genuine one, with a matching icon and name. Once installed, however, it prompts the user to grant a long list of permissions, including root privileges and the access it needs to send data to an external server. The attackers then use the harvested data to target victims with tailored ads and spam messages.
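The capability list above maps almost one-to-one onto Android permissions, which is the practical check a defender can make before (or after) a sideloaded app is installed: a "YouTube" or "Netflix" lookalike has no business asking for the call log, SMS or the microphone. The following script is an added example for this article, not code from CloudSEK or from the DogeRAT project; the permission names are real Android permissions, while the capability-to-permission mapping, the streaming-app baseline and both sample manifests are constructed here for illustration.

```python
"""Permission triage for a decoded AndroidManifest.xml.

Added example: flags the spyware capabilities described in the DogeRAT
report by looking at which permissions an app requests, and compares the
request list against a baseline of what an app of the impersonated kind
plausibly needs.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # android:name, as ElementTree sees it

# Capabilities the report attributes to the RAT, mapped to the Android
# permissions that enable them. Permission names are real; the grouping is
# this example's own judgement, not something the report states.
CAPABILITY_PERMISSIONS = {
    "track location": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
    "record microphone": {"android.permission.RECORD_AUDIO"},
    "read call logs": {"android.permission.READ_CALL_LOG"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read photos and media": {"android.permission.READ_EXTERNAL_STORAGE",
                              "android.permission.READ_MEDIA_IMAGES"},
    "take photos": {"android.permission.CAMERA"},
    "read or send SMS": {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS",
                         "android.permission.SEND_SMS"},
    "persist across reboot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "install downloaded files": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

# Constructed baseline (an assumption): what a video/streaming app plausibly
# needs. Anything outside it is worth a second look.
VIDEO_APP_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
    "android.permission.FOREGROUND_SERVICE",
}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."/> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def triage(manifest_xml, baseline=VIDEO_APP_BASELINE):
    """Score a manifest: which RAT capabilities its permissions enable,
    which requests fall outside the baseline, and an overall verdict."""
    perms = requested_permissions(manifest_xml)
    capabilities = sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                          if perms & needed)
    unexpected = sorted(perms - baseline)
    if len(capabilities) >= 3:
        verdict = "high"      # several surveillance capabilities at once
    elif capabilities:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "capabilities": capabilities,
            "unexpected": unexpected}


# Constructed sample: a lookalike "YouTube Premium" manifest. The package name
# and label are invented for this example.
LOOKALIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lookalike.youtube">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="YouTube Premium" android:icon="@mipmap/ic_launcher"/>
</manifest>"""

# Constructed sample: what a plain streaming app's manifest might look like.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.streaming">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Streaming"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("lookalike", LOOKALIKE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: verdict={result['verdict']}")
        for cap in result["capabilities"]:
            print(f"  enables: {cap}")
        for perm in result["unexpected"]:
            print(f"  outside baseline: {perm}")
```

For a real APK, decode it first (for example with apktool, which writes a readable AndroidManifest.xml) and pass that file's contents to `triage`. The baseline has to be chosen per impersonated app; the point of the check is the mismatch between what the app claims to be and what it asks for, not any single permission on its own.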
The ad campaigns are spread through social media and messaging apps and appear to be run by several actors. The campaign has also been observed by the cybersecurity firm Mandiant and other organizations. It is a clear sign that scammers are no longer limited to building phishing websites: they now distribute modified RATs or repurpose malicious apps to run scam campaigns that are cheap and easy to set up yet yield high returns.
According to CloudSEK's report, the malware spreads through links shared in direct messages and in social media posts. Following such a link gives the attackers the victim's IP address and other details, such as the operating system, which they use to deliver tailored ads and messages.
The ad campaigns are linked to the malware distribution platform known as Nanocore, a remote access trojan (RAT) platform offered as malware-as-a-service to other threat actors. That RAT can steal private information and perform other malicious actions, such as denial-of-service attacks, botnet functions and spying on victims' online activity, and it can also steal passwords and other sensitive data from a victim's device.