Security researchers have discovered a new malware for Android that is designed to steal data from messaging applications. The new trojan is very simple in its design, according with a Trustlook researcher.
The trojan as mentioned above has limited capabilities and immediately after entering the system the first thing to do is to gain control over the boot of the device by unpacking its code from the infected application that brought it to the system.
The code will try to modify the archive “/system/etc/install-recovery.sh”, which allows the malware to run after every boot.
Immediately after the malware starts searching for your data from the following messaging applications:
All the data it collects uploads to a remote server. The malware has the server's IP address stored in a configuration file that stores it locally on the victim's device.
Researchers discovered the malware in an app called Cloud Module (in Chinese), which looks like name package com.android.boxa.
Trustlook researchers report that despite the malware doing nothing more than stealing data from local instant messaging apps, it reportedly uses very advanced techniques that make it nearly invisible. For example, it uses anti-emulator and debugger to avoid some dynamic analysis and hides strings inside its code to reverse failed attempts to reverse the malicious code.
So it is quite strange that this malware for Android has only one function, namely the extraction and removal of data from messaging applications.
A theory for this choice of developers it could be that attackers simply collect private conversations, images and videos, to find sensitive data that they can use to blackmail their victims, especially if they are high-profile.
Researchers did not report any additional information about malware distribution methods, but considering that malware has a Chinese name and that it does not exist in a Store, its creators may distribute it via a third-party store or with links posted to some Android forum.