8
mins read

DogeRAT: The Android Malware Campaign Targeting Users Across Multiple Industries

CloudSEK’s TRIAD team discovered yet another open-source Android malware called DogeRAT (Remote Access Trojan), targeting a large customer base across multiple industries, especially Banking and Entertainment. Although the majority of this campaign targeted users in India, it is intended to have a global reach.

Anshuman Das
May 29, 2023
Green Alert
Last Update posted on
February 3, 2024
Ensure your mobile applications are safe and sound.

Ensure the safety and integrity of your mobile applications with CloudSEK BeVigil Enterprise Mobile App Scanner module.

Schedule a Demo
Table of Contents
Author(s)
Coauthors image
Hansika Saxena
Coauthors image
CloudSEK TRIAD

Overview of the Campaign

Cybersecurity threats are continually evolving and getting more complicated. Scammers have started utilizing open-source software and technology to support scams, developing and customizing them to target individuals across the nation. These financially motivated con artists focus on increasing their profit margins by not spending any money on launching a fraud campaign. Previously, in a similar campaign, scammers were seen exploiting SMSEye2, an open-source Android application that forwards SMS messages to a Telegram Bot from a particular mobile device. 

During an investigation into an SMS stealer scam campaign, CloudSEK’s TRIAD team discovered yet another open-source Android malware called DogeRAT (Remote Access Trojan), targeting a large customer base across multiple industries, especially Banking and Entertainment. Although the majority of this campaign targeted users in India, it is intended to have a global reach. The malware is disguised as a legitimate app and is being distributed through social media and messaging apps. Once installed, the malware can steal sensitive information from the victim's device, such as contacts, messages, and banking credentials. The malware can also be used to take control of the victim's device and perform malicious actions, such as sending spam messages, making unauthorized payments, modifying files, viewing call records, and even taking photos via both the front and rear cameras of the infected device.

It is essential to exercise vigilance and take preventative measures to safeguard our digital assets. In this blog, we will deep dive into the operation of the DogeRAT malware campaign and provide tips on how to protect yourself from this threat.

Attribution

DogeRAT has been found to be advertised by the malware creator in two Telegram Channels. In the image given below, the author of the RAT has offered a premium version of DogeRAT which has the additional capabilities of taking screenshots, stealing images from the gallery, working as a keylogger, stealing clipboard information, and has a new file manager along with more persistence and smooth bot connections with the infected device.

Screenshot of the Telegram advertisement offering the premium version of DogeRAT

Moreover, the author of DogeRAT has also created a GitHub repository where the RAT is hosted along with a video tutorial and the following list of features/capabilities offered by the RAT.

Capabilities of the DogeRAT


Technical Analysis

Set Up for DogeRAT

This Java-based android RAT uses a very simple server-side code written in NodeJs to interact with Telegram Bot and an infected device through a web socket. In this scenario, the Telegram Bot is working as the Command and Control panel for the threat actor who creates the setup and deploys the DogeRAT.

Code snippet used to interact with the Telegram Bot

The malware author's extensive tutorial on GitHub shows that a Telegram Bot and a free open-source NodeJs application hosting platform are sufficient to launch a scam campaign using DogeRAT.

Screenshot taken from the video tutorial shared by the malware author to set up the RAT

Permissions Required by the Trojan

Upon its initial launch, the Trojan acquires multiple permissions, including and not limited to access to call logs, audio recording, and reading of SMS messages, media, photos, etc.

Screenshots of the permissions requested by the Trojan

Invoking the Web View

The malware consistently displays the URL of the targeted entity in a web view within the application to create the appearance of legitimacy. The URL can be changed based on the target by the threat actor operating the RAT.

Code Snippet Responsible for displaying the target entity's URL in the malware's web view

Communication with the C2 Server 

As previously mentioned the Telegram Bot acts as a C2 panel for the RAT and upon further inspection of the HTTP traffic, we discovered that the malware is engaging in communication with server code that is manipulable via a Telegram Bot.

Screenshots of the HTTP traffic depicting the malware’s engagement with the C2 server

Uncovering the Campaign

During the routine triaging, CloudSEK researchers stumbled upon a malicious package ID "willi.fiend". Further investigation led to the discovery of over thousand counterfeit applications designed to target Android apps in multiple sectors, including banking, gaming, and entertainment. This discovery led to the identification of the DogeRAT malware campaign. 

