Android is commonly called a breeding ground for malware. Every day more than 8 thousand new virus samples are detected here. And these numbers are constantly growing.
But have you ever wondered how these malware work? Today we'll get to the bottom of this by exploring an Android app that can collect information about your device, its location, take photos, and record audio. And all this with remote control.
More on the topic: How viruses get into Google Play Market
Installing AhMyth RAT
The server part is very easy to install, especially since the author has made the program binaries freely available. But if you wish, you can compile it from source. Personally, I ran my tests on a machine running Windows 10.
For the utility to work, we need a Java virtual machine. We install it from the official Java website. Then you need to download the binaries of AhMyth itself. You can find them in the official project repository on GitHub, Assets tab. When downloading, it is better to disable the antivirus so that it does not suffer from the shock of what is happening.
conclusions
Android is a very friendly OS for third-party application developers. Therefore, you can create a Trojan here using the standard API. Moreover, using the same API, its icon can be hidden from the list of applications and made to work in the background, unnoticed by the user.
Keep in mind! Android 8, although it allows applications compiled for earlier versions of Android to run in the background, but displays a notification about this. On the other hand, how many smartphones have you seen running Android 8 in the wild?
That's all. Now you know how hackers create Trojans for Android, and we have already written more than once about how to protect yourself from them (use the site search).
More on the topic:
Creating an infected APK
To create an Android APK file, open the APK Builder tab. The appearance of the malicious mobile application designer is shown in the following illustration.
APK Builder Tab
This tool is very easy to use. In the Source IP window, we enter the IP address of the attacking machine (this address can then be easily calculated when examining the malware). In the Source Port field you can specify the port that will be reserved by the machine for listening for connections. The default port is 42474.
Methods of malware influence
Computer viruses include many malicious programs, but not all of them are capable of “reproduction”:
- Worms. They infect files on the computer; these can be any files, from .exe to boot sectors. Transmitted through chats, communication programs such as Skype, icq, and email.
- Trojan horses, or Trojans. They are deprived of the independent ability to spread: they end up on the victim’s computer thanks to their authors and third parties.
- Rootkit. An assembly of various software utilities, when penetrating a victim’s computer, gains superuser rights, we are talking about UNIX systems. It is a multifunctional tool for “covering tracks” in case of intrusion into a system using sniffers, scanners, keyloggers, and Trojan applications. Capable of infecting a device running the Microsoft Windows operating system. They capture tables of calls and their functions, methods of using drivers.
- Extortionists. Such malware prevents the user from logging into the device by forcing them to pay a ransom. Recent major ransomware events include WannaCry, Petya, Cerber, Cryptoblocker, and Locky. All of them demanded Bitcoin cryptocurrency for the return of access to the system.
- Keylogger. Monitors the entry of logins and passwords on the keyboard. It records all clicks and then sends a log of actions to a remote server, after which the attacker uses this data at his own discretion.
- Sniffers. Analyzes data from a network card, records logs by listening, connecting a sniffer when the channel is broken, branching a copy of traffic with a sniffer, as well as through the analysis of side electromagnetic radiation, attacks at the link or network level.
- Botnet or zombie network. Such a network consists of many computers forming one network and infected with malware to gain access to a hacker or other attacker.
- Exploits. This type of malware can be useful to pirates because exploits are caused by errors in the software development process. This is how the attacker gains access to the program, and then to the user’s system, if that’s what the hacker intended. They have a separate classification based on vulnerabilities: zero-day, DoS, spoofing or XXS.
WARNING
Remember that distributing viruses and malware is illegal and entails criminal liability.
All information is provided for informational purposes only. Neither the editors nor the author encourage the use of the acquired knowledge for practical purposes and are not responsible for any possible harm caused by the material. Without using the additional option Bind With Another Apk, you will generate a mobile application only with malicious code. And this is practically useless, since the only way to force a user to install such a program is through torture.
But there is a proven way to create malware, which is used by all advanced virus makers: find some APK on the Internet and glue it with malware. To do this, check the Bind With Another Apk checkbox, select the desired APK and specify the method for integrating the malware into your phone. There are two methods: when running an infected APK or when rebooting the phone after installing the RAT. The authors of the program recommend the second option.
All that remains is to click the Build button - by default, the infected file is saved to the C:\Users\\AhMyth\Output folder.
Continuation is available only to members
Option 1. Join the “Xakep.ru” community to read all materials on the site
Membership in the community during the specified period will give you access to ALL Hacker materials, allow you to download issues in PDF, disable advertising on the site and increase your personal cumulative discount! More details
Creation of a virus
To get a virus to study, you do not have to download it. A few seconds - and you may have a harmless virus for testing. Eicar antivirus test is a piece of text that any antivirus recognizes as a virus. It is used for testing security systems.
Copy this code - X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* and paste it into a text document. Then you need to save it to any executable file. However, almost any antivirus will see a virus even in a text document when you save it. You can check it on any computer and smartphone, and at the same time you will learn how the built-in protection of the operating system or your antivirus works.
The most suitable antivirus systems for Android
Why is it important to delete data from an Android smartphone if it is stolen?
To date, more than a hundred studies have been conducted that have attempted to identify antivirus programs that are not only effective, but also easy to use.
The most effective antiviruses for Android
Bitdefender Antivirus Free
The free service is a fairly accurate data verification system. To scan, simply download the application, go into it and press the “Scan” button. The program has a pleasant and accessible user interface, and if a virus is detected, the service will offer to remove it from the mobile device, after which it will be scanned again.
Avira is a nice data protection app
Avira is a program largely aimed at protecting personal data such as contacts, messages, passwords, etc.
Godless
The Godless Trojan is impressive not even for its, so to speak, functionality, but for its camouflage - for a long time its presence in applications was not recognized even by the vaunted anti-virus scanning system on Google Play. The result is a little predictable - the malware infected over 850 thousand smartphones around the world, and almost half of them belong to residents of India, which seems to hint at the origin of the Trojan.
If you download a flashlight from Google Play, you get an uninstallable virus with encryption and root rights
The functionality of the Trojan is slightly different from its many colleagues in 2016; only the “beginning” is new:
- A smartphone user downloads an application from Google Play , turns it on, and as a result, a Trojan is launched along with the application. Just don’t think anything bad about checking Google, because there is no malicious code in this “kit” - the malicious code is downloaded by the Trojan when it is first launched.
- To begin with, Godless obtains root rights on your smartphone , free of charge without SMS. Using approximately the same set of tools as in your Towelroot, for example. The Trojan carries out such operations when the screen is turned off.
- After this, the arrogant Trojan sends itself to the /system folder (from where it cannot be removed without flashing ) and encrypts itself using an AES key.
- With a full set of access rights, Godless begins to gradually steal users’ personal data from their smartphone and install third-party applications. In its initial versions, the Trojan, by the way, hid the standard Google Play from the user’s eyes and replaced it with a “parody” through which it stole the name and password from the account.
Among the applications that Godless was most often “attached” to were numerous “flashlights” and clones of famous Android games.
How to become an Android “hacker”?
Yes, there’s no need to be too clever here. We're just going step by step. 1. Install java for developers from the off-site. (download) 2. Download android studio (download) Download the full recommended one. Now we will not go into all these details. Do we need it? 3. We stock up on bagels and beer. After all, now you have to install and configure all this. 4. We mostly poke further, without thinking about what is written there. There's no need to worry about it
