How to remove Delivery RAT from infected devices

What kind of malware is Delivery RAT?

Delivery RAT is a remote administration Trojan targeting Android devices. The most recent version can steal various information, execute commands, send SMS, launch DDoS attacks, and more. Delivery RAT is distributed through fake apps that mimic banks, video and movie sharing services, marketplaces, and other services.

Delivery RAT in detail

When launched, Delivery RAT checks notification permissions and checks the internet connection. If the internet is available (or if it was already launched), Delivery RAT shows the screen asking the user to grant permissions. Then it starts a WebSocket background service that connects to its control server and waits for user actions.

After the user grants permissions and confirms, the fake app shows the main screen to enter a tracking number (or other information, depending on the service it impersonates). It then requests permissions to read and send SMS, read phone calls, and obtain the state of the phone. After these permissions are given, Delivery RAT gathers SIM info and sends it to the server.

Once these steps are completed, the malware can display fake windows. These windows mimic banking apps, video, movie sharing, delivery services, marketplaces, and other services. The RAT can show a form for the user to type credit card details. When the user enters these details and taps the Confirm button, the malware shows a download animation and sends the entered card data to the attacker's server.

Delivery RAT can also display custom forms with multiple fields. Furthermore, it can display a message asking the user to select a photo. When the user clicks the provided button, the app checks for storage or media permissions and requests them if needed. After the user picks a photo, it is uploaded to the attacker's server.

Additionally, the malicious app displays a QR image along with two fields (one labeled "Enter track number" by default) and waits for the user to view/scan it. If the user interacts and then taps Confirm, the app immediately plays a download animation. Behind this, the malware records that interaction and then follows the attacker's next command from the control server.

Also, the RAT can display a single text field for the user to fill in. When the user taps Confirm, the app displays the download animation, records the entered text, and acts on the server's next instruction. It also contains a fake support chat feature where any entered information is sent to cybercriminals.

During the malware's presence, threat actors can get information on its status. They can check when the malicious app is launched, minimized, or closed.

Other capabilities

The RAT includes a tool that reads incoming push notifications. It sends the notification data to the attacker's server. If possible, the malware then deletes or hides the notification so the user never sees it. This lets attackers capture sensitive info. Another RAT's tool can access SMS messages and collect their contents.

Also, Delivery RAT ensures it runs after each device restart. As soon as the device boots, it launches a specific service that reconnects to the attacker's server and maintains active communication.

Furthermore, the malware can send SMS to all contacts, execute USSD commands, change its app icon, and hide or show the launcher icon. It can also open a screen requesting contact access and collect/send the full contact list, send SMS to specified numbers, and perform HTTP requests to launch DDoS attacks.

Conclusion

DeliveryRAT is a persistent Android trojan that requests various permissions and maintains a live connection. It can covertly collect and exfiltrate sensitive data (messages, notifications, contacts, files, and credentials), interact with users via fake screens or chats, send messages from the device, and more.

Victims of this malware can encounter various issues, from monetary loss to identity theft. Thus, it should be removed from compromised devices as soon as possible. More examples of Android malware are GhostGrab, Herodotus, and ClayRat.

How did Delivery RAT infiltrate my device?

Malware can be delivered via deceptive messages or emails containing malicious links or files, as well as malicious advertisements (including fake warnings and other pop-ups) on shady websites. Cybercriminals also use fake websites or third-party app stores to trick users into installing malicious apps on their devices.

In other cases, threat actors can use software vulnerabilities to deploy malware.

How to avoid installation of malware?

Download apps solely from official platforms (like Google Play) and websites. Do not click links or open files in irrlevant, unexpected texts, emails, or other messages from unknown senders. Regularly update your system and apps, use Google Play Protect, and a trusted mobile security app.

Additionally, do not trust advertisements or other content encountered on suspicious sites.

Quick menu:

• Introduction
• How to delete browsing history from the Chrome web browser?
• How to disable browser notifications in the Chrome web browser?
• How to reset the Chrome web browser?
• How to delete browsing history from the Firefox web browser?
• How to disable browser notifications in the Firefox web browser?
• How to reset the Firefox web browser?
• How to uninstall potentially unwanted and/or malicious applications?
• How to boot the Android device in "Safe Mode"?
• How to check the battery usage of various applications?
• How to check the data usage of various applications?
• How to install the latest software updates?
• How to reset the system to its default state?
• How to disable applications that have administrator privileges?

Delete browsing history from the Chrome web browser:

Tap the "Menu" button (three dots on the right-upper corner of the screen) and select "History" in the opened dropdown menu.

Tap "Clear browsing data", select "ADVANCED" tab, choose the time range and data types you want to delete and tap "Clear data".

[Back to Table of Contents]

Disable browser notifications in the Chrome web browser:

Tap the "Menu" button (three dots on the right-upper corner of the screen) and select "Settings" in the opened dropdown menu.

Scroll down until you see "Site settings" option and tap it. Scroll down until you see "Notifications" option and tap it.

Find the websites that deliver browser notifications, tap on them and click "Clear & reset". This will remove permissions granted for these websites to deliver notifications. However, once you visit the same site again, it may ask for a permission again. You can choose whether to give these permissions or not (if you choose to decline the website will go to "Blocked" section and will no longer ask you for the permission).

[Back to Table of Contents]

Reset the Chrome web browser:

Go to "Settings", scroll down until you see "Apps" and tap it.

Scroll down until you find "Chrome" application, select it and tap "Storage" option.

Tap "MANAGE STORAGE", then "CLEAR ALL DATA" and confirm the action by taping "OK". Note that resetting the browser will eliminate all data stored within. This means that all saved logins/passwords, browsing history, non-default settings and other data will be deleted. You will also have to re-login into all websites as well.

