New Android Malware Stealing Data from Popular Messenger Apps

Almost all Instant Messaging Platforms like Facebook, Twitter, Skype, Line, and Viber Targeted by the malware.

Researchers at cyber-security firm Trustlook Labs have identified new Android Trojan that is stealing data from all mainstream instant messaging apps for mobile. The list of targeted apps is available below:

Twitter
Skype
Viber
Weibo
Line
Coco
BeeTalk
Tencent WeChat
Gruveo Magic Call
Telegram Messenger
Facebook Messenger
Voxer Walkie-Talkie Messenger
TalkBox Voice Messenger Momo

According to researchers’ blog post, the malware can effectively hide its configuration file and some of its modules to evade detection. In their report, which was published on Monday, researchers noted that this malware is not as sophisticated as those discovered previously and has limited capabilities.

Its main task is to collect sensitive user data from instant messaging apps and IM clients. Once the malware successfully infects an app, it modifies the “/system/etc/install-recovery.sh” file. After this, it enables the file to be executed every time the infected app is opened.

More: Facebook collected Android users’ call and SMS logs with “their permission”

The Trojan uses anti-emulator and debugger detection methods for evading dynamic analysis and hiding the strings. It also adds some of its modules to its Assets folder while all modules are in encrypted format. In some modules such as “sx”, “sy”, “coso”, “dmnso”, the malware uses the first byte of the module to XOR for data decryption.

For instance, the original “coso” module in the Assets folder is converted into an ELF module after decryption. The information about malware’s C&C server and other properties is stored in the configuration file. This file is accessed by the malware whenever it has to communicate with the attacker. The stolen data is transferred to a remote server.

It boasts of a very simple and straightforward design with a one-directional attack approach. However, the evasion techniques that it adopts are pretty advanced, which makes it difficult for anti-virus software to detect it.

Given the singular objective of this Android Trojan, which is to steal data, it becomes apparent that the controllers of malware need to collect sensitive data exchanged during private conversations. This may include images and videos too as such data can be used for extortion.

The malware’s distribution method is yet unknown to the researchers. According to Trustlook Labs, the malware was discovered in Cloud Module, a Chinese app, while the package that contained the malware was identified to be com.android.boxa.

It is also possible that third-party app stores are responsible for spreading the infectious app. Therefore, it is advised that Android users should avoid downloading third-party apps, scan the device regularly with an anti-malware and keep its operating system updated.

More: Android malware HenBox hits Xiaomi devices & minority group in China

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.