Android Virus Steals Messages

Tuesday, April 3, 2018 @ 03:04 PM gHale

Attackers keep finding new ways in, and Android devices are an increasingly popular target: they are now in the sights of a new type of malware.

The malware focuses on stealing private conversations on IM applications like Facebook Messenger, Skype, Telegram, Twitter, Viber, and others.


The malware, detected by Trustlook, can modify the “/system/etc/install-recovery.sh” file in order to start at every boot, thus making sure it can steal instant messaging data.
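The persistence trick described above, modifying the stock recovery-patching script so that a payload runs at every boot, is something a defender can look for directly. The following checker is an added example, not code from the article or from Trustlook: it audits the text of an install-recovery.sh, treats the lines a stock AOSP-generated script is expected to contain as an allow-list (that allow-list is an assumption about the typical build; adjust it for your device image), and flags anything else, marking lines that reach into /data or launch another program as high severity. The sample script and the injected payload path in it are constructed for the example.

```python
"""Audit an Android /system/etc/install-recovery.sh for injected lines.

Added example for illustration; the allow-list below is an assumption
based on the typical AOSP-generated recovery-patching script.
"""
import re
import sys

# Lines a stock install-recovery.sh is expected to contain (assumption).
STOCK_PATTERNS = [
    r"^#!/system/bin/sh$",          # shebang
    r"^#",                          # comments
    r"^\s*$",                       # blank lines
    r"^\s*if\s+!\s+applypatch\b",   # "if ! applypatch -c EMMC:..." check
    r"^\s*applypatch\b",            # the patch/flash command itself
    r"^\s*log\s+-t\s+recovery\b",   # recovery logging
    r"^\s*(then|else|fi)\s*$",      # shell control flow
]

# Anything touching user-writable storage or spawning a program is suspicious.
SUSPICIOUS = re.compile(
    r"(/data/|/sdcard/|\bsh\s+\S+|\bam\s+start\b|\bpm\s+install\b|"
    r"\bsu\b|\bchmod\b|\bexec\b|\bnohup\b)"
)


def audit_install_recovery(script_text):
    """Return a list of (line_number, severity, stripped_line) findings.

    Lines matching the stock allow-list are ignored; every other line is
    reported, as "high" if it matches SUSPICIOUS and "medium" otherwise.
    """
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        if any(re.search(pattern, line) for pattern in STOCK_PATTERNS):
            continue
        severity = "high" if SUSPICIOUS.search(line) else "medium"
        findings.append((lineno, severity, line.strip()))
    return findings


# Constructed sample: a stock-looking script with one injected launcher line.
# The block-device path, hashes and payload path are made up for the example.
SAMPLE_SCRIPT = """#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/platform/msm_sdcc.1/by-name/recovery:10485760:0000000000000000000000000000000000000000; then
  applypatch EMMC:/dev/block/platform/msm_sdcc.1/by-name/boot:8388608:1111111111111111111111111111111111111111 EMMC:/dev/block/platform/msm_sdcc.1/by-name/recovery 2222222222222222222222222222222222222222 10485760 1111111111111111111111111111111111111111:/system/recovery-from-boot.p && log -t recovery "Installing new recovery image: succeeded" || log -t recovery "Installing new recovery image: failed"
else
  log -t recovery "Recovery image already installed"
fi
/system/bin/sh /data/local/tmp/payload.sh &
"""


def audit_file(path):
    """Audit a script pulled from a device (e.g. via adb pull)."""
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        return audit_install_recovery(handle.read())


if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_install_recovery(SAMPLE_SCRIPT)
    for lineno, severity, text in results:
        print(f"line {lineno} [{severity}]: {text}")
    if not results:
        print("no unexpected lines found")
```

Run it with no arguments to audit the constructed sample, or pass the path of a script pulled from a device. Because the allow-list is tight, a clean stock script produces no findings, so any output at all is worth a closer look; the medium-severity bucket exists so that a line the allow-list simply does not know about is still surfaced rather than silently accepted.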

The malware is currently spreading in China under the package name com.android.boxa. It has not reached the Google Play Store, and it most likely targets devices that install apps from sources other than the store.

Though it is not clear how the malware gets distributed, Trustlook researchers spotted it inside a Chinese app named Cloud Module, according to a post on FossBytes.

Because the malware has a Chinese name and is not available in the Play Store in China, its authors could be spreading it through links on Android app forums or through third-party app stores.

Android users who only install apps from the Google Play Store should be safe. While Android security solutions could detect the Trojan, Trustlook warned the malware was designed to avoid detection, including anti-emulator and debugger detection techniques intended to defeat dynamic analysis.

“Code obfuscation/hiding increases the malware author’s ability to avoid detection and becomes a sophisticated challenge to anti-virus software,” Trustlook researchers said in a post.

Once the malware compromises an Android device, it automatically looks for conversations. The data is extracted and then sent to a remote server. The security vendor says the server’s IP address is stored in the malware’s configuration file, allowing the Trojan to operate without any further command sent by the author.

Trustlook said the malware collects information from the following apps:
• Tencent WeChat
• Weibo
• Voxer Walkie Talkie Messenger
• Telegram Messenger
• Gruveo Magic Call
• Twitter
• Line
• Coco
• BeeTalk
• TalkBox Voice Messenger
• Viber
• Momo
• Facebook Messenger
• Skype
