Android IM apps

Security researchers have found a new Android malware strain that has been designed to steal data from mobile instant messaging clients.

This new trojan is quite simple in its design, researchers from cyber-security firm Trustlook said in a report published on Monday.

Trojan has only a handful of features

The trojan has only a few abilities. The first is to gain boot persistence by unpacking code from the infected app's resources. That code attempts to modify the "/system/etc/install-recovery.sh" file, which, if successful, would allow the malware to execute on every boot.
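A defender-side check for the persistence mechanism just described, added here as an example and not taken from the Trustlook report: it audits a copy of install-recovery.sh (for instance one pulled with `adb pull`) against an optional known-good SHA-256 and scans it for lines a stock script never needs. The two sample scripts it writes are constructed.

```shell
#!/bin/sh
# Audit a copy of /system/etc/install-recovery.sh. Constructed example.
#   1. optional SHA-256 match against a known-good baseline for the firmware
#   2. heuristic scan for references to writable paths (/data, /sdcard, /tmp)
#      or chmod/chown calls, which a stock install-recovery.sh does not need
# Returns 0 when clean, 1 when tampering is suspected, 2 on read error.
audit_install_recovery() {
    file="$1"; baseline="${2:-}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    status=0
    if [ -n "$baseline" ]; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$baseline" ]; then
            echo "HASH MISMATCH: $file (got $actual, expected $baseline)"
            status=1
        fi
    fi
    # Drop comments and blank lines first so a commented-out path does not
    # trigger the heuristic.
    flagged=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' \
        | grep -E '/data/|/sdcard/|/tmp/|chmod|chown' || true)
    if [ -n "$flagged" ]; then
        echo "SUSPICIOUS lines in $file:"
        echo "$flagged" | sed 's/^/  /'
        status=1
    fi
    return "$status"
}

# Write two constructed samples into DIR: a stock-looking script and a copy
# with an appended loader of the kind a boot-persistence implant adds.
write_samples() {
    dir="$1"
    printf '%s\n' '#!/system/bin/sh' \
        'if ! applypatch -c EMMC:/dev/block/recovery:SIZE:SHA; then' \
        '  log -t recovery "Installing new recovery image"' \
        'fi' > "$dir/clean.sh"
    cp "$dir/clean.sh" "$dir/tampered.sh"
    printf '%s\n' '# payload' 'chmod 755 /data/local/tmp/.svc' \
        '/data/local/tmp/.svc &' >> "$dir/tampered.sh"
}

d=$(mktemp -d)
write_samples "$d"
audit_install_recovery "$d/clean.sh" && echo "clean.sh: ok"
audit_install_recovery "$d/tampered.sh" || echo "tampered.sh: flagged"
rm -r "$d"
```

On a real device, pair the heuristic with a baseline hash taken from a known-clean firmware image of the same build, since stock scripts vary between vendors.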

Second, the malware can extract data from the following Android IM clients and later upload it to a remote server, whose IP address it reads from a local configuration file.

Facebook Messenger
Skype
Telegram
Twitter
WeChat
Weibo
Viber
Line
Coco
BeeTalk
Momo
Voxer Walkie Talkie Messenger
Gruveo Magic Call
TalkBox Voice Messenger

Researchers spotted the malware inside a Chinese app named Cloud Module (in Chinese), with the package name com.android.boxa.

Simple features, but advanced evasion techniques

Trustlook researchers say that despite the singular focus on stealing IM data, the malware uses a few advanced evasion techniques. For example, the malware uses anti-emulator and debugger detection techniques to evade dynamic analysis, and also hides strings inside its source code to thwart lackadaisical code reversing attempts.

It is unusual for Android malware to ship with a single function, in this case extracting and exfiltrating IM data. One theory for this design choice is that the attackers are collecting private conversations, images, and videos in order to identify sensitive material they could later leverage in extortion attempts, especially against high-profile victims.

Researchers have not shared any info on the malware's distribution methods, but taking into account that the malware has a Chinese name and that there's no Play Store in China, the malware's authors may be distributing the malicious app via third-party stores and links on Android app forums.