Impersonated Apps

SHA1 Hash

Opera Mini - fast web browser

d93eb09c7ff82b863cf46220c7e85d30d152d705

Android VulnScan

eb88cac2fce77d85b287f702b26dc8e4db53ee57

YOUTUBE PREMIUM

cee05d1c702a7fd8616341a44b555ea677e08438

Netflix Premium

0b5581de43ee6bc51c8bec1ec97265ccd8109658

ChatGPT

05fcd1837791c60e8bdeaf36294d32ea88e196c9

Lite 1 [facebook]

c8bfcd665d689ed94fa7ca0740ab5f13b9a624fb

Instagram Pro

5f99a6beeb5b5eaa2739b52206e9f67f9bd7d125

Conclusion

This campaign serves as a stark reminder of the financial motivation driving scammers to continually evolve their tactics. They are not just limited to creating phishing websites, but also distributing modified RATs or repurposed malicious apps to execute scam campaigns that are low-cost and easy to set up, yet yield high returns. Hence, it is important to be aware of the latest threats and to take steps to protect yourself. Here are a few tips:

  • Be careful about what links you click on and what attachments you open - If you receive a link or attachment from someone you don't know, don't click on it or open it.
  • Keep your software up to date - Software updates often include security patches that can help protect your device from malware.
  • Use a security solution - A good security solution can help protect your device from malware and other threats.
  • Be aware of the signs of a scam - Scammers often use techniques such as urgency, fear, and greed to trick victims. If you are ever unsure about a message or offer, it is best to err on the side of caution and not click on any links or open any attachments.
  • Educate yourself about malware - The more you know about malware, the better equipped you will be to spot it and protect yourself from it. There are many resources available online that can help you learn more about malware.

Indicators of Compromise (IoCs)

