top of page
Search
Writer's pictureotw

Android Hacking, Part 4: A Compendium of Android Remote Administration Trojans (RATS)

Updated: Dec 28, 2022

Welcome back, my aspiring cyberwarriors!


In light of the recent revelations regarding Israel's NSO group and their cellphone malware known as Pegasus, I thought it would be good time to catalog some of the better-known Remote Access Trojans (RATs) available for the Android OS. This is not meant as an exhaustive list, but simply a list of some of the better known RATS. If you know of others not on this list, please email me at occupytheweb@protonmail.com.





I have tried to compile a list with each RATS name, source-code location (if open source) and key features.


Cerberus Banking



Cerberus is a banking RAT targeting the Android OS. First spotted in June 2019. It was embedded in Google Play apps. Developers tried to auction source code for $100,000 but when that failed, they released it for free to public. Developers claim that it uses no code from previous RATS making it harder to detect with AV.


  • Bots

  • Bank and CC Logs information

  • Mail logs

  • SMS, Call (+Forward), Contact, GPS, Audio

  • Monitoring all activity / logs

  • Push to turnoff Play Protected (Disable)

  • Download, Install, Remove Apps

  • Lock device

Pegasus


Developed by the Israeli cyberarms company, NSO group, and sold to government's around the world, Pegasus is among the most expensive and effective mobile spyware. Available for both the IPhone and Android, Pegasus enables a jailbreak on the device. It has been effectively used by the UAE to spy on Ahmed Mansoor in 2016, the Mexican drug cartels to spy on Mexican journalists, and Saudi Arabia to spy on Jamal Khashoggi, the Washington Post journalist, before killing and dismembering him in the Saudi embassy in Turkey.

  • Storage, Microphone, Location

  • Screenshot

  • Calendar

  • Instant Messaging

  • Contact & Call & SMS & Mail

  • Browser History

  • Device Setting

  • Skype

  • Telegram

  • Whatsapp


DroidJack


Available at https://droidjack.net/



  • Camera, Microphone, Location

  • Storage

  • SMS, CALL, Contact

  • Whatsapp Reader

  • Browser History

  • App Manager


AndroRAT



SpyNote



  • Bind app, Storage, Location

  • SMS, Call, Call logs, Contact, Camera

  • Listen live conversation through mic, record mic sound live.

  • Check browser history.

  • Check installed apps.

  • Get phone’s information (IMEI, WIFI MAC, PHONE CARRIER).

  • Fun Panel (Show messages, shake the phone etc)


  • Camera, Mircophone,

  • Storage, Location

  • Message, Call, Call logs, Contact


  • execute command

  • process lost

  • camera snap, stream, list, microphone

  • Add and remove app

  • Camera, Microphone, Storage

  • Call & SMS

  • Remote Device Controller


UnknownRAT



  • Storage access

  • Android Tools such, take photo, screenshot etc

  • Record audio


android_trojan / Android Trojan https://github.com/androidtrojan1/android_trojan

  • shell command, browser history, microphone, location, storage

  • add and remove app

  • call log, contact,sms dump,


OmniRAT

  • Fully Remote Access

  • File Manager, add and remove apps

  • App Widgets

  • Full System Information

  • Call & SMS


Android Voyage

  • Remote Android Screen

  • Screenshot, keylog, traffic monitor

  • Make as system application

  • Lock unlock, hide unhide app

  • Remove android password

  • Message Access

  • Bricks the device, Anti Antivirus

  • Self Destructive Mode

  • Password Grabbers

NetWire

  • camera

  • audio

  • keylogger

  • storage

  • download upload

  • location

  • etc

  • Contact

  • System

  • App

  • Storage

  • Call

  • Message

  • Shell

LokiDroid

  • SMS, Call, Call logs, Contact, Toast, Browser

  • Storage, Location, Microphone, Camera

  • Phone's Hardware and Software details

  • Sim details

  • Internet details and IP

  • offline commands for bots

  • Multiple commands for multiple bots

  • http RAT ( not required port forwarding)


KevDroid

  • Installed applications

  • Phone number

  • Phone Unique ID

  • Location (the application tries to switch on the GPS, 10s capture location)

  • Contact, SMS, Call logs, Call, Mails

  • Storage, Microphone


columbus-trojan https://github.com/project-columbus/trojan (cute trojan)

  • Image (front-facing camera)

  • 10-second sound clip (microphone)

  • Location (mobile triangulation)


GhostCtrl

  • Admin

  • Voice record

  • Message

  • Location


  • Text to speech for Android to say stuff out loud

  • webcam snapshots (front cam & back cam)

  • GPS tracker !


