Android App SandroRAT Targets Polish Banking Users via Phishing Email

Europe is currently under attack by spammers trying to get control of Android devices. In Germany the distribution method is via SMS (text) messages, as you can read in this recent McAfee Labs post, while in Poland there is an ongoing email spam campaign distributing a new variant of an Android remote access tool (RAT).

Recently McAfee Labs received a new mobile malware sample from a customer in Poland with the name Kaspersky_Mobile_Security.apk. It arrives as an attachment with the following phishing message:


Source: Zaufana Trzecia Strona

The email tries to scare a user with the following subject:

“Uwaga! Wykryto szkodliwe oprogramowanie w Twoim telefonie!”
(“Caution! Detected malware on your phone!”)

The body of the message states that the bank is providing the attached free mobile security application to detect malware that steals SMS codes (mTANs) for authorizing electronic transactions. However, the attached application is in fact a version of the Android RAT SandroRat, which was announced at the end of the last year in the Hacking Community HackForums. The RAT and its source code are for sale, making it accessible to everyone to create a custom version of this threat.

Just as any other Android RAT (such as AndroRAT), the malware can remotely execute several commands to perform any of the following actions:

  • Steal sensitive personal information such as contact list, SMS messages (inbox, outbox, and sent), call logs (incoming, outgoing, and missed calls), browser history (title, link, date), bookmarks and GPS location (latitude and longitude).
  • Intercept incoming calls and record those in a WAV file on the SD card to later leak the file.
  • Update itself (or install additional malware) by downloading and prompting the user to install the file update.apk.
  • Intercept, block, and steal incoming SMS messages.
  • Send MMS messages with parameters (phone number and text) provided by the control server.
  • Insert and delete SMS messages and contacts.
  • Record surrounding sound and store it in an adaptive multi-rate file on the SD card to later send to a remote server.
  • Open the dialer with a number provided by the attacker or execute USSD codes.
  • Display Toast (pop-up) messages on the infected device.

A novel functionality of this threat is its ability to access the encrypted Whatsapp chats (available in the path /WhatsApp/Databases/msgstore.db.crypt5 on the SD card) and obtain the unique encryption key using the Google email account of the device to get the chats in plain text and store them in the file


This decryption routine will not work with Whatsapp chats encrypted by the latest version of the application because the encryption scheme (crypt7) has been updated to make it stronger (using a unique server salt). Whatsapp users should update the app to the latest version.

Spam campaigns (via SMS or email) are becoming a very popular way to distribute Android malware, which can steal personal information or even obtain complete control of a device with a tools like SandroRAT. This attack gains credence with the appearance of a bank offering security solutions against banking malware, a typical behavior of legitimate banks.

McAfee Mobile Security detects this Android threat and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from McAfee Labs

Back to top