App Name

Hash

YOUTUBE PREMIUM

cee05d1c702a7fd8616341a44b555ea677e08438

YOUTUBE PREMIUM

7caa0b2489ecd7758911e1899fdfee114a29e905

YOUTUBE PREMIUM

c6d9b3bb2420c69f5bc4aee673753dae6e1e693e

VIDEO PLAYER

51161c9f4a3ae9746550854f9467997dae6485e4

VIDEO PLAYER

b017c9b82a9ba30c0e3c5dff1e5eb5fd1ed5d3b4

YOUTUBE PREMIUM

a1691ae35fed37dbde16b478e5b28b408a848640

VIDEO PLAYER

4af13c30115c5b68427f7cb334e6bd73138abe3e

VIDEO PLAYER

b865436af198fc8480d85264a105152b2b6e3b02

YOUTUBE PREMIUM

3421057008a57cdcdde4769a5629570184ce0f40

YOUTUBE PREMIUM

514cc20a65419f0ae1adbfcb97e579c9405ecf36

YOUTUBE PREMIUM

b225975439ef0ef0dfc15f6d49f5d9e0c5da3bd7

YOUTUBE PREMIUM

deacaf38d16691ec6f27810ce6a89ab072cd55d3

YOUTUBE PREMIUM

233bc1a0975472cc79080bf0536e711cc9cbaeb2

chat arab prvate

7a85de6eacf06945a11b4e4cc44374d313a149ec

YOUTUBE PREMIUM

89cfdb2fb46203d2d8566c6fac3fb062553f2d48

YOUTUBE PREMIUM

faba0e797884b1b8e65e3a2336dec3d27d8e5f80

YOUTUBE PREMIUM

716f4b35cd43cfc69dee46d6c9d62579a62161f1

YOUTUBE PREMIUM

16b48e5d8e721eb36038670ad133962d21bb1c0c

YOUTUBE PREMIUM

8d091646dffce1fa20ace3abc4a64e0058109593

ZETFLIX

bb47baf96eddc4cb912a763f13e1cc1d91457abb

SeoSprint

a027ee6ac9b11664f4666cdd2651f753d70aa2bd

YOUTUBE PREMIUM

f4461c92466e5e96977a7ad5890f83fc5aa1ee00

YOUTUBE PREMIUM

26c02a0378ed1fede09912b4f63a045e1147bbab

YOUTUBE PREMIUM

e70a7778694e27d3bbb5de4051470421d6918f71

YOUTUBE PREMIUM

dfaa802d7c29b076ad225b81516e2d75a34f0ce8

YOUTUBE PREMIUM

0651dfc1bbb165543f8313eab80e3021cfbb9c11

YOUTUBE PREMIUM

5d3d54f0bf932c2972d61aa7c1693d413d56c107

SeoSprint

e4510748d0fb1280f77a4e8e9743dc6de13a8c22

girls video call sex

3ae19f6485fdc992746d6d8e086346e4ddfbea8b

VIP MOD BOX

c23d084d4c67729413212847224ca70d9fcf3656

AKUN FREE FIRE

f1b5c963e381471f99533b07f9645197060343f8

YOUTUBE PREMIUM

5e4139f03a43a7174e72c149622261d91c6e09b0

YOUTUBE PREMIUM

6df9f1b3ccc957a5ee32846b30bede62747bd342

YOUTUBE PREMIUM

fb4e9e5df4aee341761d91a7979f155101628528

YOUTUBE PREMIUM

db8e25a0acb56b51bc4a0f38dfb05d5f1032027a

Petcoa

08236c8f70a29c9edb05563756c357af619964ac

Petcoa

e6b5678ce11bcf81e661838ec50aef76788e0d31

YOUTUBE PREMIUM

562166f3c51e3e80e41b10f55f31a472dd1dbcd2

YOUTUBE PREMIUM

31116da80f119d82124fd6b380e590d83a586fc2

YOUTUBE PREMIUM

8b2435863c027df038c21d49aca8033994dd2dc7

Zetflix

31c24678746e77fd89be9b21b31378b28eec4c03

YOUTUBE PREMIUM

f97e226f0fbd6ae22a1d6aa4a4a1319f166e8372

YOUTUBE PREMIUM

059c094410275afca1cc5a2699c36f7b41f35480

YOUTUBE PREMIUM

87ccf4554a34d29f56a5a8f00aa97b1818f09942

YOUTUBE PREMIUM

ad6cd355e133d786c2e7d885370d208ef3d6d839

Standoff 2

f5b40debe607fb2978cbbba63dc432aa74a18941

YOUTUBE PREMIUM

b7f07acc602b1d136cab47303f2589f1d2093ff1

TELEGRAM PREMIUM

7585fb1485c6bdd201aabead64250a6de9b8969d

YOUTUBE PREMIUM

4f0a2647b0f8feeef37e1779e6d38bcfa83685aa

AKUN FREE FIRE

fa9cb759ee400362194804976f7fd05466d249d2

Author

Anshuman Das

Threat Research @CloudSEK

Predict Cyber threats against your organization

Related Posts
Blog Image
February 3, 2024

From Discussion Forums to Malware Mayhem: The Alarming Rise of Abuse on Google Groups and Usenet

Explore the escalating wave of cyber threats on platforms like Google Groups and Usenet, uncovering the pivotal role of cybersecurity in safeguarding online discussion forums.

Redirect Chain: Advertisement Services being Abused by Threat Actors to Redirect Users to Malware, Betting, Adult Websites

Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them.

Blog Image
December 29, 2023

Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking

A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Malware

8

min read

DogeRAT: The Android Malware Campaign Targeting Users Across Multiple Industries

CloudSEK’s TRIAD team discovered yet another open-source Android malware called DogeRAT (Remote Access Trojan), targeting a large customer base across multiple industries, especially Banking and Entertainment. Although the majority of this campaign targeted users in India, it is intended to have a global reach.

Authors
Anshuman Das
Threat Research @CloudSEK
Co-Authors

Overview of the Campaign

Cybersecurity threats are continually evolving and getting more complicated. Scammers have started utilizing open-source software and technology to support scams, developing and customizing them to target individuals across the nation. These financially motivated con artists focus on increasing their profit margins by not spending any money on launching a fraud campaign. Previously, in a similar campaign, scammers were seen exploiting SMSEye2, an open-source Android application that forwards SMS messages to a Telegram Bot from a particular mobile device. 

During an investigation into an SMS stealer scam campaign, CloudSEK’s TRIAD team discovered yet another open-source Android malware called DogeRAT (Remote Access Trojan), targeting a large customer base across multiple industries, especially Banking and Entertainment. Although the majority of this campaign targeted users in India, it is intended to have a global reach. The malware is disguised as a legitimate app and is being distributed through social media and messaging apps. Once installed, the malware can steal sensitive information from the victim's device, such as contacts, messages, and banking credentials. The malware can also be used to take control of the victim's device and perform malicious actions, such as sending spam messages, making unauthorized payments, modifying files, viewing call records, and even taking photos via both the front and rear cameras of the infected device.

It is essential to exercise vigilance and take preventative measures to safeguard our digital assets. In this blog, we will deep dive into the operation of the DogeRAT malware campaign and provide tips on how to protect yourself from this threat.

