Other instant messaging apps also targeted by malware. Researchers have discovered a new type of Android malware that steals data from instant messaging apps on Android devices.
According to a blog post by TrustLook, the unnamed Trojan is described as simple but with a few tricks up its sleeve.
A module of the malware attempts to modify the “/system/etc/install-recovery.sh” file, a script run at boot, to maintain persistence on the device. The malware's primary goal is to steal the user's messenger app data. Among the apps targeted are: Tencent WeChat, Weibo, Voxer Walkie Talkie Messenger, Telegram Messenger, Gruveo Magic Call, Twitter, Line, Coco, BeeTalk, TalkBox Voice Messenger, Viber, Momo, Facebook Messenger, and Skype.
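Because the persistence trick is a modification of a file that should never change between firmware updates, the natural defensive check is an integrity comparison against a known-good copy. The following is an added example written for this article, not code from TrustLook or from the malware analysis; it assumes the analyst has a clean copy of install-recovery.sh from the same firmware build and has pulled the current file from the device, and the two scripts below are constructed samples.

```python
"""Integrity check for /system/etc/install-recovery.sh, the file the write-up
says the malware modifies for persistence. Constructed example; the baseline
and tampered scripts below are made up for illustration."""

import difflib
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file contents, for comparison with a firmware baseline."""
    return hashlib.sha256(data).hexdigest()


def check_install_recovery(current: bytes, baseline: bytes) -> dict:
    """Compare the script pulled from a device with the known-good copy.

    Returns whether the file differs and, if so, which lines were added or
    removed, so an analyst sees exactly what the boot script now executes."""
    cur_hash, base_hash = sha256_hex(current), sha256_hex(baseline)
    added, removed = [], []
    if cur_hash != base_hash:
        diff = difflib.unified_diff(
            baseline.decode("utf-8", "replace").splitlines(),
            current.decode("utf-8", "replace").splitlines(),
            lineterm="",
            n=0,  # no context lines: report only the changed lines
        )
        for line in diff:
            if line.startswith("+") and not line.startswith("+++"):
                added.append(line[1:])
            elif line.startswith("-") and not line.startswith("---"):
                removed.append(line[1:])
    return {
        "modified": cur_hash != base_hash,
        "sha256": cur_hash,
        "added": added,
        "removed": removed,
    }


# Constructed sample: a stock-looking script and a copy with one appended line.
# The appended path is a placeholder, not an indicator from the write-up.
BASELINE = (
    b"#!/system/bin/sh\n"
    b"# stock install-recovery.sh (constructed sample)\n"
    b"if ! applypatch -c EMMC:/dev/block/recovery:PLACEHOLDER_SIZE:PLACEHOLDER_SHA; then\n"
    b"  log -t recovery \"Installing new recovery image\"\n"
    b"fi\n"
)
TAMPERED = BASELINE + b"/data/local/tmp/placeholder_payload &\n"

if __name__ == "__main__":
    for name, data in (("clean", BASELINE), ("tampered", TAMPERED)):
        print(name, check_install_recovery(data, BASELINE))
```

The file lives on the system partition, so reading it from a handset needs a rooted device or an extracted firmware image; the hash alone is enough for a fleet-wide alert, and the line diff is what an analyst looks at next.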
The malware was initially found in a Chinese app called Cloud Module with the package name com.android.boxa. Despite its simplistic design, it uses a number of techniques to evade detection. It obfuscates its configuration file and part of its modules, which makes them harder for anti-virus software to identify, and it uses anti-emulator and debugger detection to evade dynamic analysis.
It also hides its strings. Strings are stored in arrays and XOR-encrypted with the value 24; XORing them with 24 again recovers the real strings. The configuration file contains the C&C server address and other values the malware uses to contact its controller.
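To show what that string hiding amounts to in practice, here is an added example (written for this article, not code from TrustLook or from the sample) that decodes arrays XORed with 24, and, for the case where an analyst does not yet know the key, brute-forces the single byte by scoring how much the output looks like a hostname, path or package name. The array contents are constructed by encoding the package name from the write-up and a placeholder hostname; nothing else about the sample's string table is assumed.

```python
"""Decoding XOR-obfuscated string arrays of the kind the write-up describes.

Constructed example: strings are assumed to be stored as integer arrays with
every element XORed with 24. None of this is the malware's own code."""

import string

KEY = 24  # the XOR key reported by TrustLook

# characters an analyst expects in hostnames, paths and package names
EXPECTED = set(string.ascii_lowercase + string.digits + ".:/-_")


def decode_xor_array(values, key=KEY):
    """Return the plaintext for an integer array whose elements were XORed with key."""
    return "".join(chr(v ^ key) for v in values)


def encode_xor_array(text, key=KEY):
    """Inverse of decode_xor_array; used here only to build constructed sample data."""
    return [ord(c) ^ key for c in text]


def score(text):
    """Fraction of characters that look like part of a hostname, path or package name."""
    return sum(c in EXPECTED for c in text) / max(len(text), 1)


def recover_key(values):
    """Brute-force a single-byte XOR key when it is not known in advance.

    Tries all 256 keys and returns the one whose output scores highest;
    ties resolve to the lowest key. Single-byte XOR offers no real protection,
    which is why a scan like this is routine when triaging such a sample."""
    return max(range(256), key=lambda k: (score(decode_xor_array(values, k)), -k))


def decode_string_table(arrays, key=KEY):
    """Decode a whole table of obfuscated arrays into readable strings."""
    return [decode_xor_array(a, key) for a in arrays]


# Constructed sample table: the package name from the write-up and a
# placeholder C&C hostname, encoded the way the text describes.
SAMPLE_TABLE = [
    encode_xor_array("com.android.boxa"),
    encode_xor_array("example-c2.invalid"),
]

if __name__ == "__main__":
    for arr in SAMPLE_TABLE:
        print(arr, "->", decode_xor_array(arr))
    print("recovered key:", recover_key(SAMPLE_TABLE[0]))
```

The scoring heuristic is deliberately narrow (lowercase, digits and a few separators); for strings with other alphabets the EXPECTED set is the one thing to adjust, and a known string such as the package name is the quickest way to confirm a recovered key.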
“Code obfuscation/hiding increases the malware author's ability to avoid detection and becomes a sophisticated challenge to anti-virus software,” said the researchers.
The researchers did not divulge how the malware was distributed, but given that the app had a Chinese name and the Google Play Store does not operate in China, it may be distributed via third-party app stores.