Cyber-criminals have released a new malicious remote access tool (RAT) for Android, the sophisticated malware executes three essential tasks, leaking data, banking credential theft, and remote access.

The newly uncovered malware disguises itself as a “Google Service Framework” application. When installed, the malware disables any antivirus applications found on the device before proceeding to its three primary tasks. Additionally, security firm FireEye reports that the developers are in the process of building a framework to steal bank account credentials. Dubbing the malware, ‘HijackRAT‘, is the first of its kind and the most sophisticated Android malware yet combining all of its activities.

FireEye researchers, Jinjian Zhai and Jimmy Su explain how the bank account hijacking framework has the ability to target eight Korean banks, but attackers could easily increase their range with a simple update. Too add, Zhai and Su write how they believe the developers reside in Korea based on the applications interface and believe they are targeting Korean consumers as well.

Android devices infected with the malware will have an application with the default Android icon titled, “Google Services,” appear on the device home-screen. To remove the application, security researchers state users would need to go into their settings and revoke administrator privileges from the application itself.

During testing, FireEye found that after installing the malicious application, the “Google Service” icon appeared. When users click on the app they are immediately prompted to give the application administrator privileges. If permissions are granted, the application disables the user’s ability to uninstall and starts to automatically run a new app called “GS.”

In hindsight, if a user clicks on the “Google Services” app once more after installation, a notification claiming that the app was not successfully installed appears, and the icon disappears. Researchers report that within minutes the malware establishes a connection with its command and control (C&C) server.

The command and control server IP that HijackRAT phones home to resides Hong Kong, but researchers are unsure if that is a static server or simply the IP of a victtim controlled by the RAT, which would suggest a peer-to-peer architecture.

Once the command and control connection is established, the malware finishes installing the following to perform its various malicious tasks: UploadDetail, UploadSMS, SendSMS, BankHijack, PopWindows, and Update.

The first malicious task, UploadDetail, collects private information from the device, this includes phone numbers, device IDs, and contact lists. While “UploadDetail” harvests these tasks, the tool scans to see if any popular banking applications are found on the device.

While analyzing packets, researchers found a packet titled “blanklist” which came back empty when no bank applications were found on the device. If installed, of the eight recognized banking application, the “blanklist” packet returned with short names for each of the known banks.

Once a banking application is found, “PopWindow” initiates. The command and control connection uses “PopWindow” to kill commonly used task “com.ahnlab.v3mobileplus,” which will disable nearly every popular anti-virus applications found on the Google Play store. Once completed, “PopWindow” displays a notification telling users that new versions of their banking application are available. If users click the notification, the command and control center will install a malicious version of the banking application while uninstalling the original banking application.

From there, “Update” will update the malware when a new version is available. “UploadSMS” gives the command and control center full control over the phones SMS functions. The “BankHijack” module was found to be unfinished. But during analysis it was found to take notes of the recognized banking applications in its database, then continually try to apply an update. FireEye researchers believe the developers are having trouble finishing the module and executing it properly.

“Given the unique nature of how this app works, including its ability to pull down multiple levels of personal information and impersonate banking apps,” Zhai and Su say, “a more robust mobile banking threat could be on the horizon.”

As there is no current fix for this malware, it is recommended all Android users carefully read notifications before clicking “allow” or taking similar action. Security on mobile devices is essential, especially as cyber criminals are starting to target mobile app stores at rapid rates.