A new Android Trojan has been identified by researchers at Trustlook Labs, a cybersecurity firm. The Trojan was caught stealing data from almost all of the mainstream mobile instant messaging (IM) clients.
According to the Trustlook Labs blog post, the Trojan hides its configuration file and several of its modules effectively enough to dodge detection. The researchers' report, published on Monday, noted that the malware is not as sophisticated as some discovered before it and has only a handful of capabilities.
The Trojan's main goal is to collect sensitive data about the user from instant messaging apps. Once installed, it modifies the file "/system/etc/install-recovery.sh", a script that Android's init process runs at boot, so that the malicious code is launched every time the device starts. Writing to /system requires root, so this persistence step only works on a rooted device. Because the malware uses anti-debugger and anti-emulator checks to evade dynamic analysis and obfuscates its strings, it is hard for on-device security programs to detect it.
The malware also ships several of its modules in its Assets folder in encrypted form. For modules such as "coso", "dmnso", "sx" and "sy", the first byte of the asset is used as a single-byte XOR key for the rest of the data. For example, the "coso" asset from the Assets folder decrypts into an ELF binary. The details of the Command and Control (C&C) server and the malware's other settings are stored in the configuration file, which the malware reads every time it has to contact the operators. It then transfers the stolen data from the infected device to that remote server.
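The following is an added example, not code from Trustlook Labs or from the malware, that reproduces the single-byte XOR scheme described above: the first byte of an encrypted asset is the key, and the remaining bytes are XORed with it. It also goes one step beyond the article with a brute-force key recovery that checks each of the 256 candidate keys against the known ELF magic, which works even when the key is not stored in band. The asset names "coso" and "dmnso" come from the article; every byte string in the block is constructed here for illustration and is not a real sample. The assumption that the key byte is excluded from the payload is labelled in the code.

```python
# Added example, not code from Trustlook Labs or the malware itself.
# Reproduces the single-byte XOR scheme described in the article: the first
# byte of an encrypted asset is the key for the remaining bytes. The asset
# names "coso" and "dmnso" come from the article; all byte strings below are
# constructed for this example and are not real malware samples.

from typing import Dict, Optional

ELF_MAGIC = b"\x7fELF"


def decrypt_module(blob: bytes) -> bytes:
    """Return the plaintext of an asset whose first byte is the XOR key.

    Assumption: the key byte itself is not part of the payload. XORing it
    with itself would always give 0x00, so it cannot carry information.
    """
    if len(blob) < 2:
        raise ValueError("blob must contain a key byte and at least one payload byte")
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def encrypt_module(plaintext: bytes, key: int) -> bytes:
    """Inverse of decrypt_module; used here only to build sample input."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte value")
    return bytes([key]) + bytes(b ^ key for b in plaintext)


def is_elf(data: bytes) -> bool:
    """True if the data begins with the ELF magic (0x7f 'E' 'L' 'F')."""
    return data[:4] == ELF_MAGIC


def triage_assets(assets: Dict[str, bytes]) -> Dict[str, bool]:
    """For each asset, report whether first-byte XOR decryption yields an
    ELF image. Assets too short to hold a key and payload are False."""
    result: Dict[str, bool] = {}
    for name, blob in assets.items():
        try:
            result[name] = is_elf(decrypt_module(blob))
        except ValueError:
            result[name] = False
    return result


def recover_key_by_magic(blob: bytes, offset: int = 1,
                         magic: bytes = ELF_MAGIC) -> Optional[int]:
    """Brute-force a single-byte XOR key using a known header.

    Beyond the article: even if the key were not stored in the first byte,
    trying all 256 keys against the expected magic at a given offset is
    cheap. Returns the matching key, or None if no key produces the magic.
    """
    window = blob[offset:offset + len(magic)]
    if len(window) < len(magic):
        return None
    for key in range(256):
        if bytes(b ^ key for b in window) == magic:
            return key
    return None


# Constructed sample input: a fake ELF header plus filler, and a plain-text
# configuration, each encrypted under a different key, plus an unencrypted
# PNG header to show a non-matching asset.
FAKE_ELF = ELF_MAGIC + bytes.fromhex("01010100") + b"\x00" * 8 + b"\x02\x00\x28\x00"
FAKE_CONFIG = b"c2=example.invalid:443\nmod=coso,dmnso\n"

SAMPLE_ASSETS: Dict[str, bytes] = {
    "coso": encrypt_module(FAKE_ELF, 0x5A),
    "dmnso": encrypt_module(FAKE_ELF, 0xA7),
    "cfg": encrypt_module(FAKE_CONFIG, 0x33),   # decrypts fine, but is not an ELF
    "icon.png": b"\x89PNG\r\n\x1a\n",             # not encrypted at all
}

if __name__ == "__main__":
    verdicts = triage_assets(SAMPLE_ASSETS)
    for name, blob in SAMPLE_ASSETS.items():
        print(f"{name:9s} elf={verdicts[name]!s:5s} key={recover_key_by_magic(blob)}")
```

Run against an unpacked APK, `triage_assets` would take the raw contents of each file under `assets/`; anything that decrypts to an ELF image is a strong indicator of a packed native module and worth extracting for further analysis. The brute-force search is the more general tool: whenever a format with a fixed header is suspected, it finds the key without knowing where the malware stores it.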
The malware has a simple, straightforward design and a one-directional approach to its attack. Its evasion techniques, on the other hand, are comparatively advanced, since antivirus programs have a hard time detecting it on infected devices.
Since the main intent of the Trojan is stealing sensitive data, it is clear that the criminals controlling it want the information exchanged in private conversations on these instant messaging apps. This includes exchanged images, videos and other files that could be used for extortion.
At the time of writing, it is not yet known what distribution method the operators of this malware are using. According to the Trustlook Labs researchers, the Trojan was discovered in a Chinese app known as Cloud Module, with the malicious code contained in the package named "com.android.boxa". Third-party app stores are a likely distribution channel, which is why users are advised time and again to avoid such stores, since apps from these sources may be infected with malware.
Here is a list of the apps targeted by the Trojan:
- Magic Call
- Telegram Messenger
- Facebook Messenger
- Voxer Walkie-Talkie Messenger
- TalkBox Voice Messenger