{
	"id": "411a871b-3b7c-4a6d-b832-bd4501317dc2",
	"created_at": "2026-04-06T01:31:01.961755Z",
	"updated_at": "2026-04-10T03:22:05.455417Z",
	"deleted_at": null,
	"sha1_hash": "f3bf44383074b8519f242f7df8b078196ef96de8",
	"title": "Capturing and Detecting AndroidTester Remote Access Trojan with the Emergency VPN — Civilsphere",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42773,
	"plain_text": "Capturing and Detecting AndroidTester Remote Access Trojan with the Emergency VPN — Civilsphere\r\nPublished: 2021-09-21 · Archived: 2026-04-06 00:25:23 UTC\r\nMobile remote access trojans, or RATs, are malicious programs that allow attackers to fully control a mobile device. What does this mean in reality? The person controlling the malware will be able to access information on the phone, including SMS, pictures and messaging applications, and also be able to steal or implant files on the phone. RATs are precision tools used to track and gather information about a person.\r\nIn this blog post, we show how the Emergency VPN can help identify RAT infections on Android phones. The images and network traffic included in this blog post are part of the original research by Civilsphere researcher Kamila Babayeva on the Android Mischief Dataset [1].\r\nAndroid Tester Remote Access Trojan\r\nAndroidTester is a RAT for Android that has been around since approximately 2020, and it is believed to be a variation of another RAT known as SpyNote. Among its functionalities, the RAT can access files, SMS messages, calls, contacts, locations, accounts and applications, and it allows access to the shell, microphone, camera, keylogs, settings and other functionalities. This functionality is shown in Figures 1 and 2.\r\nOnce the phone is infected with the RAT, the attacker has complete access to the phone. As we can see in the screenshots below, the RAT can list all the files and all the installed applications, among other things.\r\nFigure 3 - The Emergency VPN allows users to safely browse the Internet while providing a security assessment of the network traffic to identify potential threats.\r\nTo capture the behavior of the AndroidTester RAT, we connected a Nokia phone with Android 10 to our Emergency VPN and then infected the device with AndroidTester v.6.4.6. The Nokia phone was remotely controlled as a real attacker would do: stealing information, adding and deleting contacts, and locating the device.\r\nDuring all this time, the Emergency VPN was active, and the network connections through the VPN were captured and then analysed by our analysts to determine whether there were malicious connections.\r\nThe Emergency VPN captures and stores the network traffic in a PCAP file. This file contains all the network connections the device made through the VPN, and it is the primary source that our researchers use to find malware infections.\r\nIn this session, the Emergency VPN was used for 1.2 hours, resulting in 80MB of captured network traffic. With this data, we proceed to perform our analysis.\r\nIn this investigation, we focused on three things to detect the malware infection:\r\n1. Unusual data upload: is the device uploading (a lot of) data to unusual services?\r\n2. Periodic connections: are there network connections that appear not to be human?\r\n3. Data leaks: is there any personal information being leaked on the network?\r\nThe first thing we usually look at is unusual data uploads. Most users are data consumers, generally downloading more data than they send. This quick analysis highlighted one suspicious connection to a server not associated with any well-known service, where the device uploaded 43MB, as can be seen below:\r\nThis connection is suspicious because the service is not known and the device uploads 43MB of data, but also because, compared to the other activity on the device, it is an outlier. However suspicious, this alone is not enough to classify this connection as malicious, and we investigate further.\r\nNow that we have a connection that we consider suspicious, we analyse it to determine whether this connection may have been generated by a human or a program. When humans browse the internet or use applications, we rarely do it in a periodic and automated fashion. Computers, on the other hand, do.\r\nThe Stratosphere Linux IPS is a network analysis tool that allows analysts to quickly check whether a connection is periodic. As shown below, the connection to this server is periodic, does not have an associated DNS name, and the data transfer occurs over a non-standard port (1337).\r\nWith all the information gathered, our researchers use existing threat intelligence and their advanced knowledge of traffic analysis to try to associate the traffic with a specific malware family whenever possible, to facilitate the risk assessment and remediation steps taken by users.\r\nThe Emergency VPN report for this device is available here. A technical in-depth analysis of AndroidTester network traffic is available in the Stratosphere Blog [6].\r\nHow to Avoid Getting Infected by RATs\r\nThese are our recommendations to stay safe:\r\nInstall new apps only from the Google Play Store and trusted developers.\r\nGoogle Play Protect is enabled by default; keep it enabled at all times.\r\nClick only on links sent by people you know and trust. When in doubt, do not click.\r\nDownload and open attachments sent only by known and trusted contacts. When in doubt, do not download and do not open.\r\nKeep only the essential applications installed on the phone for maximum safety.\r\nNever leave your phone unattended or unlocked, even in trusted spaces.\r\nNever share your phone PIN or pattern, even with loved ones.\r\nRemember that you can use the service ShouldIClick to check links before clicking, and see their content without visiting the site directly on your phone. Get started using the Emergency VPN.\r\nSource: https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn"
	],
	"report_names": [
		"capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn"
	],
	"threat_actors": [],
	"ts_created_at": 1775439061,
	"ts_updated_at": 1775791325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3bf44383074b8519f242f7df8b078196ef96de8.pdf",
		"text": "https://archive.orkl.eu/f3bf44383074b8519f242f7df8b078196ef96de8.txt",
		"img": "https://archive.orkl.eu/f3bf44383074b8519f242f7df8b078196ef96de8.jpg"
	}
}