Execution, Analysis and Detection of Android RATs Traffic

by Kamila Babayeva

This research is currently in progress.

Screen+Shot+2021-03-30+at+15.59.09.jpg

Mobile devices are at risk of cyber attacks, and the most dangerous attacks on mobile phones are Remote Access Trojans (RAT). A RAT is a type of malware that allows the attacker (client) to gain control of the target’s device (server) to remotely control it. RATs are one of the most important threats nowadays since they are used as part of most attacks, from APTs to Ransomware. It is not an easy task to detect RATs in the network traffic, especially when it comes to Android RATs in phones. Why? The main problem is that there are no easy ways to look at the network traffic on our mobile devices. Our phones are much harder to protect than our computers. More importantly, it's very hard or even impossible to have applications in the phones that can protect it from these attacks, leaving the detection in the network as the only option. Even in cases where there are external network traffic analyzers, there are no good RAT detectors.

In this research we dive into this problem of detecting RATs in phones by:

  1. Creating an Android RATs’ dataset of real infected phones.

  2. Analyzing RATs' network traffic behaviors.

  3. Proposing new detections model.

  4. Implementing this detection module for RATs in a open-source Python-based intrusion detection system called Slips.

1. Android Mischief Dataset

The Android Mischief Dataset is a dataset of network traffic from mobile phones infected with Android RATs. Its goal is to offer the community a dataset to learn and analyze the network behavior of RATs, in order to propose new detections to protect our devices. The Android Mischief Dataset was done in the Civilsphere Project at the Stratosphere Laboratory, Czech Technical University in Prague.

Execution Methodology

To create this dataset, we followed a methodology for each of the RATs:

  1. Installation
    This step consists of searching for the code of the RAT on the Internet, downloading it, installing an appropriate virtual machine for execution of the RAT’s controller, including all the library requirements on the virtual machine (e.g .NET Framework, JRE), and finally preparing the physical phone or phone virtual emulator as a victim to infect.

  2. Execution
    In this step we execute the downloaded RAT in these steps. First, use the Builder app in the Windows VM to create and build a new APK file. Second, start the RAT Controller in the Windows VM so it is ready to receive victims. Third, send the APK to the phone

  3. Traffic Capture
    When performing actions in the controller and the server, we capture the network traffic using our own VPN server, or in case of Android virtual emulator, we can use the computer network interface.

  4. Dataset Logging
    When performing actions in the client and the server, we also write a log file of the performed actions and take screenshots for each action in the Controller and the phone. As a result, each RAT in the dataset includes an APK file, a log file, screenshots files, a pcap file and a README.md.

If you are using this dataset for your research, please reference it as “Stratosphere Laboratory. Android Mischief Dataset v1. November 18th. Kamila Babayeva. https://www.stratosphereips.org/android-mischief-dataset”

SELECTED RATS

The dataset currently includes the following RATs:

  • RAT01 - AndroidTester v.6.4.6

  • RAT02 - DroidJack v4.4

  • RAT03 - HawkShaw

  • RAT04 - SpyMax v2.0

  • RAT05 - AndroRat

  • RAT07 - AhMyth

2. Analysis of RATs' network traffic behaviors

A technical deep dive into each RAT of the above mentioned dataset was performed to understand the behavior of the malicious software in order to identify and develop possible ways to detect them.

Rendered background image sent from the phone to the controller.

Traffic Analysis Deep Dive of RAT01: AndroidTester v.6.4.6

In this blog we analyze the network traffic from a phone infected with the Android Tester v.6.4.6 RAT. We executed the RAT in our own environment and we executed several actions. We were able to understand and decode its communication to extract files transferred from the RAT. It was also clear that the RAT has some distinctive features such as long duration of connection, heartbeat or uncommon ports. To summarize:

  • The phone connects directly to the IP address and port specified in APK.

  • The connection between the phone and the controller is long, i.e. more than 30 minutes.

