Android is the most popular operating system for smart devices. Because it is open source, powerful and flexible, most smartphone manufacturers ship it as their devices' OS. That popularity also makes it the mobile platform attackers target most. Recently, a new Android Trojan was identified that steals data from other apps, including Messenger, Twitter, Skype, WeChat, Viber and Line.
According to security researchers at Trustlook, the Trojan is simple in design but uses fairly advanced techniques to hide from the system and from analysis tools.
How the Android Trojan works
The Trojan first establishes boot persistence so that it runs every time the device starts. On launch, the malware unpacks its malicious payload from the app's resources. It then tries to modify the shell script at “/system/etc/install-recovery.sh”, which Android's init runs during boot to check (and, if needed, reflash) the recovery partition. If the modification succeeds, the malware's code is executed at every boot. Note that /system is normally mounted read-only and owned by root, so this step only works on a rooted device or one where the app has otherwise obtained root privileges; it also means that a tampered install-recovery.sh is not reverted by simply uninstalling the app.
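As an added example (not from Trustlook's report, and not the Trojan's own code), the following POSIX shell script audits a copy of install-recovery.sh pulled from a device for lines that a stock recovery-flash script would never contain. The pattern list, the optional baseline hash check and both constructed sample files are assumptions for illustration; the report does not describe what the malware actually wrote into the script.

```shell
#!/bin/sh
# audit_install_recovery.sh
# Added example (not from Trustlook's report and not the Trojan's own code):
# a quick audit of /system/etc/install-recovery.sh, the script init runs at
# boot and which the Trojan tampers with for persistence.
#   adb pull /system/etc/install-recovery.sh ./install-recovery.sh
#   sh audit_install_recovery.sh ./install-recovery.sh
# With no argument the script audits two constructed samples (below).
# The heuristics and sample contents are assumptions for illustration.

# audit_install_recovery FILE
#   Prints every suspicious line. Returns 0 if FILE looks like a stock
#   recovery-flash script, 1 if anything suspicious was found, 2 if unreadable.
audit_install_recovery() {
  file=$1
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
  hits=0
  while IFS= read -r line || [ -n "$line" ]; do
    # Skip blank lines and comments before matching.
    case "$line" in
      ''|\#*) continue ;;
    esac
    # A stock script only calls applypatch and log. Anything that touches user
    # or external storage, launches app code, installs packages, remounts
    # /system or weakens SELinux has no business in this file.
    case "$line" in
      */data/*|*/sdcard/*|*/storage/*|*app_process*|*"am start"*|*"pm install"*|*setenforce*|*remount*|*busybox*)
        echo "SUSPICIOUS: $line"
        hits=$((hits + 1)) ;;
    esac
  done < "$file"
  # Optional baseline: export GOLDEN_SHA256 with the digest of the known-good
  # script from factory firmware to catch edits the patterns above miss.
  if [ -n "${GOLDEN_SHA256:-}" ] && command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$GOLDEN_SHA256" ]; then
      echo "SUSPICIOUS: sha256 $actual differs from baseline"
      hits=$((hits + 1))
    fi
  fi
  [ "$hits" -eq 0 ]
}

# Constructed sample modelled on the AOSP install-recovery.sh template
# (hashes and sizes are placeholders, not from a real build).
write_clean_sample() {
  cat > "$1" <<'EOF'
#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/bootdevice/by-name/recovery:1048576:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa; then
  applypatch -b /system/etc/recovery-resource.dat EMMC:/dev/block/bootdevice/by-name/boot:1048576:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb EMMC:/dev/block/bootdevice/by-name/recovery aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1048576 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:/system/recovery-from-boot.p && log -t recovery "Installing new recovery image: succeeded" || log -t recovery "Installing new recovery image: failed"
else
  log -t recovery "Recovery image already installed"
fi
EOF
}

# Constructed tampered sample: the stock script plus a hypothetical hook that
# starts a payload from writable storage at boot (NOT the Trojan's real edit).
write_tampered_sample() {
  write_clean_sample "$1"
  printf '%s\n' '/data/local/tmp/.svc/payload &' >> "$1"
}

demo() {
  dir=$(mktemp -d)
  write_clean_sample "$dir/clean.sh"
  write_tampered_sample "$dir/tampered.sh"
  for f in "$dir/clean.sh" "$dir/tampered.sh"; do
    if audit_install_recovery "$f"; then
      echo "$f: looks stock"
    else
      echo "$f: TAMPERED"
    fi
  done
  rm -rf "$dir"
}

if [ "$#" -gt 0 ]; then
  audit_install_recovery "$1"
else
  demo
fi
```

Because a stock install-recovery.sh is short and identical across devices running the same firmware build, a known-good hash taken from factory firmware (GOLDEN_SHA256) is the more reliable check; the pattern list is a starting point for triage when no baseline is available.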
Its next task is to harvest data from the installed IM clients; the most popular targets were listed above, and Trustlook's report gives the full list. Those apps are not themselves vulnerable: on a rooted device the malware can simply read their private directories under /data/data/<package>/, which the Android application sandbox would otherwise keep out of reach. Once collected, the data is uploaded to a remote server whose IP address is read from a configuration file bundled with the malware.
The malware was found inside a Chinese app called “Cloud Module” (its displayed name is in Chinese), with the package name “com.android.boxa”. That name borrows the com.android. prefix used by AOSP system components, so it blends in with system packages in a `pm list packages` listing.
Trustlook's researchers note that although the Trojan's workflow is simple (run persistently, extract data, upload it to a server), it takes care to hide itself. It detects emulators and attached debuggers to frustrate dynamic analysis, and it obfuscates the strings in its code to slow down casual reverse engineering.
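As an added example (not Trustlook's code and not the Trojan's), the following POSIX shell script shows the environment checks an Android anti-emulator / anti-debugger routine typically relies on, written so an analyst can run the same checks inside a sandbox (via adb shell) and see which telltales it still exposes. The property names are standard Android system properties and TracerPid is the standard /proc/<pid>/status field; the sample values are constructed, and which exact checks the Trojan uses is not stated in the report.

```shell
#!/bin/sh
# emulator_checks.sh
# Added example (not Trustlook's code, nor the Trojan's): the checks an
# "anti-emulator / anti-debugger" routine typically makes, as shell functions
# an analyst can run in a sandbox to see which telltales it still exposes.
# Property names and the TracerPid field are standard; sample values below
# are constructed. Which checks the Trojan really uses is not in the report.

# parse_prop LINE  -> sets $k and $v
#   Accepts raw getprop output ("[ro.hardware]: [ranchu]") or "key=value".
parse_prop() {
  case "$1" in
    \[*) k=${1#\[}; k=${k%%\]*}; v=${1##*\[}; v=${v%\]} ;;
    *)   k=${1%%=*}; v=${1#*=} ;;
  esac
}

# looks_like_emulator < PROPS
#   Returns 0 if the property lines on stdin carry a well-known emulator
#   telltale, 1 otherwise. Live use:  getprop | looks_like_emulator
looks_like_emulator() {
  while IFS= read -r line || [ -n "$line" ]; do
    parse_prop "$line"
    case "$k" in
      ro.kernel.qemu)
        [ "$v" = "1" ] && return 0 ;;
      ro.hardware)
        case "$v" in goldfish|ranchu|vbox86*) return 0 ;; esac ;;
      ro.product.model|ro.product.device|ro.product.name|ro.build.fingerprint)
        case "$v" in *generic*|*[Ss][Dd][Kk]*|*[Ee]mulator*|*vbox86*) return 0 ;; esac ;;
    esac
  done
  return 1
}

# is_traced < STATUS
#   Reads /proc/<pid>/status text from stdin; a non-zero TracerPid means a
#   ptrace-based debugger (or tracing sandbox) is attached.
#   Live use:  is_traced < /proc/self/status
is_traced() {
  tracer=$(awk '/^TracerPid:/ { print $2; exit }')
  [ -n "$tracer" ] && [ "$tracer" != "0" ]
}

# Constructed getprop excerpts: a stock emulator image and a physical phone.
emulator_props() {
  cat <<'EOF'
[ro.hardware]: [ranchu]
[ro.kernel.qemu]: [1]
[ro.product.model]: [Android SDK built for x86]
[ro.build.fingerprint]: [Android/sdk_phone_x86/generic_x86:9/PSR1.000000.000/0000000:userdebug/test-keys]
EOF
}
device_props() {
  cat <<'EOF'
[ro.hardware]: [qcom]
[ro.kernel.qemu]: [0]
[ro.product.model]: [Pixel 3]
[ro.build.fingerprint]: [google/blueline/blueline:10/QQ3A.000000.000/0000000:user/release-keys]
EOF
}
# Constructed /proc/<pid>/status excerpts.
traced_status()   { printf 'Name:\tapp_process64\nState:\tt (tracing stop)\nTracerPid:\t4242\n'; }
untraced_status() { printf 'Name:\tapp_process64\nState:\tS (sleeping)\nTracerPid:\t0\n'; }

demo() {
  if emulator_props | looks_like_emulator; then echo "emulator sample: flagged as emulator"; fi
  if device_props | looks_like_emulator; then :; else echo "device sample: not flagged"; fi
  if traced_status | is_traced; then echo "traced sample: debugger attached"; fi
  if untraced_status | is_traced; then :; else echo "untraced sample: no debugger"; fi
}

demo
```

When building a sandbox for this kind of sample, feed it properties that pass looks_like_emulator (hardware, model, fingerprint and ro.kernel.qemu all need to look like a retail device) and avoid ptrace-based instrumentation, or the malware will see a non-zero TracerPid and go quiet.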
The workflow suggests the attacker is collecting personal data (chats, images and videos) to use later for extortion or blackmail, presumably against high-profile victims. The researchers did not say how the malware is distributed. Since Google Play is not available in China, the operators most likely spread it through third-party app stores and Android app forums.
Chinese vendors have also been found shipping Android smartphones with a Trojan pre-installed. Learn more about the pre-installed Trojan on Android smartphones.