The main functionality of the trojan
Security experts discovered a new malware attack that enters Android devices unnoticed and steals personal information typed into various messenger apps. The malicious program is characterized as a simple yet effective virus, capable of hiding its presence on the device efficiently.
To preserve its persistence, the trojan tries to alter the “/system/etc/install-recovery.sh” file on the targeted device. If the modification is successful, the virus is started with every device boot-up.
The primary goal of the malware appears to be stealing information from all messengers installed on the device and later sending it to a remote server. The IP address of that server is read from a local config file.
The virus is capable of stealing information from the following applications:
- Facebook Messenger
- Telegram Messenger
- Tencent WeChat
- Walkie Talkie Messenger, etc.
As is evident, the most popular messengers are all targeted, in order to extract as much data as possible from users all over the world.
Obfuscated configuration hinders malware’s detection
Despite its primitive functionality, it has been noticed that the virus takes a sophisticated approach to detection evasion. Security software typically fails to detect the threat, as it obfuscates its configuration file and a portion of its modules. Dynamic analysis is also hard to carry out, as the malware uses anti-emulator and anti-debugger capabilities.
Security researchers noted that the malware hides its strings inside its source code to avoid exposure. The C&C server address and other values are kept in a configuration file that allows the virus to communicate with its controller.
The malware was first found in a Chinese application called Cloud Module and used the package name com.android.boxa. Because the Play Store is not available in China, it is highly likely that the threat is distributed via third-party websites and Android application sites.
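As an added example (not code from the article or from the researchers it cites), the following Python check shows how a defender could triage the two artifacts the article names: the reported package name com.android.boxa in `pm list packages` output, and unexpected lines in /system/etc/install-recovery.sh. The "benign line" pattern, the optional known-good hash parameter and all sample data are assumptions constructed for this example, not values from the article.

```python
import hashlib
import re
from typing import Optional

# Package name reported in the article for the "Cloud Module" sample.
KNOWN_BAD_PACKAGES = {"com.android.boxa"}

# Assumption (not from the article): an unmodified AOSP install-recovery.sh
# holds only a shebang, comments, shell control flow, applypatch and log
# calls. Any other line is worth a closer look.
BENIGN_LINE = re.compile(
    r"^\s*(#.*|if\s+!?\s*applypatch\b.*|applypatch\b.*|then|else|fi"
    r"|exit\s+\d+|log\s+.*)?\s*$"
)


def suspicious_packages(pm_list_output: str) -> list:
    """Parse 'pm list packages' output and return known-bad package names."""
    found = []
    for line in pm_list_output.splitlines():
        if line.startswith("package:"):
            name = line[len("package:"):].strip()
            if name in KNOWN_BAD_PACKAGES:
                found.append(name)
    return found


def audit_install_recovery(script_text: str,
                           known_good_sha256: Optional[str] = None) -> dict:
    """Flag lines outside the assumed benign pattern and, if a baseline hash
    of the stock file is supplied, report whether the file still matches it."""
    digest = hashlib.sha256(script_text.encode()).hexdigest()
    flagged = [(n, line) for n, line in enumerate(script_text.splitlines(), 1)
               if not BENIGN_LINE.match(line)]
    return {
        "sha256": digest,
        "hash_matches_baseline": (digest == known_good_sha256)
        if known_good_sha256 else None,
        "flagged_lines": flagged,
    }


# Constructed sample data, not captured from a real device.
SAMPLE_PM_OUTPUT = ("package:com.android.settings\npackage:com.android.boxa\n"
                    "package:org.telegram.messenger\n")
SAMPLE_SCRIPT = """#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/bootdevice/by-name/recovery:1234:PLACEHOLDER_SHA1; then
  applypatch -b /system/etc/recovery-resource.dat EMMC:/dev/block/bootdevice/by-name/boot:1234:PLACEHOLDER_SHA1 EMMC:/dev/block/bootdevice/by-name/recovery PLACEHOLDER_SHA1 1234
else
  log -t recovery "Recovery image already installed"
fi
/data/local/tmp/PLACEHOLDER_PAYLOAD &
"""

if __name__ == "__main__":
    print(suspicious_packages(SAMPLE_PM_OUTPUT))
    print(audit_install_recovery(SAMPLE_SCRIPT)["flagged_lines"])
```

On a real device the inputs would come from `adb shell pm list packages` and the file itself; the baseline hash should be taken from a known-clean firmware image of the same build.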
The leaked data might be used for illicit purposes
Even if the collected data does not expose vital information such as bank account passwords, it can include other useful details like meeting locations, projects being worked on, names, etc. Such data can be used to determine an organization's goals and tendencies effectively.
Additionally, it can be used for espionage campaigns or to obtain info about certain employees to execute phishing campaigns and infect networks with ransomware or similar cyber threats.
Neil Haskins, Director of Advisory Services EMEA at IOActive, was worried about the way corporations and their employees handle sensitive information:
Many organizations spend time, money and resources on securing email platforms with the latest and greatest technology. They roll out email policy documents and then educate users on appropriate use of emails, forgetting that employees pass just as much info on IM, and in fact, because email is blocking them, they use IM to bypass the email controls. Such is human nature. Couple that with the fact that most people have multiple messaging apps on their laptops, tablets and mobile phones, the attack surface is huge.
To avoid unnecessary data leaks, we advise Android users never to download applications from third-party sources and to use only Google Play for that purpose.