[Back to Table of Contents]

Delete browsing history from the Firefox web browser:

Tap the "Menu" button (three dots on the right-upper corner of the screen) and select "History" in the opened dropdown menu.

Scroll down until you see "Clear private data" and tap it. Select data types you want to remove and tap "CLEAR DATA".

[Back to Table of Contents]

Disable browser notifications in the Firefox web browser:

Visit the website that is delivering browser notifications, tap the icon displayed on the left of URL bar (the icon will not necessarily be a "Lock") and select "Edit Site Settings".

In the opened pop-up opt-in the "Notifications" option and tap "CLEAR".

[Back to Table of Contents]

Reset the Firefox web browser:

Go to "Settings", scroll down until you see "Apps" and tap it.

Scroll down until you find "Firefox" application, select it and tap "Storage" option.

Tap "CLEAR DATA" and confirm the action by taping "DELETE". Note that resetting the browser will eliminate all data stored within. This means that all saved logins/passwords, browsing history, non-default settings and other data will be deleted. You will also have to re-login into all websites as well.

[Back to Table of Contents]

Uninstall potentially unwanted and/or malicious applications:

Go to "Settings", scroll down until you see "Apps" and tap it.

Scroll down until you see a potentially unwanted and/or malicious application, select it and tap "Uninstall". If, for some reason, you are unable to remove the selected app (e.g., you are prompted with an error message), you should try using the "Safe Mode".

[Back to Table of Contents]

Boot the Android device in "Safe Mode":

The "Safe Mode" in Android operating system temporarily disables all third-party applications from running. Using this mode is a good way to diagnose and solve various issues (e.g., remove malicious applications that prevent users you from doing so when the device is running "normally").

Push the "Power" button and hold it until you see the "Power off" screen. Tap the "Power off" icon and hold it. After a few seconds the "Safe Mode" option will appear and you'll be able run it by restarting the device.

[Back to Table of Contents]

Check the battery usage of various applications:

Go to "Settings", scroll down until you see "Device maintenance" and tap it.

Tap "Battery" and check the usage of each application. Legitimate/genuine applications are designed to use as low energy as possible in order to provide the best user experience and to save power. Therefore, high battery usage may indicate that the application is malicious.

[Back to Table of Contents]

Check the data usage of various applications:

Go to "Settings", scroll down until you see "Connections" and tap it.

Scroll down until you see "Data usage" and select this option. As with battery, legitimate/genuine applications are designed to minimize data usage as much as possible. This means that huge data usage may indicate presence of malicious application. Note that some malicious applications might be designed to operate when the device is connected to wireless network only. For this reason, you should check both Mobile and Wi-Fi data usage.

If you find an application that uses a lot of data even though you never use it, then we strongly advise you to uninstall it as soon as possible.

[Back to Table of Contents]

Install the latest software updates:

Keeping the software up-to-date is a good practice when it comes to device safety. The device manufacturers are continually releasing various security patches and Android updates in order to fix errors and bugs that can be abused by cyber criminals. An outdated system is way more vulnerable, which is why you should always be sure that your device's software is up-to-date.

Go to "Settings", scroll down until you see "Software update" and tap it.

Tap "Download updates manually" and check if there are any updates available. If so, install them immediately. We also recommend to enable the "Download updates automatically" option - it will enable the system to notify you once an update is released and/or install it automatically.

[Back to Table of Contents]

Reset the system to its default state:

Performing a "Factory Reset" is a good way to remove all unwanted applications, restore system's settings to default and clean the device in general. However, you must keep in mind that all data within the device will be deleted, including photos, video/audio files, phone numbers (stored within the device, not the SIM card), SMS messages, and so forth. In other words, the device will be restored to its primal state.

You can also restore the basic system settings and/or simply network settings as well.

Go to "Settings", scroll down until you see "About phone" and tap it.

Scroll down until you see "Reset" and tap it. Now choose the action you want to perform:
"Reset settings" - restore all system settings to default;
"Reset network settings" - restore all network-related settings to default;
"Factory data reset" - reset the entire system and completely delete all stored data;

[Back to Table of Contents]

Disable applications that have administrator privileges:

If a malicious application gets administrator-level privileges it can seriously damage the system. To keep the device as safe as possible you should always check what apps have such privileges and disable the ones that shouldn't.

Go to "Settings", scroll down until you see "Lock screen and security" and tap it.

Scroll down until you see "Other security settings", tap it and then tap "Device admin apps".

Identify applications that should not have administrator privileges, tap them and then tap "DEACTIVATE".

Frequently Asked Questions (FAQ)

My device is infected with Delivery RAT malware, should I format my storage device to get rid of it?

You can remove DeliveryRAT by formatting the device, but this will erase all your data. As a safer alternative, use a trusted security app like Combo Cleaner to scan and clean the device without losing information.

What are the biggest issues that malware can cause?

The malware can give attackers remote access, compromise systems, and install additional harmful tools. It may also steal personal information or encrypt files, potentially leading to data loss, financial theft, identity theft, and other serious issues.

What is the purpose of Delivery RAT?

The purpose of DeliveryRAT is to gain full control over an infected Android device in order to steal sensitive information (like SMS, contacts, bank card details, photos, and device identifiers), intercept communications, trick users with fake screens or forms, and carry out remote actions such as sending messages or performing network attacks.

How did Delivery RAT infiltrate my device?

Malware can spread through malicious links or attachments in messages or emails, fake ads or pop-ups on suspicious websites, and fraudulent websites or third-party app stores that trick users into installing infected apps. It can also be delivered by exploiting software vulnerabilities.

Will Combo Cleaner protect me from malware?

Combo Cleaner can detect and remove most malware, but sophisticated threats may hide deep within the system. To ensure all components are eliminated, users should perform a full device scan.