Researchers at cyber-security firm Trustlook Labs have identified a new Android Trojan that steals data from all mainstream mobile instant messaging apps. The targeted apps are listed below:
Twitter
Skype
Viber
Weibo
Line
Coco
BeeTalk
Tencent WeChat
Gruveo Magic Call
Telegram Messenger
Facebook Messenger
Voxer Walkie-Talkie Messenger
TalkBox Voice Messenger
Momo
According to the researchers’ blog post, the malware can effectively hide its configuration file and some of its modules to evade detection. In their report, published on Monday, the researchers noted that this malware is not as sophisticated as those discovered previously and has limited capabilities.
Its main task is to collect sensitive user data from instant messaging apps and IM clients. Once the malware successfully infects an app, it modifies the “/system/etc/install-recovery.sh” file so that the file is executed every time the infected app is opened.
The Trojan uses anti-emulator and debugger detection to evade dynamic analysis, and it hides its strings. It also stores some of its modules in its Assets folder, all of them in encrypted form. In some modules, such as “sx”, “sy”, “coso” and “dmnso”, the first byte of the module serves as the XOR key for decrypting the data.
For instance, the “coso” module in the Assets folder decrypts to an ELF binary. Information about the malware’s C&C server and other settings is stored in the configuration file, which the malware reads whenever it has to communicate with the attacker. The stolen data is sent to a remote server.
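The decryption scheme described above (the first byte of a module is the XOR key, and the decrypted output is expected to be an ELF image) can be turned into a quick triage check for suspicious files in an APK’s assets folder. The following Python is an added example, not code from Trustlook Labs or from the article: it assumes, because the article does not say, that the key byte itself is not part of the payload and is stripped before decoding, and the “coso” and “logo.png” blobs below are constructed for the demonstration rather than taken from the real malware.

```python
import struct
from typing import Dict, Optional

ELF_MAGIC = b"\x7fELF"


def xor_decode_first_byte(blob: bytes) -> bytes:
    """Decode a module whose first byte is a single-byte XOR key.

    Assumption (not stated in the article): the key byte is not part of the
    payload, so it is dropped and every following byte is XORed with it.
    """
    if len(blob) < 2:
        raise ValueError("module too short to hold a key byte and a payload")
    key = blob[0]
    return bytes(b ^ key for b in blob[1:])


def looks_like_elf(data: bytes) -> bool:
    """True if the data starts with the ELF magic bytes."""
    return data[:4] == ELF_MAGIC


def describe_elf(data: bytes) -> Optional[str]:
    """Summarise class, endianness and machine of an ELF header (or None)."""
    if not looks_like_elf(data) or len(data) < 20:
        return None
    ei_class = {1: "ELF32", 2: "ELF64"}.get(data[4], "unknown-class")
    ei_data = {1: "little-endian", 2: "big-endian"}.get(data[5], "unknown-endianness")
    endian = "<" if data[5] == 1 else ">"
    # e_machine is a 16-bit field at offset 18 in both ELF32 and ELF64 headers.
    e_machine = struct.unpack_from(endian + "H", data, 18)[0]
    machine = {0x28: "ARM", 0xB7: "AArch64", 0x03: "x86", 0x3E: "x86-64"}.get(
        e_machine, hex(e_machine)
    )
    return f"{ei_class} {ei_data} {machine}"


def triage_module(name: str, blob: bytes) -> dict:
    """Report whether an asset decodes to an ELF image under the first-byte XOR scheme."""
    result = {"name": name, "size": len(blob), "key": None,
              "decoded_elf": False, "elf_info": None}
    if len(blob) < 2:
        return result
    result["key"] = blob[0]
    decoded = xor_decode_first_byte(blob)
    if looks_like_elf(decoded):
        result["decoded_elf"] = True
        result["elf_info"] = describe_elf(decoded)
    return result


def triage_assets(assets: Dict[str, bytes]) -> Dict[str, dict]:
    """Run the check over every (name -> bytes) asset of an unpacked APK."""
    return {name: triage_module(name, blob) for name, blob in assets.items()}


# --- Constructed sample input (not real malware bytes) ---------------------
# A minimal ELF32 little-endian ARM header followed by filler, then "encrypted"
# with a single key byte prepended, mimicking the scheme described in the report.
_SAMPLE_KEY = 0x5A
_FAKE_ELF = (
    ELF_MAGIC
    + bytes([1, 1, 1, 0])          # EI_CLASS=ELF32, EI_DATA=LE, EI_VERSION, EI_OSABI
    + b"\x00" * 8                  # padding to offset 16
    + struct.pack("<HH", 2, 0x28)  # e_type=EXEC, e_machine=ARM
    + b"constructed payload bytes"
)
SAMPLE_ASSETS: Dict[str, bytes] = {
    "coso": bytes([_SAMPLE_KEY]) + bytes(b ^ _SAMPLE_KEY for b in _FAKE_ELF),
    "logo.png": b"PNG-like constructed data that is not a hidden module",
}

if __name__ == "__main__":
    for name, info in triage_assets(SAMPLE_ASSETS).items():
        flag = "HIDDEN ELF" if info["decoded_elf"] else "no match"
        print(f"{name:10s} key=0x{info['key']:02x} {flag} {info['elf_info'] or ''}")
```

Running the check over every file in an unpacked APK’s assets directory, rather than over the constructed dictionary above, only requires reading each file into the same mapping; any asset that decodes to a valid ELF header under this scheme is a strong candidate for manual analysis, since legitimate apps have no reason to ship a XOR-obscured native binary in assets.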
It has a very simple and straightforward design with a one-directional attack approach. However, the evasion techniques it adopts are fairly advanced, which makes it difficult for anti-virus software to detect.
Given that this Android Trojan has a single objective, stealing data, it is apparent that the malware’s operators are after the sensitive data exchanged in private conversations. This may include images and videos, since such material can be used for extortion.
The malware’s distribution method is still unknown to the researchers. According to Trustlook Labs, the malware was discovered in Cloud Module, a Chinese app; the package containing the malware was identified as com.android.boxa.
New Android Malware Stealing Data from Popular Messenger Apps