TeleRAT and IIRAT (Telegram BOT)

  • Clipboard

  • App list

  • SMS, Contact

  • Storage, Microphone, Camera

  • Control Admin Screen, Vibrate


Hidden Cobra

  • Proxy

  • Contact

  • SMS

  • Payload


  • SMS, Call, Call logs,

  • Opening web pages

  • Uploading images and video

  • Opening an application

  • Performing denial-of-service attacks

  • Changing the command and control server


  • Similar with dendroid

  • Actually Botnet by dendroid

  • SMS

  • Camera, Storage, Microphone

  • Browser open page


Joanap

  • Mic

  • botnet

  • steal log


SHConnect

  • Camera

  • Location

  • Storage


HighRise

  • Incoming outgoing SMS


  • Get messages

  • Screenshot Functionality

  • Camera Access

  • Add Google form for passwords


Triout Framework

  • Record phonecall, save it, send it to C&C

  • SMS Logs

  • Call Logs

  • Steal Images or Video, Camera Access

  • Hide


Cerberusapp

  • Storage

  • Location

  • Camera

  • Admin

  • not deletable

  • more


  • Real-time command execution

  • Schedule commands

  • Hidden app icon (stealth mode)

  • SMS, Call, Call logs, Contact

  • etc

  • Contact, Call logs, SMS

  • Logs

  • Location, Storage

  • Etc


  • Notification Listener (Facebook, whatsapp, email, instagram etc)

  • Call Logs

  • Contact

  • SMS

  • Etc

  • Camera

  • Location

  • Storage

  • Etc


FinSpy

  • Storage

  • Phone information

  • Call SMS MMS

  • Contact

  • GPS Location

  • VOIP record such Skype, WeChat, Viber, LINE etc


Monokle

  • GPS location

  • Audio record, call record

  • Screen recording

  • Keylogger and fingerprint-device duplicate

  • History browser and Call log, SMS Email logs, create a Call and SMS

  • Contact and calendar

  • Shell as root (rooted/rootable)


Joker (infect many apps in playstore)

  • SMS CALL CONTACT

  • Storage

  • Manipulating subscription (money)


  • similar "Adroid Spy App"

  • Call, SMS, Contact, Phone Information

  • Camera, Audio, Location, Storage

  • Account Detail

  • Lock, Vibrate, Flash

  • Owner Access (Boot)

  • Inject, Install / Remove Apps

  • Logs and Keylog (messenger, socialmedia)


Strandhogg

  • Hijack Session, apps log

  • Almost all permission


  • Command

  • SMS Contact Call

  • Storage


  • Camera

  • SMS Contact Call

  • Storage

  • Install, Inject


GravityRAT

  • SMS Contact Call

  • Storage

  • exfiltrate


BlueEagle jRAT

  • similar "jRAT"

  • Call, SMS, Contact, Phone Information

  • Camera, Audio, Location, Storage

  • Account Detail

  • Owner Access (Boot)

  • Block google protect


  • SMS CALL CONTACT

  • GPS

  • CAMERA AUDIO


  • sms call

  • storage

  • camera, etc


  • storage, camera

  • audio, etc


Rogue RAT

  • Camera, Audio

  • Storage, GPS

  • Keylog, etc


LodaRAT

  • Camera, Microphone, Phone

  • Storage, GPS

  • Install, Account Credentials, etc


  • GPS, Storage

  • Camera, Audio, Phone


Look for our upcoming Android Hacking training where we will deploy some of these RAT's and develop our own.

Recent Posts

See All

Comments


bottom of page