
October 20, 2017

JadeRAT mobile surveillanceware spikes in espionage activity

By Michael Flossman

Lookout researchers are monitoring the evolution of an Android surveillanceware family known as JadeRAT, which we believe may be connected to a government-sponsored APT group.

Emerging in 2015 and becoming increasingly active, JadeRAT provides its operators with a significant degree of control over a compromised device and supports over 60 commands that are focused on retrieving sensitive information and profiling victims.
All Lookout customers are protected from this threat.

JadeRAT is just one example of the numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools into their attack chains. Some of these active families have included FrozenCell, an attack against government officials in Palestine; xRAT, associated with a family targeting Hong Kong protestors; and ViperRAT, an attack targeting members of the Israeli Defense Force. Research into those families suggests they are highly targeted; however, we've also seen more wide-reaching spyware such as SonicSpy, which was discovered in thousands of malicious apps, some of which made their way into the Google Play Store.

Potential attribution

Based on the apps we've seen JadeRAT trojanize, it appears the actors behind it are primarily targeting groups and individuals in China. While our analysis has identified several possible leads that could tie this surveillanceware family to the Naikon APT, Scarlet Mimic, or one of several other groups operating in the region, at this point in time we do not have conclusive evidence to confirm this. Our findings do support the theory that the actor behind JadeRAT is operating around a similar set of objectives to those followed by other Chinese government-sponsored groups. We hope that sharing this information will increase awareness of the rise in targeted surveillance attacks against mobile devices and provide further leads to the research community investigating actors operating in this region.

JadeRAT samples

[Figure: JadeRAT test releases chart]

There is a strong indication that the actor behind this family is becoming increasingly active in the mobile space. As of June 2017, we have acquired 34 JadeRAT samples, 50 percent of which were acquired this year alone. Looking at hard-coded configuration details, we were able to determine which samples are likely production releases and which are used for internal testing. This shows that the majority of production samples were released this year.

JadeRAT sample names have remained fairly consistent. The apps SIM卡管理 (SIM Card Management), 手机管家 (Phone Guardian), and Google Searcher are the most popular observed titles. Others have included Uyghur, 170602, Telegram, and Voxer, indicating the actor is impersonating communication apps and may be running some campaigns targeting ethnic minorities in China, given the Uyghur reference.

JadeRAT supports over 60 commands that can be issued in the format !<command_id>&<optional_cmd_params>@. Many of these offer the standard information-gathering functionality seen in typical mobile surveillanceware; however, JadeRAT also supports several less common capabilities. These include notifying an operator via SMS when a device has booted and silently dropping calls and texts to attacker-specified numbers. The following are JadeRAT's core capabilities:

Get a list of running processes
Get the name of the foreground task
Get active services
Retrieve device location
Retrieve contacts, accounts, call logs, text messages
Kill a specific process
Retrieve location data that has been periodically collected
List the contents of a specific directory
Download / upload / delete a specified file
Recursively search a directory on a victim's device for a specific filename
Use ZipUtils to compress a specific file, placing the compressed output in /sdcard/.temp
Exfiltrate MicroMsg and QQ media files and chat databases
Check for root access
Retrieve Wi-Fi access points and their corresponding passwords
Configure call recording to occur if a call is made to a specified number
Alert a 'secure phone' that a victim's device is now online
Record audio at a specific time for a set duration
Start / stop audio recording / set to record based on calls to certain numbers
Attempt to call an attacker-specified number
Silently drop calls and SMSes to specific numbers
Enable / disable Wi-Fi
Enable / disable mobile data
Enable / disable GPS
Delete all SMSes, call logs, contacts, and content on the SD card
Execute arbitrary commands if root
Take a screenshot
Shutdown / reboot device

[Figure: JadeRAT code snippet]

Because JadeRAT simply opens a socket to a configured address and uses a basic instruction format without any authentication, its capabilities can be exercised by redirecting traffic from a compromised device to an analysis machine running netcat.
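The !<command_id>&<optional_cmd_params>@ framing described above is simple enough to be recovered from captured traffic, which makes it useful as a detection artefact. The following is an added example (not code from the post or from Lookout) that parses that framing out of a TCP stream delivered in arbitrary chunks, so that a monitoring tool can count and summarise command frames seen on a connection. It assumes that command ids are numeric and that the & separator is omitted when a command carries no parameters; the command ids and paths in the constructed sample are placeholders, not values taken from JadeRAT.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Frame format from the post: !<command_id>&<optional_cmd_params>@
# Assumptions (not stated in the post): the id is decimal digits and
# "&<params>" is absent when a command has no parameters.
FRAME_RE = re.compile(rb"!(?P<cmd>[0-9]+)(?:&(?P<params>[^@]*))?@")

Frame = Tuple[int, Optional[str]]


def parse_frames(data: bytes) -> Tuple[List[Frame], bytes]:
    """Extract every complete frame from a buffer.

    Returns (frames, leftover): leftover is the trailing bytes that start a
    frame whose closing '@' has not arrived yet, so the caller can prepend
    them to the next read.
    """
    frames: List[Frame] = []
    end = 0
    for m in FRAME_RE.finditer(data):
        params = m.group("params")
        frames.append((
            int(m.group("cmd")),
            params.decode("utf-8", "replace") if params is not None else None,
        ))
        end = m.end()
    tail = data[end:]
    start = tail.find(b"!")
    leftover = tail[start:] if start != -1 else b""
    return frames, leftover


class StreamDetector:
    """Reassembles a one-direction TCP stream and records the frames it carries."""

    def __init__(self) -> None:
        self.buf = b""
        self.seen: List[Frame] = []

    def feed(self, chunk: bytes) -> List[Frame]:
        """Add a chunk as it arrives; returns the frames completed by this chunk."""
        self.buf += chunk
        frames, self.buf = parse_frames(self.buf)
        self.seen.extend(frames)
        return frames

    def summary(self) -> Dict[int, int]:
        """Count of frames per command id, for an analyst's quick look."""
        return dict(Counter(cmd for cmd, _ in self.seen))


# Constructed sample stream, split across reads the way a capture tool
# would deliver it. Ids 1 and 17 are placeholders, not real JadeRAT ids.
SAMPLE_CHUNKS = [b"!1@!17&/sd", b"card/DCIM@!1"]


def demo() -> Dict[int, int]:
    det = StreamDetector()
    for chunk in SAMPLE_CHUNKS:
        det.feed(chunk)
    return det.summary()


if __name__ == "__main__":
    print(demo())
```

The parser is deliberately strict about the closing delimiter: a frame cut off by a read boundary is held back rather than emitted half-parsed, which is the case that trips up naive one-shot regex matching on packet payloads.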


JadeRAT's operators have consistently changed their infrastructure. Production releases rarely reuse domains or IP addresses, frequently use dynamic DNS, and communicate on various non-standard ports. JadeRAT is configured to send SMS messages to an attacker-specified phone number when the compromised device first comes online; however, these have only been pre-configured in three of the most recently observed samples. We extracted the following phone numbers from samples acquired during April of 2017:

Number | Region | Operator | Brand
18395610195 | Shijiazhuang City, Hebei Province | China Mobile Communications Corporation | Global pass, M-Zone, Shenzhou line, G3
18633666566 | Handan City, Hebei Province | China United Network Communications Group Co., Ltd | Unknown
13910674787 | Beijing | China Mobile Communications Corporation | Global pass, M-Zone, Shenzhou line, G3

Though these phone numbers are only associated with a limited number of samples, all samples come configured with specific infrastructure to which they communicate. Below are the observed domains and external IP addresses, with the ports seen in use for each.

IP / Domain | Port(s)
googleservhlp.oicp.net | 8096
iponetest.eicp.net | 8001
myofficedesktop.rkfree.net | 8000
asd887655.6655.la | 8080, 80, 5000, 8000, 8899, 6611, 8029, 8899, 8081, 8080, 4434
test.ymyoo.xyz | 5000, 4434, 8910
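Because JadeRAT's hosts and ports change between releases, a host match on an unexpected port is still worth surfacing rather than discarding. The following is an added example (not code from the post or from Lookout) that loads the hosts and ports from the table above and runs them over connection log lines. The log format is constructed for the example, as are the timestamps and internal addresses; a destination that matches a listed host on a listed port is reported at high confidence, and a listed host on any other port at medium confidence.

```python
import re
from typing import Dict, List, Optional, Set

# C2 hosts and the ports observed for each, as listed in the post.
JADERAT_C2: Dict[str, Set[int]] = {
    "googleservhlp.oicp.net": {8096},
    "iponetest.eicp.net": {8001},
    "myofficedesktop.rkfree.net": {8000},
    "asd887655.6655.la": {8080, 80, 5000, 8000, 8899, 6611, 8029, 8081, 4434},
    "test.ymyoo.xyz": {5000, 4434, 8910},
}

# Constructed log line format (not from the post):
#   <timestamp> <src_ip>:<src_port> -> <dst_host>:<dst_port> <proto>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+?):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+?):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def classify(line: str) -> Optional[dict]:
    """Return a finding for a line whose destination is a listed host, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    host = m.group("dst").lower().rstrip(".")
    port = int(m.group("dport"))
    ports = JADERAT_C2.get(host)
    if ports is None:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "host": host,
        "port": port,
        # Same host on an unlisted port is still suspicious given the
        # operators' habit of rotating ports, so it is kept at lower confidence.
        "confidence": "high" if port in ports else "medium",
    }


def scan(lines: List[str]) -> List[dict]:
    """Run classify() over a batch of lines and keep the hits, in order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample connection log.
SAMPLE_LOG = [
    "2017-04-12T10:03:21Z 10.0.0.5:51234 -> test.ymyoo.xyz:5000 tcp",
    "2017-04-12T10:03:25Z 10.0.0.5:51235 -> www.example.com:443 tcp",
    "2017-04-12T10:04:02Z 10.0.0.9:40111 -> asd887655.6655.la:9999 tcp",
    "2017-04-12T10:04:10Z 10.0.0.9:40112 -> 8.8.8.8:53 udp",
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The lookup is on the exact hostname rather than the registrable domain because the listed names sit under shared dynamic DNS providers (oicp.net, eicp.net, rkfree.net, 6655.la); matching on the parent domain would flag unrelated users of those services.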

[Figure: JadeRAT connections]

Lookout is continuing to track JadeRAT and its associated infrastructure closely, as we anticipate this family will only continue to grow.



All these indicators have been added to AlienVault under the JadeRAT pulse.


Michael Flossman,
Security Research Services Tech Lead
