Researchers have discovered a new type of Android malware that steals data from instant messaging apps on Android devices.
According to a blog post by TrustLook, the unnamed Trojan is described as simple but with a few tricks up its sleeve.
The malware's module attempts to modify the “/system/etc/install-recovery.sh” file to maintain persistence on the device. The malware's primary goal is to steal the user's messenger app information. Among the apps targeted are; Tencent WeChat, Weibo, Voxer Walkie Talkie Messenger, Telegram Messenger, Gruveo Magic Call, Twitter, Line, Coco, BeeTalk, TalkBox Voice Messenger, Viber, Momo, Facebook Messenger, and Skype.
The malware was initial found in a Chinese app called Cloud Module with the package name com.android.boxa. Despite the simplistic design, it uses a number of techniques to evade detection. It obfuscates its configuration file and part of its modules to avoid detection which makes it hard for anti-virus software to find. It also uses anti-emulator and debugger detection techniques to evade dynamic analysis.
It also hides strings to avoid being detected. For example, the following strings are stored in arrays and are XOR encrypted with 24 to get the real strings. The configuration file contains the C&C server and other values that the malware uses to contact its controller.
“Code obfuscation/hiding increases the malware author's ability to avoid detection and becomes a sophisticated challenge to anti-virus software,” said the researchers.
The researchers did not divulge how the malware was distributed, but given the malware had a Chinese name and Google Play Store does not operate in China, it may be distributed via third-party stores.
Javvad Malik, security advocate at AlienVault, told SC Media UK that messenger apps are prevalent on mobile devices and many corporate users will communicate through these channels. “While there are many benefits and convenience to communicate through such channels, they are often unprotected, outside the monitoring or DLP capabilities of most organisations,” he said.
“Even if sensitive data isn't transferred explicitly, much information can be inferred from messenger apps, such as projects being worked on, meetings, locations, availability and such. Therefore, giving a good insight into the workings of a department.”
Winston Bond, technical director EMEA at Arxan Technologies, told SC Media UK that obfuscation has been normal practice for malware on PCs for a long time, so anti-virus companies are used to detecting it. “Obfuscated code is still code and signature-based malware detection tools should still work. The obfuscation will make malware analysis a more difficult job, though.”
Dr. Andy Lilly, CTO, Armour Comms, told SC Media UK that If malware (or someone that has stolen your phone) wants to access messages, it is sensible to ensure that they are stored encrypted on the phone (i.e. your data-at-rest is protected).
“Plenty of apps worry about encrypting messages between mobiles but don't properly consider protecting that data while it is on a device. (Armour Mobile provides both data-in-transit and data-at-rest protection for its contacts, messages, attachments, chat groups, etc.),” he said.
Neil Haskins, director of advisory services EMEA, IOActive, told SC Media UK that messenger data could be used in corporate espionage campaigns, or to gain information on employees to hone spear phishing campaigns.
“Many organisations spend time, money and resources on securing email platforms with the latest and greatest technology. They roll out email policy documents and then educate users on appropriate use of emails, forgetting that employees pass just as much info on IM, and in fact, because email is blocking them, they use IM to bypass the email controls. Such is human nature. Couple that with the fact that most people have multiple messaging apps on their laptops, tablets and mobile phones, the attack surface is huge,” he said.