DogeRAT: the new open source danger for Android

Warning to users: sophisticated malware sneaks through supposedly safe applications, with India as the main target

In a sophisticated malware campaign, DogeRAT, a new open source Remote Access Trojan (RAT), is primarily targeting Android users in India. This malware is distributed through social media and messenger platforms, masquerading as legitimate applications such as Opera Mini, OpenAI ChatGPT and premium versions of YouTube, Netflix and Instagram.

Harmful Functions of DogeRAT

Once installed on the victim's device, the malware gains unauthorized access to sensitive data, such as contacts, messages, and banking credentials, as reported by cybersecurity firm CloudSEK. Not only that, DogeRAT can also take control of the infected device, allowing malicious actions such as sending spam messages, making unauthorized payments, modifying files and even remotely taking photos via the device's cameras. This malware, similar to many other malware-as-a-service (MaaS) offerings, is promoted by its India-based developer through a Telegram channel that has reached more than 2,100 subscribers since its launch on June 9, 2022.

Accessibility of DogeRAT and Responsibility of Users

In addition, DogeRAT includes a premium subscription sold at a very low price ($30) with additional capabilities such as screenshot capture, image theft, clipboard content capture, and keystroke logging. In an effort to make it even more accessible to other criminal actors, the free version of DogeRAT has been made available on GitHub, complemented by screenshots and video tutorials explaining its functions. However, the developer points out in the README.md file of the repository: "We do not endorse any illegal or unethical use of this tool. You bear all responsibility for the use of this software."

Other Emerging Threats in the Android World

Upon installation, this Java-based malware requests intrusive permissions to gather data, which it then exfiltrates to a Telegram bot. At the same time, other threats are emerging in the Android world. Google-owned Mandiant has detailed a new backdoor called LEMONJUICE that is designed to enable remote control of and access to a compromised device. Additionally, Doctor Web discovered over 100 apps containing a spyware component called SpinOk, collectively downloaded more than 421 million times via the Google Play Store. This module, distributed as a marketing software development kit (SDK), is designed to collect sensitive information stored on devices and to copy and replace clipboard content.

05/30/2023 08:23

Marco Verro
