Researchers at cyber-security firm Trustlook Labs have discovered an Android trojan which, once installed, can execute its malicious software every time a device is loaded up, and steal data from some of the most popular Android apps.
The malware’s module attempts to modify the “/system/etc/install-recovery.sh” file to maintain persistence on the device. The malware’s primary goal is to steal the user’s messenger app information.
The most alarming aspect of the malware is that it can extract data from a number of popular messaging and social media apps. Popular apps that are affected include Facebook Messenger, Twitter, Skype, Telegram, Weibo and Line.
The company said:
“Trustlook Labs has discovered a Trojan which obfuscates its configuration file and part of its modules. The purpose of the content/file obfuscation is to avoid detection.”
“Code obfuscation/hiding increases the malware author’s ability to avoid detection and becomes a sophisticated challenge to anti-virus software.”
The current list of apps the Android malware strain can reportedly steal data from is:
- Facebook Messenger
- Voxer Walkie Talkie Messenger
- Gruveo Magic Call
- TalkBox Voice Messenger
Trustlook researchers spotted the malware inside a Chinese app called Cloud Module, with the package name listed as com.android.boxa.
Despite its simplistic design, the malware uses a number of techniques to evade detection. It obfuscates its configuration file and part of its modules, which makes it harder for anti-virus software to find, and it uses anti-emulator and debugger detection techniques to evade dynamic analysis.
It also hides strings to avoid being detected. For example, strings are stored in arrays and XOR-encrypted with the key 24; the malware XORs them again at runtime to recover the real strings. The configuration file contains the C&C server and other values that the malware uses to contact its controller.
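As an added illustration of the string-hiding technique just described (this is example code written for this article, not code from Trustlook or from the malware), the following Python routine recovers strings from integer arrays that have been XOR-encoded with the key 24. The array layout (a plain list of byte values) is an assumption, and every sample array below is constructed for the demonstration; the article does not print the real configuration values, so a placeholder host stands in for the C&C server.

```python
# Added example: undoing single-byte XOR (key 24) string obfuscation of the
# kind the article describes. Assumes each hidden string is stored as a list
# of integer byte values; the sample arrays are constructed, not real data.

XOR_KEY = 24  # the key reported in the article (0x18)


def xor_decode(values, key=XOR_KEY):
    """Return the plaintext hidden in a XOR-obfuscated integer array."""
    return bytes(v ^ key for v in values).decode("utf-8", errors="replace")


def xor_encode(text, key=XOR_KEY):
    """Inverse of xor_decode; used here only to build constructed samples."""
    return [b ^ key for b in text.encode("utf-8")]


def looks_like_string(values, key=XOR_KEY, min_len=4):
    """Heuristic for scanning unknown arrays during analysis: True when
    decoding yields at least min_len bytes that are mostly printable ASCII."""
    if len(values) < min_len:
        return False
    decoded = bytes(v ^ key for v in values)
    printable = sum(32 <= b < 127 for b in decoded)
    return printable / len(decoded) >= 0.9


def recover_strings(arrays, key=XOR_KEY):
    """Decode every array that plausibly hides a string; skip the rest."""
    return [xor_decode(a, key) for a in arrays if looks_like_string(a, key)]


# Constructed samples: the persistence script name from the article and a
# placeholder host; the real C&C value is not given in the article.
SAMPLE_ARRAYS = [
    xor_encode("install-recovery.sh"),
    xor_encode("c2.example.invalid"),  # placeholder, not the real server
    [0, 1, 2],                         # too short to be text: skipped
]

if __name__ == "__main__":
    for recovered in recover_strings(SAMPLE_ARRAYS):
        print(recovered)
```

The printable-ratio heuristic is what makes the scan useful on a real sample: an analyst can run it over every integer array pulled from the decompiled code and keep only those that decode to readable text, which is typically where file paths, package names and server addresses turn up.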
The researchers did not divulge how the malware was distributed, but given that the malware had a Chinese name and the Google Play Store does not operate in China, it may be distributed via third-party stores.