  • Packets sent from the phone have the format {data length}{delimiter}{gzip compressed data}.

  • Packets sent from the controller have a format {data length}{delimiter}{data in plain text}.

  • There is a heartbeat between the controller and the phone.

Network periodicity observed in the network traffic

Traffic Analysis Deep Dive of RAT02: DroidJack v4.4

In this blog we analyze the network traffic from a phone infected with DroidJack v4.4 RAT. We were able to decode its connection and found the distinctive features as long duration or heartbeat. The DroidJack v4.4 RAT does not seem to be complex in its communication protocol and it is not sophisticated in its work. To summarize:

  • The phone connects directly to the IP address and ports specified in APK (default port and custom port).

  • Some connections over port 1337/TCP between the phone and the controller are long, i.e. more than 30 minutes.

  • There is a heartbeat between the controller and the phone over 1337/TCP.

  • Packets sent from the phone and the C&C over port 1337/TCP have a form of {00 00 00}{data length}{delimiter}{data in plain text}.

  • A new connection over 1334/TCP is established when a new command is received from the C&C.

  • The phone sends UDP packets to the C&C every 20 seconds.

  • Packets sent from the phone to the C&C over 1334/TCP and 1337/UDP are in plain text.

The interface of the HawkShaw C&C software.

Traffic Analysis Deep Dive of RAT03: HawkShaw

In this blog we have analyzed the network traffic from a phone infected with the HawkShaw RAT that uses Firebase platform to operate and control devices. All the retrieved data from the devices is stored in the Firebase database to which the creator of the HawkShaw RAT probably has access. We were not able to decode its connection due to Firebase secure connection. The HawkShaw RAT seems to be complex in its communication protocol, and it is sophisticated in its work. To summarize:

  • The RAT is hosted on the cloud with the use of Firebase platform.

  • Firebase provides an encrypted connection between the HawkShaw online service and the victim.

  • The targeted device connects to api.ipify.org and api6.ipify.org to retrieve and send its IPv4 and IPv6 addresses.

  • There is no heartbeat in the communication between the C&C and the phone.

  • There are no simultaneous connections established to the C&C.

  • There are a lot of connections to the Firebase platform, but of a very small size.

The command ‘File Voyager’ in DroidJack v4.4 C&C software.

Traffic Analysis Deep Dive of RAT04: SpyMax v2.0

In this blog we analyze the network traffic from a phone infected with SpyMAX RAT. We were able to decode its connection and found the distinctive features. SpyMAX RAT has a complex structure compared to other RATs. To summarize:

  • The phone connects directly to the IP address and ports specified in APK (default port and custom port).

  • The main APK is a dropper that installs small APKs that aim to control the phone’s applications, file system, microphone, terminal, calls, sms, contacts and information.

  • Some connections over port 8000/TCP between the phone and the controller are long, i.e. more than 90 minutes.

  • There is a heartbeat between the controller and the phone over 8000/TCP.

  • Packets sent from the phone and the C&C over port 8000/TCP have a form of {data length}{gzip magic number}{compressed data}.

  • A new connection over 8000/TCP but with a different phone source port is established when a new command from C&C that requires an exchange large amount of data is received.

  • The phone sends ICMP messages to the C&C every 45 seconds.

Packet sent from the phone as an answer to the C&C command ‘get Preferences’. The packet data and its structure is shown.

Traffic Analysis Deep Dive of RAT05: AndroRAT

In this blog we analyze the network traffic from a phone infected with AndroRAT. We were able to decode its connection. The AndroRAT does not seem to be complex in its communication protocol and it is not sophisticated in its work. To summarize:

  • The phone connects directly to the IP address and ports specified in APK (default port and custom port).

  • There is only one long connection, i.e. more than 40 minutes, between the phone and the controller over the port 1337/TCP.

  • There is no heartbeat between the controller and the phone.

  • The data is sent in the plain text.

  • The C&C uses mapping to present the C&C command as a single character.

