Sneaky DogeRAT Trojan Poses as Popular Apps, Targets Indian Android Users

A new open source remote access trojan (RAT) called DogeRAT targets Android users primarily located in India as part of a sophisticated malware campaign.

The malware is distributed via social media and messaging platforms under the guise of legitimate applications like Opera Mini, OpenAI ChatGOT, and Premium versions of YouTube, Netflix, and Instagram.

“Once installed on a victim’s device, the malware gains unauthorized access to sensitive data, including contacts, messages, and banking credentials,” cybersecurity firm CloudSEK said in a Monday report.

“It can also take control of the infected device, enabling malicious actions such as sending spam messages, making unauthorized payments, modifying files, and even remotely capturing photos through the device’s cameras.”

DogeRAT, like many other malware-as-a-service (MaaS) offerings, is promoted by its India-based developer through a Telegram channel that has more than 2,100 subscribers since it was created on June 9, 2022.

This also includes a premium subscription that’s sold for dirt-cheap prices ($30) with additional capabilities such as taking screenshots, stealing images, capturing clipboard content, and logging keystrokes.

In a further attempt to make it more accessible to other criminal actors, the free version of DogeRAT has been made available on GitHub, alongside screenshots and video tutorials showcasing its functions.

“We do not endorse any illegal or unethical use of this tool,” the developer states in the repository’s README.md file. “The user assumes all responsibility for the use of this software.”

Upon installation, the Java-based malware requests for intrusive permissions to perform its data-gathering objectives, before exfiltrating it to a Telegram bot.

“This campaign is a stark reminder of the financial motivation driving scammers to continually evolve their tactics,” CloudSEK researcher Anshuman Das said.

“They are not just limited to creating phishing websites, but also distributing modified RATs or repurposing malicious apps to execute scam campaigns that are low-cost and easy to set up, yet yield high returns.”

The findings come as Google-owned Mandiant detailed a new Android backdoor called LEMONJUICE that’s designed to enable remote control of and access to a compromised device.

“The malware is capable of tracking device location, recording the microphone, retrieving contact lists, accessing call, SMS, clipboard, and notification logs, viewing installed applications, downloading and uploading files, viewing connectivity status, and executing additional commands from the C2 server,” researcher Jared Wilson said.

In a related development, Doctor Web uncovered over 100 apps containing a spyware component called SpinOk that have been collectively downloaded more than 421 million times via the Google Play Store.

The module, which is distributed as a marketing software development kit (SDK), is engineered to collect sensitive information stored in the devices as well as copy and substitute clipboard contents.

Some of the most popular apps that have been found to contain the SpinOk trojan are Noizz, Zapya, VFly, MVBit, Biugo, Crazy Drop, Cashzine, Fizzo Novel, CashEM, and Tick.