An unknown actor has been using Twitter to spread links to a malicious Android app that contains a RAT (Remote Access Trojan) and that they are employing to spy on ISIS sympathizers and Islam radicals all over the world.

The links to the APK were posted online via now-suspended Twitter profiles such as @farouk_112 and @farouk_113, which were regularly posting radicalized propaganda materials.

According to Intel Security experts, who discovered these accounts, the people behind these profiles posted links to an Android APK (app), advertised as a radio player Al Rayyan Radio, a Qatar radio station, urging followers to install the app.

SandroRAT used to spy on possible ISIS recruits

Intel's security team says that this APK file contained an Android RAT called SandroRAT, which allowed a third-party control over the device.

To avoid raising any suspicions, the malicious APK also came with a fully functional radio player that delivered the promised goods and some more. This "some more" was a hidden process that kept the RAT component running even if the user wasn't using the radio player.

The attacker could use this process to collect information about the infected target, access their call logs, SMS, camera, or the phone's filesystem to steal any desired data. If the infected Android was rooted, the RAT could also decrypt WhatsApp conversations.

Whodunit? There are three main suspects...

Based on the way the RAT was packaged inside the app, the channels chosen to distribute the malware, and the fact that the unknown actor used off-the-shelf malware, Intel concludes that the people behind this campaign are not very sophisticated threat actors.

Because of the hot topic of ISIS and terrorism all over the world, there are many groups that would have wanted to spy on people interested in radicalized views on Islam and possible ISIS sympathizers.

There are national agencies that want to build databases of possible ISIS recruits, hacktivism groups like Anonymous that are engaged in campaigns like #OpISIS, or the terrorist groups themselves that want to spy on possible recruits before inviting them to the organization.

Based on data collected through McAfee products, Intel says that it detected infections with this app in Middle East, Europe, and even North America.