Android Trojan Steals Info from Messenger, Skype, Twitter & More

Mel Khamlichi, founder of Osradar, Amsterdam, Netherlands (http://www.osradar.com)

Android is the most popular operating system for smartphones and other smart devices. Because it is open source, powerful and flexible, most handset manufacturers build their devices on it, and that popularity also makes it an attractive target for attackers. Recently a new Android Trojan was identified that extracts data from instant-messaging apps including Messenger, Twitter, Skype, WeChat, Viber and Line.

According to security researchers at Trustlook, the Trojan is simple in design but uses several techniques to hide from the system and from analysis tools.

How the Android Trojan works

The Trojan persists across reboots. First it unpacks the malicious code from the app's resources. Then it tries to modify the shell script at /system/etc/install-recovery.sh, which init runs on every boot; if the modification succeeds, the malware's code is executed at each boot. Note that /system is mounted read-only on a stock device, so this step can only succeed where the malware has root access (for example on a phone that has already been rooted), which also means the modified script is a reliable indicator of compromise on such devices.
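The following triage script is an added example for incident responders, not code from Trustlook or from the Trojan. It checks a copy of /system/etc/install-recovery.sh (pulled with `adb shell cat`, or extracted from a firmware image) for anything the stock AOSP-generated script never does: commands other than applypatch and log, references to /data or external storage, shells being spawned, or a process being backgrounded. Both sample scripts are constructed for this example; the constructed hook uses the package name reported for the Trojan.

```python
"""Triage of /system/etc/install-recovery.sh (added example, not Trustlook's code).

On stock Android, init runs this script once per boot to re-flash the recovery
partition, which is why root-level malware likes to append a startup hook to it.
The checks below flag any line that does something the stock script never does.
Both sample scripts are constructed for this example; the path under /data/data
uses the package name reported for the Trojan.
"""
import hashlib
import re

# Command words that legitimately appear in the AOSP-generated script.
ALLOWED_COMMANDS = {"applypatch", "log", "exit"}

# Shell keywords that precede a command word and carry no risk themselves.
KEYWORDS = {"if", "then", "else", "elif", "fi", "do", "done", "!"}

# Patterns that have no business in a recovery-flashing script.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"/data/"), "references app-private storage under /data"),
    (re.compile(r"/sdcard|/storage/"), "references external storage"),
    (re.compile(r"\b(chmod|chown|mount)\b"), "changes permissions or mounts"),
    (re.compile(r"\b(su|sh|busybox)\b"), "spawns a shell or busybox"),
    (re.compile(r"\b(setsid|nohup)\b|&\s*$"), "backgrounds a long-running process"),
    (re.compile(r"\bam\s+start\b|\bpm\s+"), "launches an activity or package"),
]

# Constructed stand-in for the stock script (hashes and offsets are dummies).
STOCK_SCRIPT = """#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/bootdevice/by-name/recovery:32768:0000000000000000000000000000000000000000; then
  applypatch -b /system/etc/recovery-resource.dat EMMC:/dev/block/bootdevice/by-name/boot:30000:1111111111111111111111111111111111111111 EMMC:/dev/block/bootdevice/by-name/recovery 0000000000000000000000000000000000000000 32768 1111111111111111111111111111111111111111:/system/etc/recovery-from-boot.p && log -t recovery "Installing new recovery image: succeeded" || log -t recovery "Installing new recovery image: failed"
else
  log -t recovery "Recovery image already installed"
fi
"""

# The same script with the kind of hook a root-level Trojan appends (constructed).
INFECTED_SCRIPT = STOCK_SCRIPT + "/system/bin/sh /data/data/com.android.boxa/files/start.sh &\n"


def command_words(line):
    """Return the first word of every command in a shell line, skipping keywords."""
    words = set()
    for segment in re.split(r";|&&|\|\||\|", line):
        tokens = segment.split()
        while tokens and tokens[0] in KEYWORDS:
            tokens.pop(0)
        if tokens:
            words.add(tokens[0])
    return words


def triage(script_text):
    """Return [(line_number, line, [reasons])] for every suspicious line."""
    findings = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments (including the shebang)
        reasons = []
        for word in sorted(command_words(stripped) - ALLOWED_COMMANDS):
            reasons.append(f"unexpected command '{word}'")
        for pattern, why in SUSPICIOUS_PATTERNS:
            if pattern.search(stripped):
                reasons.append(why)
        if reasons:
            findings.append((number, stripped, reasons))
    return findings


def script_digest(script_text):
    """SHA-256 of the script, to compare with the copy taken from the firmware image."""
    return hashlib.sha256(script_text.encode()).hexdigest()


if __name__ == "__main__":
    for name, script in (("stock", STOCK_SCRIPT), ("infected", INFECTED_SCRIPT)):
        print(f"{name}: sha256={script_digest(script)}")
        for number, line, reasons in triage(script):
            print(f"  line {number}: {line}")
            for why in reasons:
                print(f"    - {why}")
```

The digest comparison is the stronger check when a known-good copy of the script from the same firmware build is available; the pattern checks are there for the common case where it is not.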

Its next task is to extract data from the IM clients. The most popular targets are named above; Trustlook's report lists the full set of affected apps. After collecting the data, the malware uploads it to a remote server whose IP address is read from a pre-configured file bundled with the app.

The malware was found inside a Chinese app whose name translates to "Cloud Module". Its package name is "com.android.boxa".

Evasion techniques

According to Trustlook's researchers, despite the Trojan's simple workflow (run persistently, extract data, upload it to a remote server), it is quite effective at hiding itself. It implements anti-emulator and anti-debugger checks so that it does not run under dynamic analysis, and it obfuscates the strings in its code to frustrate casual reverse engineering.
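Anti-emulator checks in Android malware almost always come down to reading system properties that give away the Android SDK emulator, Genymotion or a debuggable build. The script below is an added example (not Trustlook's code and not taken from the Trojan) that applies those common checks to the output of `adb shell getprop` from an analysis device: every property it lists is one such a sample may test before deciding to stay dormant, and therefore one worth spoofing in the sandbox. The two property dumps are constructed for this example.

```python
"""Emulator / debug-build fingerprinting (added example, not Trustlook's code).

Applies the system-property checks that anti-emulator logic in Android malware
commonly performs to a `getprop` dump. Every hit is a property to spoof in a
sandbox before the sample will run. Both dumps below are constructed.
"""
import re

GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Constructed `getprop` output from a stock Android SDK emulator image.
EMULATOR_GETPROP = """[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:10/QSR1.190920.001/5891938:user/release-keys]
[ro.hardware]: [ranchu]
[ro.kernel.qemu]: [1]
[ro.product.device]: [generic_x86]
[ro.product.manufacturer]: [Google]
[ro.product.model]: [Android SDK built for x86]
[ro.debuggable]: [1]
"""

# Constructed `getprop` output from a physical phone running a release build.
PHONE_GETPROP = """[ro.build.fingerprint]: [google/blueline/blueline:11/RQ3A.210805.001.A1/7474174:user/release-keys]
[ro.hardware]: [blueline]
[ro.product.device]: [blueline]
[ro.product.manufacturer]: [Google]
[ro.product.model]: [Pixel 3]
[ro.debuggable]: [0]
"""


def parse_getprop(text):
    """Turn `getprop` output into a dict of property name -> value."""
    props = {}
    for line in text.splitlines():
        match = GETPROP_LINE.match(line.strip())
        if match:
            props[match.group("key")] = match.group("value")
    return props


def sandbox_indicators(props):
    """Return (property, value, reason) for every property that betrays an emulator or debug build."""
    hits = []

    def check(key, predicate, reason):
        value = props.get(key, "")
        if predicate(value.lower()):
            hits.append((key, value, reason))

    check("ro.kernel.qemu", lambda v: v == "1", "QEMU kernel flag set")
    check("ro.hardware", lambda v: v in ("goldfish", "ranchu", "vbox86"), "emulator hardware name")
    check("ro.product.model", lambda v: "sdk" in v or "emulator" in v, "SDK/emulator product model")
    check("ro.product.device", lambda v: v.startswith(("generic", "vbox")), "generic device name")
    check("ro.build.fingerprint", lambda v: "generic" in v or "unknown" in v, "generic build fingerprint")
    check("ro.product.manufacturer", lambda v: v == "genymotion", "Genymotion build")
    # Not an emulator check as such, but the usual companion: on a debuggable
    # build a debugger can attach to any process, which samples also test for.
    check("ro.debuggable", lambda v: v == "1", "debuggable build, debugger can attach")
    return hits


if __name__ == "__main__":
    for name, dump in (("emulator", EMULATOR_GETPROP), ("phone", PHONE_GETPROP)):
        hits = sandbox_indicators(parse_getprop(dump))
        print(f"{name}: {len(hits)} indicator(s)")
        for key, value, reason in hits:
            print(f"  {key}={value!r}: {reason}")
```

Properties are only part of the picture: samples also look at the absence of a SIM and sensors, known emulator phone numbers and IMEIs, and at whether a debugger is connected at run time, so a clean result here does not guarantee the sample will run, but a dirty one guarantees which checks to fix first.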

This workflow suggests the attacker is collecting personal information (chats, images and videos) for later use in extortion or blackmail against high-profile victims. The researchers did not share how the malware spreads. However, since Google Play is not available in China, the operators are most likely distributing it through third-party app stores and Android app forums.

This is not the only case involving Chinese vendors: there have also been Android smartphones shipped with a Trojan pre-installed in the firmware.
