DroidJack, originally referred to as SandoRAT by Symantec, is an Android trojan allegedly created by former Android app developers. SandoRAT was first sold on a hacker forum and subsequently used in cyber operations targeting Polish bank users in August 2014. Since then, the trojan evolved into DroidJack and is now sold on its own website for $210 USD. DroidJack has similar features to other Android RATs, including the ability to copy files between the device and computer, view all messages on the device, eavesdrop on phone calls, view all contacts, listen live or record audio from the device’s microphone, gain control of the camera, view the device’s technical information, and get the device’s last marked GPS location. In July, DroidJack malware was discovered on a Pokemon GO app for Android through unofficial installation methods. In August, DroidJack was reported being distributed via over the top (OTT) carrier services, which includes Microsoft’s Skype and Facebook’s WhatsApp. In this campaign, DroidJack was spread through SMS messages sent by an unnamed OTT carrier to subscribers of the service. The SMS contains a link to an APK file that tricks the user to clicking a malicious link initiating the download of the trojan.


  • August 2016: DroidJack spread through SMS over OTT carriers. (Dark Reading)

Technical Details

  • Symantec provides technical details on the DroidJack, available here.
DroidJack Example via Symantec

DroidJack Example via Symantec