New Android RAT Dubbed “AndroRAT” Attacks Devices to Steal Patterns, PINs & Passcodes


A newly identified variant of the Android Remote Access Tool (RAT), AndroRAT, has emerged as a critical cybersecurity threat, leveraging sophisticated techniques to steal device unlock patterns, PINs, and passcodes. 

The malware, first documented in 2012 as an open-source university project, has evolved into a weaponized tool capable of bypassing Android security mechanisms up to version 15. 

Cybersecurity analysts have observed its integration with exploit frameworks targeting vulnerabilities like CVE-2015-1805, a Linux kernel flaw patched in 2016 but still present on millions of un-updated devices.

The latest AndroRAT iteration employs a multi-stage infection process beginning with dropper apps distributed through third-party stores and phishing campaigns.

AndroRAT’s New Tactics 

One observed payload masquerades as “TrashCleaner,” a utility app that triggers the installation of a second-stage component disguised as a calculator app. 

Upon execution, the malware abuses system_server permissions to inject exploits into the com.android.settings process, enabling silent privilege escalation.

Key technical components include:

  • Gesture.key Hash Extraction: AndroRAT targets /data/system/gesture.key and locksettings.db3, files storing SHA-1 hashes of unlock patterns. Through adb pull commands executed post-exploitation, the malware extracts these hashes for offline cracking using tools like LockKnife, which employs dictionary attacks via customizable wordlists (rockyou.txt) and brute-force algorithms for 4–8-digit PINs.
  • Screen Interaction Bypass: The RAT utilizes the input tap and input swipe shell commands to simulate user interactions, enabling auto-unlock functionality even on devices with active pattern/PIN authentication.
  • Memory Injection: By exploiting ptrace() vulnerabilities in Android’s Bionic libc, the malware injects payloads into legitimate processes like com.google.android.gms, evading detection by Google Play Protect.

According to a post shared on X, AndroRAT now includes features such as:

  • Keylogger Module: Intercepts getevent streams from /dev/input/event* to capture keystrokes, even on encrypted messaging apps.
  • Hide Notifications & Mute Volume: Uses NotificationListenerService to block security alerts from antivirus apps.
  • Dynamic DNS Fallback: Implements a Domain Generation Algorithm (DGA) using seed values derived from device IMEI to maintain C2 connectivity if primary servers are blocked.

Analysts have documented the malware’s ability to exfiltrate biometric data from devices with fingerprint sensors by intercepting BiometricPrompt API transactions.

Mitigation Strategies 

Enterprises are advised to:

  • Block traffic to IP ranges 185.130.104.[0-255] and 194.87.92.[0-255], associated with AndroRAT’s C2 servers.
  • Deploy SELinux policies enforcing neverallow rules for untrusted app interactions with gesture.key.
  • Monitor for anomalous SQLiteDatabase queries targeting locksettings.db, a signature of credential dumping activity.
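The monitoring advice above, turned into a small detection routine as an added example (not code from the article or from any tool it names): it parses Android SELinux avc records of the kind logcat and dmesg print, assumes that only the system_server domain (home of LockSettingsService) legitimately touches gesture.key and locksettings.db, and flags any other domain reaching for those files. The sample records are constructed, not real telemetry.

```python
import re

# Files the article names as holding lock-credential hashes.
SENSITIVE_LOCK_FILES = {"gesture.key", "locksettings.db", "locksettings.db3"}
# Assumption: LockSettingsService lives inside system_server; any other domain touching these files is suspect.
TRUSTED_DOMAINS = {"system_server"}

# Android SELinux records: "... avc: denied { read open } for pid=.. comm=".." name=".." scontext=u:r:.. ..."
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Split one avc record into its key=value fields; return None for non-avc lines."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line[m.end():])}
    fields["decision"], fields["perms"] = m.group(1), m.group(2).split()
    return fields


def domain_of(scontext):
    """u:r:untrusted_app:s0:c512,c768 -> untrusted_app (the SELinux domain is the third field)."""
    parts = scontext.split(":")
    return parts[2] if len(parts) > 2 else scontext


def scan(log_lines):
    """Flag any access to a lock-credential file from a domain other than system_server."""
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        f = parse_avc(line)
        if f is None:
            continue
        # Records carry either name=<basename> or path=<full path>; normalise both to the basename.
        target = (f.get("name") or f.get("path") or "").rsplit("/", 1)[-1]
        domain = domain_of(f.get("scontext", ""))
        if target in SENSITIVE_LOCK_FILES and domain not in TRUSTED_DOMAINS:
            findings.append({"line": lineno, "domain": domain, "pid": f.get("pid"), "comm": f.get("comm"),
                             "file": target, "perms": f["perms"], "decision": f["decision"]})
    return findings


# Constructed sample records (not real telemetry), in the shape logcat/dmesg prints avc lines.
SAMPLE_LOG = [
    'audit(1735689600.101:77): avc: denied { read open } for pid=4312 comm="app_process64" name="gesture.key" dev="dm-5" ino=2049 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=0',
    'audit(1735689600.102:78): avc: denied { write } for pid=4312 comm="app_process64" name="cache" dev="dm-5" ino=77 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:cache_file:s0 tclass=dir permissive=0',
    'audit(1735689601.500:79): avc: denied { read } for pid=5021 comm="sqlite3" path="/data/system/locksettings.db" dev="dm-5" ino=2051 scontext=u:r:shell:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1',
    'audit(1735689602.000:80): avc: granted { read } for pid=1298 comm="system_server" name="locksettings.db" dev="dm-5" ino=2051 scontext=u:r:system_server:s0 tcontext=u:object_r:system_data_file:s0 tclass=file',
    'LockSettingsService: Verifying credential for user 0',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h['line']}: {h['domain']} pid={h['pid']} ({h['comm']}) {h['decision']} {' '.join(h['perms'])} on {h['file']}")
```

On the sample input only the untrusted_app read of gesture.key and the shell-domain sqlite3 read of locksettings.db are reported; the system_server access and the unrelated cache denial are ignored.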

AndroRAT’s evolution reflects a broader trend of academic tools being weaponized. The original 2012 codebase included innocuous features like GPS tracking but lacked rootkit capabilities. 

The 2025 variant incorporates code fragments from Dendroid and OmniRAT, suggesting collaboration between Eastern European and Southeast Asian threat actors.

As Android 15 introduces hardened Gatekeeper protections, attackers have shifted focus to social engineering, exploiting trusted apps like “TrashCleaner” to bypass technical safeguards. 

With over 12,000 infections logged since January 2025, this campaign underscores the critical need for firmware-level security updates across all Android OEMs.

Cybersecurity professionals are urged to analyze memory dumps using Volatility plugins targeting com.android.server.locksettings and to scrutinize APKs requesting REQUEST_COMPANION_START_FOREGROUND_SERVICES_FROM_BACKGROUND permissions—an obvious sign of AndroRAT infection.