  • Packets sent from the phone have a structure of {byteTotalLength}{byteLocalLength}{byteMoreF}{bytePointeurData}{byteChannel}{data}

  • Packets sent from the C&C have a structure of {byteTotalLength}{byteLocalLength}{byteMoreF}{bytePointeurData}{byteChannel}{C&C command}{targetChannel}{arguments}.

The interface of the Saefko C&C software.

Traffic Analysis Deep Dive of RAT06: Saefko

In this blog post we have analyzed the network traffic from a phone infected with the Saefko Attack Systems RAT that uses 3 different methods to operate and control devices. All the retrieved data from the devices was stored in a database stored in the 000webhost.com hosting provider. We were not able to decode the secure connection to the database, but we have successfully decoded the connection to the IRC servers, HTTP and TCP connections. The Saefko RAT seems to be complex in its communication protocol, but it is still not sophisticated in its work. To summarize:

  • The RAT is capable of controlling the targeted phone over IRC servers, HTTP request, and TCP connection.

  • The RAT’s database is hosted on the 000webhost.com web hosting service. And is up to the user to install it.

  • The connection from the infected device to the database in the 000webhost.com hosting is encrypted.

  • The packets sent from the controller and the phone over IRC servers follow the structure: ‘SASENCODE’+base64_encode(data + ‘T_T’+timestamp)

  • The packets sent from the controller and the phone over TCP follow the structure: base64_encode(data in JSON format)

  • The phone connects to the website ipinfo.io to retrieve and send its location to the C&C.

  • There is no heartbeat in the TCP communication between the C&C and the phone.

  • There is a heartbeat between the IRC server and the victim, but it is a normal behaviour for this protocol.

  • The connections with the C&C over TCP were closed with RSTR and S1 states.

  • There are 34 connections established to different IRC servers.

  • There are 21 connections established to the database in the 000webhost.com hosting with the server_name ‘experimentsas.000webhostapp.com’.

The interface of the AhMyth C&C software.

Traffic Analysis Deep Dive of RAT07: AhMyth

In this blog we have analyzed the network traffic from a phone infected with AhMyth RAT. We were able to decode its connection and found the distinctive features of WebSocket protocol and a  heartbeat. The AhMyth RAT seems to be complex in its communication protocol but it doesn’t seem to be sophisticated in its work. To summarize:

  • The phone connects directly to the IP address and ports specified in APK (default port and custom port).

  • The protocol used for the connection is switched from the HTTP to WebSocket.

  • There are several simultaneous connections established between the phone and the C&C over port 8000/TCP.

  • There is a heartbeat between the controller and the phone over port 8000/TCP. ‘Ping’ and ‘pong’ packets are sent every 25 seconds, according to the parameters setup in the beginning of the connection.

  • Packets sent from the C&C are in the plain text and JSON-encoded. 

  • Packets sent from the phone are in the plain text, JSON-encoded but masked by the WebSocket protocol. This effectively hides their content from human eyes unless decoded. 

  • The duration of the connection between the phone and the C&C is supposed to be long, but due to the RAT code being unstable, the connection breaks often, generating multiple short connections.

The interface of the Command-line C&C software.

The interface of the Command-line C&C software.

Traffic Analysis Deep Dive of RAT08: command-line androrat

In this blog we have analyzed the network traffic from a phone infected with a unique command line AndroRAT. Due to the RAT simple communication protocol, we were able to decode its connection. The command line androRAT does not seem to be complex in its communication, however, it is quite sophisticated in its work. It is not interrupting throughout the whole communication compared to other RATs in the dataset. To summarize:

  • The C&C sends the packets in plaintext without any structure.

  • The infected phone sends the packets in plaintext without any structure.

  • The communication between the C&C and the phone is done in one flow of long duration (approximately 16 minutes).

  • Even though the connection between the controller and the phone was closed, the phone tries to reconnect every 3 seconds.

  • There is no heartbeat in the traffic between the phone and the controller.