Trojans Infect System Processes
Tuesday, September 27, 2016 @ 02:09 PM gHale
Android Trojans continue their growth curve with the capability to infect the processes of applications and then download their own plug-ins, researchers said.
The Xiny malware family can infiltrate the processes of system applications and then download malicious plug-ins into the infected programs, said researchers at Dr.Web.
The threats can download and then delete various programs on the compromised devices. That functionality requires root privileges. Once they achieve the required privileges, the Trojans can silently download and install software onto devices, while also displaying advertisements.
The Android.Xiny Trojans were first discovered in March 2015 and are distributed through popular websites, and even official application stores.
These programs have an innovative APK file that prevents the Trojan from being deleted, Dr.Web researchers said in a blog post.
The updated Android.Xiny Trojans include the ability to inject themselves into system applications, which allows them to launch various malicious plug-ins. One of the threats that includes this functionality is Android.Xiny.60, which extracts several malicious components (/xbin/igpi; /lib/igpld.so; /lib/igpfix.so; and /framework/igpi.jar) from its resource folder and copies them to system directories soon after installation.
The malware uses the igpi module (detected as Android.Xiny.61) to inject the igpld.so library (Android.Xiny.62) into the system application processes of Google Play (com.android.vending) and Google Play Services (com.google.android.gms, com.google.android.gms.persistent). Moreover, the malicious module can inject into Android’s Zygote process, researchers said.
After infecting the Zygote process, Xiny.62 can track the launch of any new applications and can inject the igpi.jar malicious module (Android.Xiny.60) into them. The module is also injected into the system processes of the Google Play and Google Play Services applications after they have been infected.
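As an added example (not code from Dr.Web or from this article), the two checks below turn the artifacts named above into a triage routine for a device snapshot: the four dropped file paths, and the igpld.so / igpi.jar modules showing up in the memory maps of the Google Play, Google Play Services or Zygote processes. It assumes the responder has already pulled a file listing and the relevant /proc/<pid>/maps contents (for example over adb); the sample inputs are constructed.

```python
import re

# Relative paths listed in the article; matched as suffixes so the
# partition prefix (usually /system) does not have to be assumed.
XINY_FILE_SUFFIXES = ("/xbin/igpi", "/lib/igpld.so",
                      "/lib/igpfix.so", "/framework/igpi.jar")

# Processes the article names as injection targets.
XINY_TARGET_PROCESSES = {"com.android.vending", "com.google.android.gms",
                         "com.google.android.gms.persistent", "zygote"}

# Modules the article says get injected into those processes.
INJECTED_MODULES = re.compile(r"/(igpld\.so|igpi\.jar)$")


def find_dropped_files(paths):
    """Return the paths from a device file listing that match a known Xiny artifact."""
    return sorted(p for p in paths if p.endswith(XINY_FILE_SUFFIXES))


def find_injected_processes(proc_maps):
    """proc_maps: {process_name: text of /proc/<pid>/maps}.

    Returns {process_name: [mapped module paths]} for every target process
    whose mappings include one of the injected modules; other processes and
    clean target processes are omitted."""
    hits = {}
    for name, maps_text in proc_maps.items():
        if name not in XINY_TARGET_PROCESSES:
            continue
        modules = set()
        for line in maps_text.splitlines():
            fields = line.split()
            # The 6th field of a maps line is the backing file, if any.
            if len(fields) >= 6 and INJECTED_MODULES.search(fields[5]):
                modules.add(fields[5])
        if modules:
            hits[name] = sorted(modules)
    return hits


# Constructed sample input: one dropped library and one infected process.
SAMPLE_PATHS = ["/system/bin/sh", "/system/lib/igpld.so", "/system/lib/libc.so"]
SAMPLE_MAPS = {
    "com.android.vending": ("7f1a2000-7f1b3000 r-xp 00000000 b3:19 1234  /system/lib/libc.so\n"
                            "7f1c4000-7f1c9000 r-xp 00000000 b3:19 5678  /system/lib/igpld.so\n"),
    "com.example.clean": "7f1a2000-7f1b3000 r-xp 00000000 b3:19 1234  /system/lib/libc.so\n",
}

if __name__ == "__main__":
    print(find_dropped_files(SAMPLE_PATHS))
    print(find_injected_processes(SAMPLE_MAPS))
```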