Attribution

DogeRAT has been found to be advertised by the malware creator in two Telegram Channels. In the image given below, the author of the RAT has offered a premium version of DogeRAT which has the additional capabilities of taking screenshots, stealing images from the gallery, working as a keylogger, stealing clipboard information, and has a new file manager along with more persistence and smooth bot connections with the infected device.

Screenshot of the Telegram advertisement offering the premium version of DogeRAT

Moreover, the author of DogeRAT has also created a GitHub repository where the RAT is hosted along with a video tutorial and the following list of features/capabilities offered by the RAT.

Capabilities of the DogeRAT


Technical Analysis

Set Up for DogeRAT

This Java-based android RAT uses a very simple server-side code written in NodeJs to interact with Telegram Bot and an infected device through a web socket. In this scenario, the Telegram Bot is working as the Command and Control panel for the threat actor who creates the setup and deploys the DogeRAT.

Code snippet used to interact with the Telegram Bot

The malware author's extensive tutorial on GitHub shows that a Telegram Bot and a free open-source NodeJs application hosting platform are sufficient to launch a scam campaign using DogeRAT.

Screenshot taken from the video tutorial shared by the malware author to set up the RAT

Permissions Required by the Trojan

Upon its initial launch, the Trojan acquires multiple permissions, including and not limited to access to call logs, audio recording, and reading of SMS messages, media, photos, etc.

Screenshots of the permissions requested by the Trojan

Invoking the Web View

The malware consistently displays the URL of the targeted entity in a web view within the application to create the appearance of legitimacy. The URL can be changed based on the target by the threat actor operating the RAT.

Code Snippet Responsible for displaying the target entity's URL in the malware's web view

Communication with the C2 Server 

As previously mentioned the Telegram Bot acts as a C2 panel for the RAT and upon further inspection of the HTTP traffic, we discovered that the malware is engaging in communication with server code that is manipulable via a Telegram Bot.

Screenshots of the HTTP traffic depicting the malware’s engagement with the C2 server

Uncovering the Campaign

During the routine triaging, CloudSEK researchers stumbled upon a malicious package ID "willi.fiend". Further investigation led to the discovery of over thousand counterfeit applications designed to target Android apps in multiple sectors, including banking, gaming, and entertainment. This discovery led to the identification of the DogeRAT malware campaign. 

Impersonated Apps

SHA1 Hash

Opera Mini - fast web browser

d93eb09c7ff82b863cf46220c7e85d30d152d705

Android VulnScan

eb88cac2fce77d85b287f702b26dc8e4db53ee57

YOUTUBE PREMIUM

cee05d1c702a7fd8616341a44b555ea677e08438

Netflix Premium

0b5581de43ee6bc51c8bec1ec97265ccd8109658

ChatGPT

05fcd1837791c60e8bdeaf36294d32ea88e196c9

Lite 1 [facebook]

c8bfcd665d689ed94fa7ca0740ab5f13b9a624fb

Instagram Pro

5f99a6beeb5b5eaa2739b52206e9f67f9bd7d125

Conclusion

This campaign serves as a stark reminder of the financial motivation driving scammers to continually evolve their tactics. They are not just limited to creating phishing websites, but also distributing modified RATs or repurposed malicious apps to execute scam campaigns that are low-cost and easy to set up, yet yield high returns. Hence, it is important to be aware of the latest threats and to take steps to protect yourself. Here are a few tips:

  • Be careful about what links you click on and what attachments you open - If you receive a link or attachment from someone you don't know, don't click on it or open it.
  • Keep your software up to date - Software updates often include security patches that can help protect your device from malware.
  • Use a security solution - A good security solution can help protect your device from malware and other threats.
  • Be aware of the signs of a scam - Scammers often use techniques such as urgency, fear, and greed to trick victims. If you are ever unsure about a message or offer, it is best to err on the side of caution and not click on any links or open any attachments.
  • Educate yourself about malware - The more you know about malware, the better equipped you will be to spot it and protect yourself from it. There are many resources available online that can help you learn more about malware.

