Android Trojan Stealing User’s Messenger App Information

Researchers at cyber-security firm Trustlook Labs have discovered an Android trojan which, once installed, can execute its malicious software every time a device is loaded up, and steal data from some of the most popular Android apps.

The malware’s module attempts to modify the “/system/etc/install-recovery.sh” file to maintain persistence on the device. The malware’s primary goal is to steal the user’s messenger app information.

The most alarming aspect of the malware is it can extract data from a number of popular messaging and social media apps. Popular apps that are affected include Facebook Messenger, Twitter, Skype, Telegram, Weibo and Line.

The company said:

“Trustlook Labs has discovered a Trojan which obfuscates its configuration file and part of its modules. The purpose of the content/file obfuscation is to avoid detection.”

They added:

“Code obfuscation/hiding increases the malware author’s ability to avoid detection and becomes a sophisticated challenge to anti-virus software.”

The current list of apps the Android malware strain can reportedly steal data from is:

  • Facebook Messenger
  • Skype
  • Telegram
  • Twitter
  • WeChat
  • Weibo
  • Viber
  • Line
  • Coco
  • BeeTalk
  • Momo
  • Voxer Walkie Talkie Messenger
  • Gruveo Magic Call
  • TalkBox Voice Messenger

Trustlook researchers spotted the malware inside a Chinese app called Cloud Module, with the package name listed as com.android.boxa.

Despite its simplistic design, the malware uses a number of techniques to evade detection. It obfuscates its configuration file and part of its modules, which makes them harder for anti-virus software to identify, and it uses anti-emulator and debugger detection to evade dynamic analysis.

It also hides its strings to avoid signature-based detection: strings are stored as arrays and XOR-encoded with the value 24, so the real strings only appear when they are decoded at run time. The configuration file contains the C&C server and the other values the malware uses to contact its controller.
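The string hiding described above is a single-byte XOR scheme, and an analyst reverses it by applying the same key to each stored value. The following is an added example, not code from the article or from Trustlook: it decodes an array with the reported key 24, shows the inverse (how such an array is produced), and goes one step beyond the text by recovering the key from an array when only a known fragment of the plaintext (a "crib" such as `http`) is expected. The sample array is constructed for this example and is not taken from the malware.

```python
"""Decode and recover single-byte XOR-obfuscated strings.

Added example. XOR_KEY = 24 is the value the article reports; the
SAMPLE_C2 array below is constructed for illustration, not real malware data.
"""
from __future__ import annotations

XOR_KEY = 24  # key reported for this sample

# Constructed: "http://c2.example.invalid" XOR-encoded byte-by-byte with 24.
SAMPLE_C2 = [112, 108, 108, 104, 34, 55, 55, 123, 42, 54, 125, 96, 121,
             117, 104, 116, 125, 54, 113, 118, 110, 121, 116, 113, 124]


def xor_decode(values: list[int], key: int = XOR_KEY) -> str:
    """XOR each stored value with the key and return the recovered string."""
    return "".join(chr(v ^ key) for v in values)


def xor_encode(text: str, key: int = XOR_KEY) -> list[int]:
    """Inverse of xor_decode: the array form an obfuscating build step emits."""
    return [ord(c) ^ key for c in text]


def recover_keys(values: list[int], crib: str) -> list[int]:
    """Return every single-byte key whose decoding contains the expected crib.

    XOR with a one-byte key is symmetric, so trying all 256 keys is cheap; the
    crib (a substring the analyst expects, e.g. "http" for a C&C URL) filters
    out the keys that merely produce printable garbage.
    """
    if not crib:
        raise ValueError("crib must be non-empty")
    return [key for key in range(256) if crib in xor_decode(values, key)]


if __name__ == "__main__":
    print("decoded with key 24:", xor_decode(SAMPLE_C2))
    print("keys consistent with crib 'http':", recover_keys(SAMPLE_C2, "http"))
```

Run over a real sample, the arrays would be lifted from the decompiled classes and the crib chosen from what the configuration is known to hold (a hostname, a scheme, a package name); any key returned by `recover_keys` is then confirmed by decoding the remaining arrays with it.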

The researchers did not divulge how the malware was distributed, but given that the app has a Chinese name and the Google Play Store does not operate in China, it may be distributed via third-party app stores.


Via Trustlook
