Android Trojan Steals Data From Facebook Messenger, Skype, Other IM Clients

Security researchers have found a new Android malware strain that has been designed to steal data from mobile instant messaging clients.

This new trojan is quite simple in its design, researchers from cyber-security firm Trustlook said in a report published on Monday.

Trojan has only a handful of features
The trojan has only a few abilities. The first is boot persistence: it unpacks code from the infected app's resources that tries to modify the /system/etc/install-recovery.sh file, a script that init runs at boot, so that a successful edit gets the malware executed on every startup. On a stock device /system is mounted read-only and owned by root, so this step can only succeed on a rooted phone or one where the app has otherwise gained write access to the system partition.

Second, the malware harvests data from the following Android IM clients and later uploads it to a remote server, whose IP address it reads from a local configuration file.


Facebook Messenger
Skype
Telegram
Twitter
WeChat
Weibo
Viber
Line
Coco
BeeTalk
Momo
Voxer Walkie Talkie Messenger
Gruveo Magic Call
TalkBox Voice Messenger
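A triage check for the persistence step described above, as an added example that is neither Trustlook's code nor the sample's: it inspects an install-recovery.sh pulled from a device (for instance with adb pull /system/etc/install-recovery.sh) and flags lines that a stock AOSP script never contains. The indicator list is an assumed heuristic for illustration, and the two sample files are constructed here, with placeholder partition paths, sizes and hashes.

```shell
#!/bin/sh
# Added example, not Trustlook's code or the sample's: a quick triage check
# for a /system/etc/install-recovery.sh pulled from a device with
#   adb pull /system/etc/install-recovery.sh ./install-recovery.sh
# The stock AOSP script does nothing but call applypatch and log inside an
# if/else, so any line touching /data or /sdcard, changing permissions,
# spawning a shell, or backgrounding a process is worth a look. The keyword
# list is an assumed heuristic for illustration, not a signature.

# suspicious_lines FILE -> print non-comment lines matching an indicator
suspicious_lines() {
    grep -vE '^[[:space:]]*(#|$)' "$1" \
      | grep -E '/data/|/sdcard/|chmod|chown|nohup|sh -c|exec |busybox|[^&]&[[:space:]]*$' \
      || true
}

# check_install_recovery FILE -> exit 0 if it looks stock, 1 if flagged
check_install_recovery() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    hits=$(suspicious_lines "$f")
    if [ -n "$hits" ]; then
        printf 'suspicious lines in %s:\n%s\n' "$f" "$hits"
        return 1
    fi
    echo "$f looks like the stock install-recovery.sh"
}

# write_samples -> create two constructed files in a temp dir, print the dir.
# Partition paths, sizes and hashes are placeholders, not from a real device.
write_samples() {
    d=$(mktemp -d)
    cat > "$d/stock.sh" <<'EOF'
#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/bootdevice/by-name/recovery:1024:0000000000000000000000000000000000000000; then
  applypatch -b /system/etc/recovery-resource.dat EMMC:/dev/block/bootdevice/by-name/boot:1024:1111111111111111111111111111111111111111 EMMC:/dev/block/bootdevice/by-name/recovery 0000000000000000000000000000000000000000 1024 1111111111111111111111111111111111111111:/system/recovery-from-boot.p && log -t recovery "Installing new recovery image: succeeded" || log -t recovery "Installing new recovery image: failed"
else
  log -t recovery "Recovery image already installed"
fi
EOF
    cat > "$d/tampered.sh" <<'EOF'
#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/bootdevice/by-name/recovery:1024:0000000000000000000000000000000000000000; then
  log -t recovery "Recovery image already installed"
fi
# constructed persistence line of the kind an implant would append
chmod 755 /data/local/tmp/.svc && nohup /data/local/tmp/.svc &
EOF
    echo "$d"
}

# Stand-alone run over the constructed samples.
main() {
    d=$(write_samples)
    for f in "$d/stock.sh" "$d/tampered.sh"; do
        check_install_recovery "$f" || :   # keep going after a flagged file
    done
}
main
```

On a real device the stock script differs per OEM, so a mismatch against the vendor's known-good copy (or the file's hash from a factory image) is the stronger signal; the keyword pass is only a first cut for a file you have no reference for.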


Researchers spotted the malware inside a Chinese app named Cloud Module (the name is in Chinese), with the package name com.android.boxa, which mimics the com.android prefix used by Android system components.

Simple features, but advanced evasion techniques
Trustlook researchers say that despite the singular focus on stealing IM data, the malware uses a few advanced evasion techniques. For example, it uses anti-emulator and debugger detection to evade dynamic analysis, and it obfuscates strings in its code to thwart cursory reverse-engineering attempts.
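The report does not say which checks this trojan performs, so the following is an added illustration, not code from the sample or from Trustlook: the kind of system-property test Android malware uses to recognise an emulator, written as a shell script over the output of adb shell getprop so an analyst can see which properties a sandbox has to spoof. The property names are real Android build properties; the two getprop dumps are constructed here.

```shell
#!/bin/sh
# Added example, not code from the sample or from Trustlook. It shows the
# kind of system-property check Android malware uses to detect an emulator,
# here written over the "[key]: [value]" output of `adb shell getprop` so
# an analyst can see which properties a sandbox must spoof. The property
# names are real Android build properties; which checks this trojan actually
# performs is not disclosed in the report.

# prop FILE KEY -> value of KEY from a "[key]: [value]" getprop dump
prop() {
    sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p" "$1"
}

# emulator_indicators FILE -> one line per indicator that matched
emulator_indicators() {
    f="$1"
    # the goldfish/ranchu emulator kernels set ro.kernel.qemu=1
    [ "$(prop "$f" ro.kernel.qemu)" = "1" ] && echo "ro.kernel.qemu=1"
    case "$(prop "$f" ro.hardware)" in
        goldfish|ranchu) echo "ro.hardware=$(prop "$f" ro.hardware)" ;;
    esac
    case "$(prop "$f" ro.product.model)" in
        *sdk*|*SDK*|*Emulator*) echo "ro.product.model=$(prop "$f" ro.product.model)" ;;
    esac
    case "$(prop "$f" ro.build.fingerprint)" in
        generic*) echo "ro.build.fingerprint starts with generic" ;;
    esac
    return 0
}

# is_emulator FILE -> exit 0 when at least one indicator matched
is_emulator() {
    [ -n "$(emulator_indicators "$1")" ]
}

# write_samples -> two constructed getprop dumps in a temp dir, print the dir
write_samples() {
    d=$(mktemp -d)
    cat > "$d/emulator.txt" <<'EOF'
[ro.build.fingerprint]: [generic/sdk_phone_x86/generic_x86:8.0.0/BUILD.ID/1234:userdebug/test-keys]
[ro.hardware]: [ranchu]
[ro.kernel.qemu]: [1]
[ro.product.model]: [Android SDK built for x86]
EOF
    cat > "$d/phone.txt" <<'EOF'
[ro.build.fingerprint]: [vendor/device/device:8.1.0/BUILD.ID/1234:user/release-keys]
[ro.hardware]: [qcom]
[ro.product.model]: [Example Phone]
EOF
    echo "$d"
}

# Stand-alone run over the constructed dumps.
main() {
    d=$(write_samples)
    for f in "$d/emulator.txt" "$d/phone.txt"; do
        if is_emulator "$f"; then
            echo "$f: emulator"; emulator_indicators "$f" | sed 's/^/  /'
        else
            echo "$f: looks like real hardware"
        fi
    done
}
main
```

An app reads the same properties through android.os.Build and SystemProperties, so a sandbox that only patches one of them (say ro.kernel.qemu) still fails the fingerprint or model test; an analysis environment needs all of them set to device-like values before a sample with these checks will detonate.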

It is unusual for Android malware to ship with a single function, in this case extracting and exfiltrating IM data. One theory for this design choice is that the attackers are collecting private conversations, images, and videos in order to identify sensitive material they could later leverage in extortion attempts, especially against high-profile victims.

Researchers have not shared any information on the malware's distribution methods, but given that the app has a Chinese name and that Google Play is not available in China, the authors may be distributing the malicious app via third-party stores and links on Android app forums.
