Security researchers have found a new Android malware strain that has been designed to steal data from mobile instant messaging clients.
This new trojan is quite simple in its design, researchers from cyber-security firm Trustlook said in a report published on Monday.
Trojan has only a handful of features
The trojan has only a few capabilities. The first is boot persistence: it unpacks code from the infected app’s resources and attempts to modify the “/system/etc/install-recovery.sh” file, a script Android runs at boot. If the write succeeds, the malware is launched on every boot. On a stock device the /system partition is mounted read-only, so this step only succeeds where the malware already has root access.
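A quick way to check a device for this persistence trick is to pull install-recovery.sh and compare it against what a stock script does. The following audit is an added example (not Trustlook's tooling or the malware's code): a stock script only runs applypatch and log, so any other command, or any reference to a writable app/data location, is flagged. The sample scripts are constructed; the partition paths, hashes and the dropped-payload paths are made up for illustration.

```python
"""Audit an Android /system/etc/install-recovery.sh for injected commands.

Added example, not Trustlook's code or the malware's. Stock scripts only
re-flash the recovery partition with applypatch and log a message; any
other command, or any reference to a writable app/data path, is a sign the
file was tampered with (which on a stock device requires root, since
/system is mounted read-only).
"""
import re
import shlex

# Commands found in an AOSP-generated install-recovery.sh.
EXPECTED_COMMANDS = {"applypatch", "log", "exit", "if", "then", "else", "fi", "!"}

# Writable locations a stock script never touches; malware drops payloads there.
SUSPICIOUS_PATH_RE = re.compile(r"/(data|sdcard|storage|mnt/sdcard)/")


def audit_install_recovery(script_text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, reason, line) for every line that departs from stock behaviour."""
    findings = []
    for no, raw in enumerate(script_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines, comments, shebang
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            findings.append((no, "unparseable line", raw))
            continue
        # Skip shell keywords so the real command is tokens[0].
        while tokens and tokens[0] in ("if", "!", "then", "else"):
            tokens.pop(0)
        if not tokens:
            continue
        cmd = tokens[0].rsplit("/", 1)[-1]         # basename of the command
        if cmd not in EXPECTED_COMMANDS:
            findings.append((no, f"unexpected command '{cmd}'", raw))
        elif SUSPICIOUS_PATH_RE.search(line):
            findings.append((no, "references writable path", raw))
    return findings


# Constructed stand-in for a stock script (partition paths and hashes are made up).
STOCK_SCRIPT = """\
#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/bootdevice/by-name/recovery:10485760:0123456789abcdef; then
  applypatch -b /system/etc/recovery-resource.dat EMMC:/dev/block/bootdevice/by-name/boot:8388608:fedcba9876543210 EMMC:/dev/block/bootdevice/by-name/recovery 0123456789abcdef 10485760
else
  log -t recovery "Recovery image already installed"
fi
"""

# Constructed tampered copy: two lines appended to launch a dropped payload at boot
# (the payload paths are invented for illustration).
TAMPERED_SCRIPT = STOCK_SCRIPT + """\
/data/local/tmp/.svc/daemon &
sh /data/data/com.android.boxa/files/boot.sh
"""

if __name__ == "__main__":
    print("stock:", audit_install_recovery(STOCK_SCRIPT))
    for no, reason, line in audit_install_recovery(TAMPERED_SCRIPT):
        print(f"tampered line {no}: {reason}: {line}")
```

Pull the file with `adb shell su -c cat /system/etc/install-recovery.sh` (root is needed to read /system/etc on many builds) or extract it from the factory system image, and feed the text to `audit_install_recovery()`. Comparing the file's hash against the one from the vendor's firmware image is the stronger check; the allowlist above is for triage when no reference image is at hand.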
Second, the malware extracts data from the following Android IM clients and later uploads it to a remote server, whose IP address it reads from a local configuration file.
Voxer Walkie Talkie Messenger
Gruveo Magic Call
TalkBox Voice Messenger
Researchers spotted the malware inside a Chinese app named Cloud Module (in Chinese), with the package name com.android.boxa.
Simple features, but advanced evasion techniques
Trustlook researchers say that despite its narrow focus on stealing IM data, the malware uses a few advanced evasion techniques: anti-emulator and anti-debugger checks to evade dynamic analysis, and obfuscated string constants to slow down casual reverse engineering. For analysts, such checks are a cue to rerun a sample that stays dormant in a sandbox on a physical device, or to patch the checks out.
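When a sample does nothing in a sandbox, the string table of its dex is the fastest place to confirm these tricks are present. The triage below is an added example (not Trustlook's tooling): it buckets string constants into emulator-fingerprinting markers, debugger-detection markers, and blob-shaped high-entropy strings that are likely decrypted at runtime. The marker lists are the usual suspects an analyst greps for; SAMPLE_STRINGS is constructed for illustration and is not taken from the sample.

```python
"""Triage the string constants of a decompiled Android sample for the evasion
tricks described above: emulator fingerprinting, debugger detection and
encrypted/obfuscated strings.

Added example, not Trustlook's tooling. Feed it the string table from
`strings classes.dex` or a decompiler; SAMPLE_STRINGS below is constructed.
"""
import math
import re
from collections import Counter

# Properties and files commonly probed to fingerprint the Android emulator
# (goldfish/ranchu kernels, qemu props, generic/test-keys builds) or VM-based players.
EMULATOR_MARKERS = (
    "ro.kernel.qemu", "goldfish", "ranchu", "qemud", "qemu-props",
    "Android SDK built for", "generic_x86", "vbox86", "test-keys",
)
# Framework APIs and /proc fields used to detect an attached debugger or ptrace tracer.
DEBUGGER_MARKERS = (
    "isDebuggerConnected", "waitingForDebugger", "android/os/Debug",
    "TracerPid", "/proc/self/status",
)
# Base64/alphanumeric-only blobs: what encrypted string constants look like in a dex.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]+$")


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; ciphertext and base64 score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_encrypted(s: str, min_len: int = 20, threshold: float = 4.0) -> bool:
    """Long, blob-shaped and high-entropy: likely a string the code decrypts at runtime."""
    return len(s) >= min_len and BLOB_RE.match(s) is not None and shannon_entropy(s) >= threshold


def triage_strings(strings):
    """Bucket strings by evasion technique; a string lands in at most one bucket."""
    report = {"emulator": [], "debugger": [], "encrypted": []}
    for s in strings:
        if any(m in s for m in EMULATOR_MARKERS):
            report["emulator"].append(s)
        elif any(m in s for m in DEBUGGER_MARKERS):
            report["debugger"].append(s)
        elif looks_encrypted(s):
            report["encrypted"].append(s)
    return report


# Constructed string table mixing plain identifiers with evasion indicators.
SAMPLE_STRINGS = [
    "com.android.boxa",
    "/system/etc/install-recovery.sh",
    "ro.kernel.qemu",
    "goldfish",
    "Landroid/os/Debug;->isDebuggerConnected()Z",
    "/proc/self/status",
    "Upload finished",
    "K7f9xQ2mZp8Lw3vRt6Hn1Bc4YsJ0dEuA",
]

if __name__ == "__main__":
    for bucket, hits in triage_strings(SAMPLE_STRINGS).items():
        print(f"{bucket}: {hits}")
```

The entropy test only fires on strings that are entirely base64/alphanumeric characters, so paths, class descriptors and UI text are never mistaken for ciphertext. A non-empty "encrypted" bucket is the cue to locate the decryption routine (usually a small static method called on every such constant) and hook or re-implement it to recover the real strings, including the configuration file name and server address.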
It is unusual for Android malware to ship with a single function, in this case extracting and exfiltrating IM data. One theory for this design choice is that the attackers are collecting private conversations, images, and videos to find sensitive material they could later use in extortion attempts, especially against high-profile victims.
Researchers have not shared any details on the malware’s distribution, but given that the app has a Chinese name and that the Play Store is not available in China, the authors may be distributing it via third-party app stores and links on Android app forums.