Security researchers have discovered a new Android malware strain designed to steal data from messaging apps. According to a Trustlook researcher, the new trojan is very simple in its design.
As noted, the trojan has limited capabilities. Immediately after it lands on a device, its first action is to secure a foothold in the device's boot process: it unpacks its code from the infected application that carried it onto the system.
The code then attempts to modify the file /system/etc/install-recovery.sh, which lets the malware run after every boot.
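A defender who pulls /system/etc/install-recovery.sh off a device (for example with `adb pull`) can triage it quickly with a script like the one below. This is an added example, not code from the Trustlook report or from the malware itself: on stock AOSP builds that file is generated at build time and only calls `applypatch` and `log`, so the check flags any other command word and any reference to a user-writable path, and it also compares the file against a known-good hash. The allow-list, the writable-path list and the two sample scripts are assumptions constructed for this illustration.

```python
"""Heuristic integrity check for /system/etc/install-recovery.sh.

Added example (not from the Trustlook report). On stock AOSP builds this
script is generated at build time and only invokes `applypatch` and `log`;
anything else deserves a look. The allow-list and the sample contents
below are assumptions made for this illustration.
"""
import hashlib
import re

# Constructed sample: a stock-looking install-recovery.sh (hypothetical values),
# followed by a copy with one appended line of the kind a boot-persistence
# implant might add. The appended path is a placeholder, not a real IoC.
CLEAN_SCRIPT = """#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/bootdevice/by-name/recovery:12345:abcdef; then
  applypatch -b /system/etc/recovery-resource.dat EMMC:/dev/block/bootdevice/by-name/boot:12345:abcdef EMMC:/dev/block/bootdevice/by-name/recovery abcdef 12345 12345:abcdef && log -t recovery "Installing new recovery image: succeeded" || log -t recovery "Installing new recovery image: failed"
else
  log -t recovery "Recovery image already installed"
fi
"""
TAMPERED_SCRIPT = CLEAN_SCRIPT + "/data/local/tmp/.hidden/daemon &\n"

# Shell control words plus the two commands a stock script is expected to use.
ALLOWED_WORDS = {"if", "then", "else", "elif", "fi", "exit", "applypatch", "log", "!"}
# Locations a genuine recovery-patching script has no reason to touch.
WRITABLE_PATHS = ("/data/", "/sdcard/", "/storage/", "/mnt/")
# Split a line into command segments on &&, ||, ;, | and a trailing &.
# Heuristic only: a ';' inside a quoted string would also split here.
SEGMENT_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\||&)\s*")


def _command_word(segment):
    """Return the first token of a segment that is not a shell control word."""
    for tok in segment.split():
        if tok in ("if", "then", "else", "elif", "!"):
            continue
        return tok
    return None


def suspicious_lines(script_text):
    """Return (line_number, line, reason) for every line that does not look stock."""
    findings = []
    for n, raw in enumerate(script_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank, comment, or the shebang
            continue
        reasons = []
        for seg in SEGMENT_SPLIT.split(line):
            word = _command_word(seg)
            if word is not None and word not in ALLOWED_WORDS:
                reasons.append(f"unexpected command '{word}'")
        if any(p in line for p in WRITABLE_PATHS):
            reasons.append("references a user-writable path")
        if reasons:
            findings.append((n, line, "; ".join(reasons)))
    return findings


def sha256_hex(script_text):
    """Hex SHA-256 of the script text, for comparison with a trusted copy."""
    return hashlib.sha256(script_text.encode()).hexdigest()


def matches_baseline(script_text, known_good_sha256):
    """True if the script is byte-identical to the trusted copy of the same firmware build."""
    return sha256_hex(script_text) == known_good_sha256


if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_SCRIPT)
    for name, text in (("clean", CLEAN_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        print(f"{name}: baseline match = {matches_baseline(text, baseline)}")
        for n, line, why in suspicious_lines(text):
            print(f"  line {n}: {why}: {line}")
```

The hash comparison is the reliable check when a trusted copy of the same firmware build is available; the command-word heuristic is the fallback for when it is not, and it is deliberately noisy, since any deviation from `applypatch`/`log` on a stock build is worth a human look.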
Right after that, the malware begins looking for your data from the following messaging apps:
All the data it collects is uploaded to a remote server. The malware stores the server's IP address in a configuration file kept locally on the victim's device.
The researchers discovered the malware in an app called Cloud Module (in Chinese), whose package name is com.android.boxa.
Trustlook researchers report that, although the malware does nothing beyond stealing data from local instant messaging applications, it reportedly uses very advanced techniques that make it almost invisible. For example, it uses anti-emulator and debugger detection to evade some dynamic analysis, and it hides strings within its code to frustrate attempts to reverse-engineer the malicious code.
It is therefore quite strange that this Android malware has only one function: extracting and exfiltrating data from messaging applications.
One theory about why its developers made this choice is that the attackers simply collect private conversations, images and videos to identify sensitive material they can use to blackmail their victims, especially high-profile ones.
The researchers did not report any further details on how the malware is distributed, but given that it has a Chinese name and is not available in an official app store, its creators may distribute it through a third-party store or via links posted on Android forums.