Indicators of Compromise (IoCs)

App Name

Hash

YOUTUBE PREMIUM

cee05d1c702a7fd8616341a44b555ea677e08438

YOUTUBE PREMIUM

7caa0b2489ecd7758911e1899fdfee114a29e905

YOUTUBE PREMIUM

c6d9b3bb2420c69f5bc4aee673753dae6e1e693e

VIDEO PLAYER

51161c9f4a3ae9746550854f9467997dae6485e4

VIDEO PLAYER

b017c9b82a9ba30c0e3c5dff1e5eb5fd1ed5d3b4

YOUTUBE PREMIUM

a1691ae35fed37dbde16b478e5b28b408a848640

VIDEO PLAYER

4af13c30115c5b68427f7cb334e6bd73138abe3e

VIDEO PLAYER

b865436af198fc8480d85264a105152b2b6e3b02

YOUTUBE PREMIUM

3421057008a57cdcdde4769a5629570184ce0f40

YOUTUBE PREMIUM

514cc20a65419f0ae1adbfcb97e579c9405ecf36

YOUTUBE PREMIUM

b225975439ef0ef0dfc15f6d49f5d9e0c5da3bd7

YOUTUBE PREMIUM

deacaf38d16691ec6f27810ce6a89ab072cd55d3

YOUTUBE PREMIUM

233bc1a0975472cc79080bf0536e711cc9cbaeb2

chat arab prvate

7a85de6eacf06945a11b4e4cc44374d313a149ec

YOUTUBE PREMIUM

89cfdb2fb46203d2d8566c6fac3fb062553f2d48

YOUTUBE PREMIUM

faba0e797884b1b8e65e3a2336dec3d27d8e5f80

YOUTUBE PREMIUM

716f4b35cd43cfc69dee46d6c9d62579a62161f1

YOUTUBE PREMIUM

16b48e5d8e721eb36038670ad133962d21bb1c0c

YOUTUBE PREMIUM

8d091646dffce1fa20ace3abc4a64e0058109593

ZETFLIX

bb47baf96eddc4cb912a763f13e1cc1d91457abb

SeoSprint

a027ee6ac9b11664f4666cdd2651f753d70aa2bd

YOUTUBE PREMIUM

f4461c92466e5e96977a7ad5890f83fc5aa1ee00

YOUTUBE PREMIUM

26c02a0378ed1fede09912b4f63a045e1147bbab

YOUTUBE PREMIUM

e70a7778694e27d3bbb5de4051470421d6918f71

YOUTUBE PREMIUM

dfaa802d7c29b076ad225b81516e2d75a34f0ce8

YOUTUBE PREMIUM

0651dfc1bbb165543f8313eab80e3021cfbb9c11

YOUTUBE PREMIUM

5d3d54f0bf932c2972d61aa7c1693d413d56c107

SeoSprint

e4510748d0fb1280f77a4e8e9743dc6de13a8c22

girls video call sex

3ae19f6485fdc992746d6d8e086346e4ddfbea8b

VIP MOD BOX

c23d084d4c67729413212847224ca70d9fcf3656

AKUN FREE FIRE

f1b5c963e381471f99533b07f9645197060343f8

YOUTUBE PREMIUM

5e4139f03a43a7174e72c149622261d91c6e09b0

YOUTUBE PREMIUM

6df9f1b3ccc957a5ee32846b30bede62747bd342

YOUTUBE PREMIUM

fb4e9e5df4aee341761d91a7979f155101628528

YOUTUBE PREMIUM

db8e25a0acb56b51bc4a0f38dfb05d5f1032027a

Petcoa

08236c8f70a29c9edb05563756c357af619964ac

Petcoa

e6b5678ce11bcf81e661838ec50aef76788e0d31

YOUTUBE PREMIUM

562166f3c51e3e80e41b10f55f31a472dd1dbcd2

YOUTUBE PREMIUM

31116da80f119d82124fd6b380e590d83a586fc2

YOUTUBE PREMIUM

8b2435863c027df038c21d49aca8033994dd2dc7

Zetflix

31c24678746e77fd89be9b21b31378b28eec4c03

YOUTUBE PREMIUM

f97e226f0fbd6ae22a1d6aa4a4a1319f166e8372

YOUTUBE PREMIUM

059c094410275afca1cc5a2699c36f7b41f35480

YOUTUBE PREMIUM

87ccf4554a34d29f56a5a8f00aa97b1818f09942

YOUTUBE PREMIUM

ad6cd355e133d786c2e7d885370d208ef3d6d839

Standoff 2

f5b40debe607fb2978cbbba63dc432aa74a18941

YOUTUBE PREMIUM

b7f07acc602b1d136cab47303f2589f1d2093ff1

TELEGRAM PREMIUM

7585fb1485c6bdd201aabead64250a6de9b8969d

YOUTUBE PREMIUM

4f0a2647b0f8feeef37e1779e6d38bcfa83685aa

AKUN FREE FIRE

fa9cb759ee400362194804976f7fd05466d249d2