Android Malware seizes data from Facebook Messenger, Skype, Viber

Security researchers have discovered new malware for Android that is designed to steal data from messaging applications. The new trojan is very simple in its design, according to a Trustlook researcher.

As mentioned above, the trojan has limited capabilities. Immediately after entering an Android device, the first thing it does is take hold of the device's boot process by extracting its code from the infected application that brought it onto the system. The code will try to modify the "/system/etc/install-recovery.sh" file, which allows the malware to run after each boot.

Immediately afterwards, the malware starts searching for data from the following messaging applications:

Facebook Messenger
Skype or Whatsapp
Telegram
Twitter
WeChat
Weibo
Viber
Line
Coco
BeeTalk
momo
Voxer Walkie Talkie Messenger
Gruveo Magic Call
TalkBox Voice Messenger

All the data it collects is uploaded to a remote server. The malware keeps the server's IP address in a configuration file that it stores locally on the victim's device.

Researchers discovered the malware in an application called Cloud Module (in Chinese), which has the package name com.android.boxa.
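A defender can check a device for the two artefacts named so far: the modified /system/etc/install-recovery.sh and the com.android.boxa package. The script below is an added example, not code from Trustlook or from this article; the adb workflow, the function names and the stock-script heuristic are assumptions.

```shell
#!/bin/sh
# Triage for the two artefacts the article names. Works on files already
# pulled from a device (assumed workflow, not from the article):
#   adb shell pm list packages > packages.txt
#   adb pull /system/etc/install-recovery.sh
# Usage: sh triage.sh packages.txt install-recovery.sh [known-good-script]
IOC_PACKAGE="com.android.boxa"   # package name given in the article

# Succeeds if the package list (lines like "package:<name>") contains the
# exact name. Carriage returns are stripped because older adb versions
# emit CRLF line endings.
has_ioc_package() {
    tr -d '\r' < "$1" | grep -q -x -F "package:$IOC_PACKAGE"
}

# Prints lines added to install-recovery.sh. With a known-good copy from the
# matching factory image ($2), prints lines found only in the pulled file.
# Without one, falls back to a heuristic (assumption): a stock AOSP script
# holds only comments, applypatch/log calls and one if/else/fi around them.
added_boot_lines() {
    if [ -n "$2" ] && [ -f "$2" ]; then
        grep -v -x -F -f "$2" "$1"
    else
        grep -v -E '^[[:space:]]*(#.*|if ! applypatch .*; then|else|fi|applypatch .*|log .*)?[[:space:]]*$' "$1"
    fi
}

# Returns 0 when clean, 1 when either artefact is found; prints findings.
triage() {   # $1 packages.txt  $2 pulled script  $3 optional reference
    rc=0
    if has_ioc_package "$1"; then
        echo "FOUND package $IOC_PACKAGE"
        rc=1
    fi
    extra=$(added_boot_lines "$2" "$3" || true)
    if [ -n "$extra" ]; then
        echo "UNEXPECTED lines in install-recovery.sh:"
        echo "$extra"
        rc=1
    fi
    return $rc
}

if [ "$#" -ge 2 ]; then triage "$@"; fi
```

The heuristic branch only narrows down what to read by hand; comparing against the script from the device's own factory image is the stronger check.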

Trustlook researchers report that although the malware does nothing more than steal data from locally installed instant messaging apps, it uses very advanced techniques that make it nearly invisible. For example, it uses anti-emulator detection techniques to avoid some dynamic analysis, and it hides strings inside its code to frustrate attempts to reverse engineer the malicious code.

So it is quite strange that this Android malware has only one function, namely the extraction and exfiltration of data from messaging applications.

One theory for this choice by the developers is that the attackers are simply collecting private conversations and videos to locate sensitive data they can use to blackmail their victims, especially if they are high-profile.

Researchers did not report any additional information about the malware's distribution methods, but considering that the malware has a Chinese name and that it is not available in a Store, its creators may distribute it via a third-party store or with links posted to some Android forum.


Written by giorgos
