RANA Android Malware Description
The RANA Android Malware is a threatening malware tool that has been observed as part of the toolset of an Advanced Persistent Threat (APT) group of hackers called APT39. Other aliases associated with the same group are Chafer, ITG07 and Remix Kitten. This threat actor is believed to be backed by the Iranian Ministry of Intelligence and Security (MOIS). In September 2020, the US Department of the Treasury imposed sanctions against the group. More specifically, the sanctions targeted an entity named Rana Intelligence Computing Company, which served as a front for the hackers' illicit activities. Around the same time, the FBI issued a public threat analysis report shedding light on the malware tools at APT39's disposal.
The report contained an analysis of eight separate sets of previously undisclosed malware employed by the hacker group in its reconnaissance, data theft and cyber espionage campaigns. The RANA Android Malware is one of the threats uncovered by the report. The capabilities described in the FBI report appear to have been only a portion of the threat's true set of abilities, however. A subsequent deep dive into the underlying code of the RANA Android Malware performed by infosec researchers uncovered additional information-harvesting functionality.
The RANA Android Malware's attack chain begins with the delivery of an 'optimizer.apk' application onto the targeted device. Once fully deployed, the threat starts receiving HTTP GET requests from its Command-and-Control (C2, C&C) infrastructure. According to the commands received, RANA harvests device and system information, compresses it, and encrypts it with the AES cryptographic algorithm before exfiltrating the data through an HTTP POST request.
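A defender-side check for the tasking-then-exfiltration pattern described above, added here as an example and not taken from the FBI report or any RANA sample: a device that receives tasking via GET from a host and shortly afterwards POSTs a large, high-entropy body to the same host, which is what a compressed, AES-encrypted payload looks like in an egress log. The host addresses, thresholds and sample records are constructed.

```python
import hashlib
import math

def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for a compressed, AES-encrypted blob (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 for encrypted/compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def flag_tasking_then_exfil(records, window=300, min_entropy=7.5, min_size=1024):
    """Return (device, host, ts) for each POST that follows a GET from the same
    device to the same host within `window` seconds and carries a body of at
    least `min_size` bytes with entropy of at least `min_entropy` bits/byte."""
    last_get = {}
    hits = []
    for ts, device, method, host, body in sorted(records, key=lambda r: r[0]):
        key = (device, host)
        if method == "GET":
            last_get[key] = ts
        elif method == "POST" and key in last_get and ts - last_get[key] <= window:
            if len(body) >= min_size and shannon_entropy(body) >= min_entropy:
                hits.append((device, host, ts))
    return hits

# Constructed egress-log records: (ts_seconds, device, method, host, body).
# 203.0.113.10 is a documentation address standing in for a C2 host.
SAMPLE = [
    (100, "dev-A", "GET",  "203.0.113.10", b""),
    (160, "dev-A", "POST", "203.0.113.10", pseudo_random_bytes(4096)),
    (200, "dev-B", "GET",  "cdn.example",  b""),
    (230, "dev-B", "POST", "cdn.example",  b"name=alice&lang=en&" * 100),  # plain form data
    (900, "dev-C", "POST", "203.0.113.10", pseudo_random_bytes(4096)),     # no prior GET
]
if __name__ == "__main__":
    for device, host, ts in flag_tasking_then_exfil(SAMPLE):
        print(f"{device}: GET-then-encrypted-POST to {host} at t={ts}")
```

Only dev-A is flagged: dev-B's POST body is low-entropy form data, and dev-C's POST has no preceding GET to that host within the window.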
Among the newly discovered abilities of the malware are threatening functions for recording audio and taking arbitrary screenshots. It could also set up a custom Wi-Fi access point and connect the compromised device to it. This method would allow the threat actor to better conceal the device's unusual network traffic. Infected devices could also be forced to answer incoming calls from specific phone numbers automatically.
The range of threatening operations available to RANA doesn't end there. The latest variants of the threat can abuse accessibility features in order to access the contents of several instant messaging applications. Among the discovered targets are WhatsApp, Telegram, Viber, Instagram, Skype, and Talaeii, an unofficial Telegram client distributed in Iran.
The range of threatening features displayed by the RANA Android Malware shows the scope of the APT39 threat actor's surveillance activities. The hackers attempted to tap into calls, exfiltrate sensitive data, and track the locations of specific government targets through their mobile devices.