This article mainly introduces the use of several mainstream Android remote-control Trojan kits. This kind of attack belongs to the C&C (command and control) category. When I was building the detection algorithm model for this area, the scenarios covered were mainly Windows and Linux systems. With the arrival of the 5G era, the use of mobile phones and in-vehicle devices will increase significantly, and securing them becomes especially important.
To get to the main topic, we first introduce the names of these five malware families: DroidJack, Spynote, AndroRat, AhMyth, and FatRat (interested readers can download them themselves or contact the editor). The C&C terminals of the first four remote-control Trojans run on Windows, meaning the attacker operates from a Windows system. FatRat is built for Linux; it is not installed in Kali by default and must be installed manually. The most mainstream of these is Spynote, which has powerful functions and stable performance; the others are also used in ordinary attacks. In the simulated scenario we use an Android emulator as the controlled (victim) device, which may behave differently from a physical phone; still, judging from the characteristics of C&C attack behavior, the generated attack traffic will not be distorted.
First, we introduce the use of FatRat. After entering fatrat in the shell, the menu appears as shown below:
We choose option 1, as shown in the figure:
Here we want to create an Android remote-control Trojan, so we choose 3. Then we need to enter our own IP (the hacker's IP is generally a public IP; here it is temporarily set to an internal-network IP for convenience of the demonstration) and the listening port. The created malware file is named FatRat.apk.
Next, option 3: the reverse TCP shell payload.
After entering y, our remote-control Trojan file is generated. Its format is apk, the application package format used on Android phones.
Next step: install the malicious apk file in the Android emulator. The picture shows the phone interface after installing all five remote-control Trojans; the app name of the installed FatRat.apk is MainActivity.
Next, we start the actual attack. We open Wireshark to capture the attack traffic and then start Metasploit on the controlling (hacker) side (readers unfamiliar with Metasploit can read this article: https://paper.seebug.org/29/).
Next, we start the listener that waits for the C&C connection:
When the malicious Trojan is launched on the phone, the C&C session is established successfully:
After entering help, you can view the commands available in the session.
Starting the post-exploitation phase, the attacker can obtain a shell to traverse the victim's files, upload other malicious files to the victim's phone, or download sensitive information from it (call records, contacts, SMS records, pictures, etc.):
The attack traffic of FatRat is shown below:
It can be seen that part of the payload is encrypted, so traditional signature-based detection may be less effective than machine learning algorithms. That concludes the introduction to FatRat. Let's look at how Spynote is used under Windows.
The remote-control tool under Windows is easier to operate, so it is used more frequently. The attack method is similar to FatRat: first set the listening IP and port on the attacker side, then click Build to generate the malware file.
After the malicious file is started, the attacker side shows an automatic online prompt, and the various attack functions can be browsed from the right-click menu:
For example, files can be uploaded and downloaded through the FileManager item:
Similarly, hackers can monitor the victim's call recordings, obtain a shell, list installed software, etc.
The traffic of a remote-control attack using Spynote is shown in the following figure:
Finally, the usage of the remaining three remote-control Trojans is the same as Spynote's, but the traffic they generate differs in content. The model I trained with a machine learning algorithm can successfully detect the traffic of all five remote-control attacks above.
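The two points above, that the C&C payload is partly encrypted and that detection therefore has to work on traffic behavior rather than content, can be illustrated with payload-independent flow features. The following is an added example, not the author's trained model or any of the kits' code: it takes constructed connection summaries (the addresses, port and byte counts are made up) and scores each device-to-server channel on the long-lived, regularly reconnecting, small-packet pattern that a reverse TCP shell session produces; a trained classifier would replace the hand-written score.

```python
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# One TCP connection summary (as a flow exporter or conn log would give it).
Flow = namedtuple("Flow", "src dst dport start duration bytes pkts")

# Constructed sample flows (not captured from the page's tools): ordinary HTTPS
# browsing plus repeated reconnects to a listener on a high port, the shape a
# reverse-TCP implant produces each time its session is re-established.
FLOWS = [
    Flow("10.0.2.15", "203.0.113.10", 443, 0.0, 12.0, 95800, 140),
    Flow("10.0.2.15", "203.0.113.10", 443, 40.0, 3.0, 22900, 35),
    Flow("10.0.2.15", "198.51.100.7", 4444, 5.0, 600.0, 50200, 900),
    Flow("10.0.2.15", "198.51.100.7", 4444, 635.0, 590.0, 42900, 850),
    Flow("10.0.2.15", "198.51.100.7", 4444, 1255.0, 610.0, 54300, 910),
]
COMMON_PORTS = {53, 80, 123, 443, 993, 995, 5228}  # 5228: Google push service

def features(flows):
    """Payload-independent features for one (src, dst, dport) group."""
    starts = sorted(f.start for f in flows)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    # Coefficient of variation of reconnect gaps: near 0 means machine-like timing.
    gap_cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
    return {
        "mean_duration": mean(f.duration for f in flows),
        "bytes_per_pkt": sum(f.bytes for f in flows) / sum(f.pkts for f in flows),
        "gap_cv": gap_cv,
        "uncommon_port": flows[0].dport not in COMMON_PORTS,
    }

def score(feat):
    """Additive heuristic score; the author's trained model would replace this."""
    s = int(feat["uncommon_port"])
    s += feat["mean_duration"] > 300   # long-lived interactive session
    s += feat["bytes_per_pkt"] < 100   # many small command/response packets
    s += feat["gap_cv"] is not None and feat["gap_cv"] < 0.1  # regular reconnects
    return s

def score_groups(flows):
    """Score every (src, dst, dport) group seen in the flow list."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f)
    return {key: score(features(group)) for key, group in groups.items()}

def flagged(flows, threshold=3):
    """Groups whose score reaches the threshold, i.e. candidate C2 channels."""
    return [key for key, s in score_groups(flows).items() if s >= threshold]
```

On the constructed data the HTTPS channel scores 0 and the high-port channel scores 4, so only the latter is flagged; none of the features read the encrypted payload.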