Security researchers have discovered a new Android malware designed to steal data from messaging applications. The new trojan is very simple in its design, according to a Trustlook researcher.
As mentioned above, the trojan has limited capabilities. Immediately after entering the system, its first action is to gain control over the device's boot process by unpacking its code from the infected application that brought it onto the system.
The code then tries to modify the "/system/etc/install-recovery.sh" file, which allows the malware to run after each boot.
Immediately afterwards, the malware starts searching for your data from the following messaging applications:
It uploads all the data it collects to a remote server. The malware stores the server's IP address in a configuration file kept locally on the victim's device.
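As an added defender-side example (not code from the article or from Trustlook), here is a POSIX shell function that audits a copy of install-recovery.sh for lines that execute anything outside /system, the kind of line the boot-persistence trick described above leaves behind. The `audit_install_recovery` and `make_sample` names, the sample file and its `payload.sh` path are constructed assumptions, not values from the report.

```shell
# Audit a copy of /system/etc/install-recovery.sh (pulled from a device
# or a firmware image) for lines that run or source files outside /system.
# The stock script only references /system paths and block devices, so a
# line pointing into /data, /sdcard, /storage or /tmp is a persistence flag.
# Prints each suspicious line; returns 0 if clean, 1 if anything was flagged,
# 2 if the file is missing.
audit_install_recovery() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and comments
        case "$line" in
            ''|'#'*) continue ;;
        esac
        # anything executed from a writable, non-system location is suspicious
        case "$line" in
            */data/*|*/sdcard/*|*/storage/*|*/tmp/*)
                echo "SUSPICIOUS: $line"
                found=1 ;;
        esac
    done < "$file"
    return $found
}

# Constructed sample: a stock-style applypatch block followed by one line
# planted to relaunch unpacked code from the app's data directory at boot.
# SIZE/SHA1 are placeholders; payload.sh is an assumed name.
make_sample() {
    sample="${TMPDIR:-/tmp}/install-recovery.sample.sh"
    cat > "$sample" <<'EOF'
#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/bootdevice/by-name/recovery:SIZE:SHA1; then
  applypatch -b /system/etc/recovery-resource.dat EMMC:/dev/block/bootdevice/by-name/boot:SIZE:SHA1 EMMC:/dev/block/bootdevice/by-name/recovery SHA1 SIZE SHA1:/system/recovery-from-boot.p
else
  log -t recovery "Recovery image already installed"
fi
# planted line (constructed for this example)
/system/bin/sh /data/data/com.android.boxa/files/payload.sh &
EOF
    echo "$sample"
}
```

Run `audit_install_recovery "$(make_sample)"` to see the planted line reported; on a real device, compare the pulled file against the copy in the matching firmware image as well, since a clean-looking script may still differ from the vendor's original.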
Researchers discovered the malware in an application called Cloud Module (in Chinese), which has the package name com.android.boxa.
Trustlook researchers report that although the malware does nothing more than steal data from local instant messaging apps, it reportedly uses very advanced techniques that make it nearly invisible. For example, it uses anti-emulator and anti-debugger techniques to evade some dynamic analysis, and it hides strings inside its code to frustrate attempts to reverse engineer the malicious code.
It is therefore quite strange that this particular Android malware has only one function, namely extracting and removing data from messaging apps.
One theory for this choice by the developers is that the attackers simply collect private conversations, images and video in order to find sensitive data they can use to blackmail their victims, especially if those victims are high-profile.
The researchers did not report any additional information about the malware's distribution methods, but considering that the malware has a Chinese name and is not present in an app store, its creators may distribute it through a third-party store or via links posted on Android forums.