Android Malware Blocks Security

Monday, January 4, 2016 @ 06:01 PM gHale

New Android malware drops and runs the DroidWall firewall binary on compromised devices to cut a security application off from the network, researchers said.

The Android.Spywaller malware initially behaves like other mobile threats: it hides its icon to cover its tracks, and it decrypts an embedded payload containing the malware's service logic and loads that payload into memory, said researchers at Symantec.


As soon as the threat installs on a compromised device, it displays a “Google Service” icon, although the search engine giant doesn’t offer such a product.

The malware then attempts to root the device and start collecting sensitive information while running in the background. All of the information the malware collects from the device then goes to a backend server, Symantec researchers said in a blog post.

While this behavior has been seen in mobile threats before, Symantec's researchers said the new malware stands out because of another routine found in its decrypted payload: it checks whether the Qihoo 360 mobile security app is on the device and, if so, blocks it.

The Qihoo 360 application is popular in China. Android assigns every installed app its own Linux user ID (UID), and the malware looks up the UID of the Qihoo 360 app if it finds the program installed. Next, Android.Spywaller drops and runs the DroidWall firewall binary, a customized build of iptables for Android. Because iptables can match outgoing packets by the UID of the process that sent them, this lets the malware write firewall rules that block the targeted security application by referencing its UID, leaving all other traffic on the device untouched.
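The UID-based blocking described above is also what a responder would look for on a suspect device. The following Python check is an added example, not code from Symantec, DroidWall or the malware: it takes the security app's UID from `dumpsys package` output, parses the filter table from `iptables-save`, and walks the OUTPUT chain (following jumps into user-defined chains, in rule order) the way the kernel would, so that a rule rejecting that UID outright, or dropping it only on one interface, is found rather than just grepped for. The output formats are assumed from those two commands, the sample output is constructed, and the `droidwall` chain name is illustrative.

```python
import re

# Constructed sample: the part of `dumpsys package <pkg>` output that carries
# the app's Linux UID (format assumed, not captured from a device).
SAMPLE_DUMPSYS = """Packages:
  Package [com.qihoo360.mobilesafe] (3f2a1b0):
    userId=10085
    pkg=Package{7c1e2d com.qihoo360.mobilesafe}
"""

# Constructed sample of `iptables-save` on a device where a DroidWall-style
# chain rejects one UID everywhere, drops another only on Wi-Fi, and drops a
# whole UID range. Chain name and UIDs are illustrative.
SAMPLE_IPTABLES_SAVE = """# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:droidwall - [0:0]
-A OUTPUT -j droidwall
-A droidwall -o lo -j RETURN
-A droidwall -m owner --uid-owner 10085 -j REJECT --reject-with icmp-port-unreachable
-A droidwall -o wlan0 -m owner --uid-owner 10042 -j DROP
-A droidwall -m owner --uid-owner 10100-10110 -j DROP
-A droidwall -j ACCEPT
COMMIT
"""

TERMINAL = ('ACCEPT', 'DROP', 'REJECT')
RULE_RE = re.compile(r'^-A (\S+)(.*?) -j (\S+)')


def app_uid(dumpsys_output):
    """Return the app's Linux UID from `dumpsys package` output, or None."""
    m = re.search(r'^\s*userId=(\d+)', dumpsys_output, re.M)
    return int(m.group(1)) if m else None


def parse_filter_rules(save_output):
    """Parse the filter table of `iptables-save` output into
    {chain: [(uid_range_or_None, out_iface_or_None, target), ...]}.
    Only the owner UID match and the output interface are modelled; other
    match options are ignored (treated as matching)."""
    chains, table = {}, None
    for line in save_output.splitlines():
        if line.startswith('*'):
            table = line[1:]
        elif table != 'filter':
            continue
        elif line.startswith(':'):
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith('-A'):
            m = RULE_RE.match(line)
            chain, matches, target = m.group(1), m.group(2), m.group(3)
            uid_range = None
            um = re.search(r'--uid-owner (\d+)(?:-(\d+))?', matches)
            if um:
                lo = int(um.group(1))
                uid_range = (lo, int(um.group(2) or lo))   # single UID or range
            im = re.search(r'-o (\S+)', matches)
            chains.setdefault(chain, []).append(
                (uid_range, im.group(1) if im else None, target))
    return chains


def verdict(chains, uid, iface, chain='OUTPUT', depth=0):
    """Walk `chain` in rule order for a packet sent by `uid` on `iface`.
    Returns 'ACCEPT', 'DROP' or 'REJECT' at the first terminal rule that
    matches, or None when the walk falls off the end (chain policy applies).
    A jump into a user chain is followed; RETURN or the end of that chain
    hands control back to the caller, as the kernel does."""
    if depth > 16:                       # guard against looping chains
        return None
    for uid_range, out_if, target in chains.get(chain, []):
        if uid_range and not (uid_range[0] <= uid <= uid_range[1]):
            continue
        if out_if and out_if != iface:
            continue
        if target in TERMINAL:
            return target
        if target == 'RETURN':
            return None
        if target in chains:             # jump to a user-defined chain
            v = verdict(chains, uid, iface, target, depth + 1)
            if v:
                return v
    return None


def blocked_on(chains, uid, ifaces=('wlan0', 'rmnet0')):
    """Interfaces on which outbound traffic from `uid` is dropped or rejected."""
    return [i for i in ifaces if verdict(chains, uid, i) in ('DROP', 'REJECT')]


if __name__ == '__main__':
    uid = app_uid(SAMPLE_DUMPSYS)
    rules = parse_filter_rules(SAMPLE_IPTABLES_SAVE)
    print('security app UID', uid, 'blocked on', blocked_on(rules, uid))
```

On a rooted test device the two inputs come from `adb shell dumpsys package com.qihoo360.mobilesafe` and `adb shell su -c iptables-save`; the walk matters because a DROP rule that appears after an ACCEPT for the same UID in the same chain never fires, so a plain grep for `--uid-owner` over-reports.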

DroidWall was developed by Rodrigo Rosauro as an open source app to help users protect their devices. AVAST purchased it in 2011, but its source code is still available from Google Code and GitHub. The binary itself is a legitimate tool; what marks the abuse here is the rule set the malware writes with it.

As of right now, the malware is focusing on users in China.

In addition to blocking Qihoo 360, the malware also attempts to exfiltrate sensitive data from compromised devices, including system-based personally identifying information (PII) such as call logs, SMS, GPS readings, system browser data, emails, radio, images, and contacts.

The spyware is also collecting data belonging to specific third-party communication applications, including BlackBerry Messenger, Oovoo, Coco, QQ, SinaWeibo, Skype, Talkbox, TencentWeibo, Voxer, Wechat, WhatsApp, and Zello.