A new Android Trojan could be stealing your data through mobile instant messaging apps such as Facebook Messenger, Twitter, Skype and other IM clients.
This malware was detected by security researchers from Trustlook, a cyber-security firm. A report published on Monday describes the new trojan as a simple one with few abilities.
After infecting the app, the trojan tries to modify the “/system/etc/install-recovery.sh” file to enable its execution, each time the app is opened.
It seems that the primary purpose of this malware is to steal data from messaging apps, which is later uploaded to a remote server. The trojan retrieves the IP of this server from a local configuration file.
Here’s the list of apps that could be affected by this malware:
- Facebook Messenger
- Telegram Messenger
- Tencent WeChat
- Voxer Walkie Talkie Messenger
- Gruveo Magic Call
- TalkBox Voice Messenger
Although it has a simple design and singular focus on extracting IM data, this malware uses some advanced evasion techniques.
According to Trustlook Labs, this Trojan obfuscates its configuration file and part of its modules to avoid detection which makes it difficult for anti-virus software to spot its presence.
It uses anti-emulator and debugger detection techniques to evade dynamic analysis and is capable of hiding strings inside its source code to prevent any code reversing attempts.
Since the Android Trojan has a single objective (to steal data), it is quite possible that its authors are trying to collect sensitive data through private conversations, images, and videos that could be used later for extortion.
Though it is not clear on how this malware gets distributed, Trustlab researchers spotted this malware inside a Chinese app named Cloud Module with the package name com.android.boxa.
Given that the malware has a Chinese name and unavailability of Play Store in China, the malware coders are probably spreading this infectious app through links on Android app forums or third-party app stores.