
Threat Group Cards: A Threat Actor Encyclopedia

Tool: SandroRAT

Names: SandroRAT
Category: Malware
Type: Backdoor, Info stealer, Exfiltration
Description: (McAfee) Just as any other Android RAT (such as AndroRAT), the malware can remotely execute several commands to perform any of the following actions:

• Steal sensitive personal information such as contact list, SMS messages (inbox, outbox, and sent), call logs (incoming, outgoing, and missed calls), browser history (title, link, date), bookmarks and GPS location (latitude and longitude).
• Intercept incoming calls and record those in a WAV file on the SD card to later leak the file.
• Update itself (or install additional malware) by downloading and prompting the user to install the file update.apk.
• Intercept, block, and steal incoming SMS messages.
• Send MMS messages with parameters (phone number and text) provided by the control server.
• Insert and delete SMS messages and contacts.
• Record surrounding sound and store it in an adaptive multi-rate file on the SD card to later send to a remote server.
• Open the dialer with a number provided by the attacker or execute USSD codes.
• Display Toast (pop-up) messages on the infected device.

A novel functionality of this threat is its ability to access the encrypted WhatsApp chats (available in the path /WhatsApp/Databases/msgstore.db.crypt5 on the SD card) and obtain the unique encryption key using the Google email account of the device to get the chats in plain text and store them in the file waddb.sr.

Information: <https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sandrorat-android-rat-targeting-polish-banking-users-via-e-mail-phishing/>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:SandroRAT>

Last change to this tool card: 19 April 2020


All groups using tool SandroRAT

Changed | Name | Country | Observed

APT groups

 | Syrian Electronic Army (SEA), Deadeye Jackal | Syria | 2011-May 2018 | X

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
