Published Dec 06, 2019 | Updated Jan 12, 2026

Trojan:AndroidOS/AndroRat

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

The Trojan:AndroidOS/AndroRat malware family demonstrates how open-source administrative tools can be repurposed into significant mobile security threats. Originating as a publicly available proof-of-concept for Android device control, its code has been adapted and expanded by various threat actors and state-sponsored groups. The malware operates by subverting the Android operating system's security model, primarily through the aggressive solicitation of permissions and the abuse of accessibility services to gain extensive control over target devices. Its evolution reflects a shift from simple information theft to functioning as a complex, multi-stage surveillance platform. The framework's core capability involves breaking device sandboxing to provide operators with remote access to sensitive data and hardware functions, including cameras, microphones, and private communications. 

  • Immediately isolate the device by activating Airplane Mode and disabling Wi-Fi and Bluetooth to sever the command-and-control connection. 
  • From a clean PC, change passwords for all accounts accessed from the compromised Android device, prioritizing email and financial services. 
  • Reset multi-factor authentication (MFA) methods, moving away from SMS-based codes to a more secure authenticator app or hardware key. 
  • Navigate device settings to manually review installed applications and revoke Device Administrator privileges from any suspicious entry before attempting uninstallation. 
  • Perform a scan using a reputable mobile security application to identify and remove malicious components. 
  • Boot the device into Safe Mode to prevent third-party apps from running, which allows for the successful removal of persistent malware. 
  • As a definitive last resort, perform a full factory reset to wipe all user data and system partitions, ensuring complete removal of the infection. 
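The manual review step above (checking installed apps for Device Administrator and accessibility-service footholds, the two Android mechanisms the summary says this family abuses) can be automated over a USB debugging connection. The script below is an added example and is not Microsoft's tooling or part of this encyclopedia entry. It assumes `adb` is installed and the device is authorized; it parses the output of `pm list packages -3`, `settings get secure enabled_accessibility_services` and `dumpsys device_policy` and reports any third-party package that appears in either privileged list. The sample outputs embedded in the script are constructed, and the `ComponentInfo{pkg/class}` form used to pull admin packages out of `dumpsys device_policy` is an assumption about that command's text format, so treat a package the script flags as a lead for the manual review, not as a verdict.

```python
"""Audit third-party Android packages for accessibility-service or device-admin
footholds (added example; assumes adb is on PATH and the device is authorized)."""
import re
import subprocess
from typing import Dict, List, Set

# Constructed sample outputs standing in for real `adb shell` results.
SAMPLE_THIRD_PARTY = """package:com.example.bank
package:com.example.sysupdate
package:com.example.notes
"""
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/.SvcAccess\n"
)
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.sysupdate/com.example.sysupdate.AdminReceiver}
      uid=10231
"""

# Assumed layout of admin entries in `dumpsys device_policy`: ComponentInfo{pkg/class}
COMPONENT_RE = re.compile(r"ComponentInfo\{([\w.]+)/[^}]+\}")


def parse_third_party(pm_output: str) -> Set[str]:
    """`pm list packages -3` prints one `package:<name>` line per user-installed app."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def parse_accessibility(setting: str) -> Set[str]:
    """The secure setting is a colon-separated list of pkg/service entries, or `null`."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def parse_device_admins(dumpsys_output: str) -> Set[str]:
    """Collect package names of every ComponentInfo{...} the policy dump mentions."""
    return set(COMPONENT_RE.findall(dumpsys_output))


def audit(pm_output: str, accessibility_setting: str,
          dumpsys_output: str) -> Dict[str, List[str]]:
    """Return {package: [reasons]} for third-party apps holding either foothold."""
    third_party = parse_third_party(pm_output)
    accessibility = parse_accessibility(accessibility_setting)
    admins = parse_device_admins(dumpsys_output)
    findings: Dict[str, List[str]] = {}
    for pkg in sorted(third_party):
        reasons = []
        if pkg in accessibility:
            reasons.append("accessibility-service enabled")
        if pkg in admins:
            reasons.append("device-admin active")
        if reasons:
            findings[pkg] = reasons
    return findings


def adb_shell(args: List[str]) -> str:
    """Run `adb shell <args>` and return stdout (requires a connected, authorized device)."""
    return subprocess.run(["adb", "shell", *args],
                          capture_output=True, text=True, check=True).stdout


def audit_live_device() -> Dict[str, List[str]]:
    """Same audit, fed from a real device over adb."""
    return audit(adb_shell(["pm", "list", "packages", "-3"]),
                 adb_shell(["settings", "get", "secure", "enabled_accessibility_services"]),
                 adb_shell(["dumpsys", "device_policy"]))


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in audit_live_device().
    for pkg, reasons in audit(SAMPLE_THIRD_PARTY, SAMPLE_ACCESSIBILITY,
                              SAMPLE_DEVICE_POLICY).items():
        print(f"{pkg}: {', '.join(reasons)}")
```

Only user-installed packages (`-3`) are considered so that legitimate system accessibility services such as TalkBack do not show up as findings; a flagged package is a candidate for the revoke-then-uninstall sequence in the list above.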

Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts. 

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help. 
