Remote access tools have long been a major part of targeted hacker attacks on individuals and corporate networks. RATs have been used for everything from hacking the e-mail boxes of New York Times reporters to capturing video and audio of victims over their webcams. Recently, wireless broadband and the power of smartphones and tablets have extended hackers’ reach beyond the desktop. In a blog post yesterday, Symantec Senior Software Engineer Andrea Lelli described the rise of an underground market for malware tools based on Androrat, a remote administration tool that can give an attacker complete control over devices running the Android OS.

Androrat was published on GitHub in November 2012 as an open source tool for remote administration of Android devices. Packaged as a standard Android application (in an APK file), Androrat can be installed as a service on the device that launches at start-up or as a standard “activity” application. Once it’s installed, the user doesn’t need to interact with the application at all—it can be activated remotely by an SMS message or a call from a specific phone number.

The app can grab call logs, contact data, and all SMS messages on the device, as well as capture messages as they come in. It can provide live monitoring of call activity, take pictures with the phone’s camera, and stream audio from the phone’s microphone back to its server. It can also post “toasts” (application messages) on the screen, place phone calls, send text messages, and open websites in the phone’s browser. If it is launched as an application (or “activity”), it can even stream video from the camera back to the server.

Hackers have taken Androrat’s code and run with it. Recently, underground marketplaces for malware have begun to offer Androrat “binder” tools, which can attach the RAT to the APK files of other legitimate applications. When a user downloads what appears to be a harmless app that has been bound to Androrat, the RAT gets installed along with the app without requiring additional user input, sneaking past Android’s security model. Symantec reports that analysts have found 23 instances of legitimate apps that have been turned into carriers for Androrat. The code has also been incorporated into other “commercial” malware, such as Adwind—a Java-based RAT that can be used against multiple operating systems.

Lelli said that Symantec has detected “several hundred” cases of Androrat-based malware infections on Android devices, mostly in the US and Turkey. But now that binders are available to anyone willing to pay for them, the potential for infection to spread is growing rapidly.