Capturing and Detecting AndroidTester Remote Access Trojan
with the Emergency VPN — Civilsphere
Published: 2021-09-21 · Archived: 2026-04-06 00:25:23 UTC
Mobile remote access trojans, or RATs, are malicious programs that allow attackers to fully control a mobile
device. What does this mean in reality? The person controlling the malware will be able to access information on
the phone, including SMS, pictures and messaging applications, and also be able to steal or implant files on the
phone. RATs are precision tools used to track and gather information about a person. 
In this blog post, we show how the Emergency VPN can help identify RAT infections on Android phones. The
images and network traffic included in this blog post are part of the original research by Civilsphere researcher
Kamila Babayeva on the Android Mischief Dataset [1].
Android Tester Remote Access Trojan
AndroidTester is a RAT for Android that has been around since approximately 2020, and it is believed to be a
variation of another RAT known as SpyNote. Among its functionalities, the RAT can access files, SMS messages,
calls, contacts, locations, accounts, applications, and allows access to the shell, microphone, camera, keylogs,
settings, and other functionalities. This functionality is shown in Figure 1 and 2. 
Once the phone is infected with the RAT, the attacker has complete access to the phone. As we can see in the
screenshots below, the RAT can list all the files and all the installed applications, among other things.
Figure 3 - The Emergency VPN allows users to safely browse the Internet while providing a
security assessment of the network traffic to identify potential threats.
To capture the behavior of the AndroidTester RAT, we connected a Nokia Phone with Android 10 to our
Emergency VPN and then infected the device with AndroidTester v.6.4.6. The Nokia Phone was remotely
controlled like a real attacker would do, stealing information, adding and deleting contacts, and locating the
device.
During all this time, the Emergency VPN was active and the network connections through the VPN were captured
and then analysed by our analysts to identify if there were malicious connections identified or not.
The Emergency VPN captures and stores the network traffic in a PCAP file. This file contains all the network
connections the device did using the VPN and it is the primary source for analysis that our researchers use to find
malware infections.
In this session, the Emergency VPN was used for 1.2 hours resulting in 80MB of network traffic captured. With
this data, we proceed to perform our analysis.
In this investigation, we focused on three things to detect the malware infection:
https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn
Page 1 of 3

1. Unusual data upload: is the device uploading (a lot of) data to unusual services?
2. Periodic connections: are there network connections that appear not to be human? 
3. Data leaks: is there any personal information being leaked on the network?
The first thing we usually look at are usual data uploads. Most users are data consumers, generally downloading
more data than they send. This quick analysis highlighted one suspicious connection to a server not associated
with any well-known service, where the device uploaded 43MB as it can be seen below:
This connection is suspicious because the service is not known, the device uploads 43MB of data, but also,
because compared to the other activities in the device this is an outlier. However suspicious, this alone is not
enough to classify this connection as malicious and we investigate further.
Now that we have a connection that we consider suspicious, we analyse it to determine if this connection may
have been generated by a human or a program. When humans browse the internet or use applications, we rarely do
it in a periodic and automated fashion. Computers on the other hand, they do. 
The Stratosphere Linux IPS is a network analysis tool that allows to quickly analyse if a connection is periodic. As
shown below, the connection to this server is periodic, does not have an associated DNS name, and the data
transfer occurs over a non-standard port (1337).
With all the information gathered, our researchers will use existing Threat intelligence and their advanced
knowledge on traffic analysis to try to associate the traffic with a specific malware family whenever possible to
facilitate the risk assessment and remediation steps taken by users.
The Emergency VPN report for this device is available here. A technical in-depth analysis of AndroidTester
network traffic is available in the Stratosphere Blog [6].
How to Avoid Getting Infected by RATs
These are our recommendations to stay safe:
Install new apps only from the Google Play Store and trusted developers.
The Google Play Protect is enabled by default, keep it enabled at all times. 
Click only on links sent by people you know and trust. When in doubt, do not click.
Download and open attachments sent only by known and trusted contacts. When in doubt, do not download
and do not open.
Keep only the essential applications installed on the phone for maximum safety.
Never leave your phone unattended or unlocked, even in trusted spaces.
Never share your phone PIN or Pattern, even with loved ones.
https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn
Page 2 of 3

Remember that you can use the service ShouldIClick to check links before clicking, and see its content without
visiting the site directly on your phone. Get started using the Emergency VPN.
Source: https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vp
n
https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn
Page 3 of 3