Dec 09, 2021 | Updated: 07:19 PM EDT

FireEye’s Security Concerns: WinSpy Android Tool

Apr 09, 2014 10:44 AM EDT

Last month, FireEye reported a targeted attack on a US-based financial institution that points to a new direction for black-market tooling: optimizing for Android. The tool involved is called WinSpy, and it shows that RATs (Remote Administration Tools) built for Windows systems are beginning to gain Android components as cyber criminals shift their focus towards mobile malware.

According to FireEye, WinSpy lets an operator surveil infected devices and retrieve screenshots from them, further evidence that digital surveillance and intellectual property theft are now routine. The company observed a targeted attack on a U.S.-based financial institution that began with a spear-phishing email. The payload delivered in this campaign was WinSpy, which its author sells as a spying and monitoring tool; its feature set resembles that of many other off-the-shelf RATs available today.

The company also observed a second campaign by a different attacker, in which the WinSpy payload was embedded in macro-enabled documents and sent to various other targets in what appears to be a spam campaign. FireEye’s blog post states that the command-and-control (CnC) infrastructure used in the attack against the financial institution is owned and controlled by the author of WinSpy, which means the tool’s seller, not only the attacker, was positioned to receive data stolen from the victim.

While analyzing the Windows payloads for WinSpy, the company also discovered that the tool has Android spying components, which FireEye dubbed GimmeRAT. The Android tool has multiple components that allow a victim’s device to be controlled remotely from another mobile device over SMS messages, or alternatively through a Windows-based controller.

FireEye describes the Windows-based controller as simplistic; it requires physical access to the device. The recent surge in Android-based RATs such as Dendroid and AndroRAT shows a spike in malicious actors’ interest in controlling mobile devices, and GimmeRAT is another startling example of them venturing into the Android ecosystem.
