
CarbonSteal

Posted: July 7, 2020

The CarbonSteal Android malware was first identified in 2018 while cybersecurity experts were analyzing another Android implant, and the network infrastructure used to control it. The newly discovered CarbonSteal was quickly dissected to reveal a sophisticated malware implant that shared similarities with other Android malware active in the Chinese region – DoubleAgent and SilkBean.

Malware researchers were able to recover and analyze several CarbonSteal samples. There were clear differences in their structure and features, a sure sign that the campaign was ongoing and that the payload was receiving regular updates. Some of the active samples had advanced features meant to hinder detection and to keep the implant persistent on infected devices; for example, CarbonSteal's modules were often split across several Android Packages (APKs) that were initialized one by one once the initial infection succeeded. Another notable feature, one that few Android malware families share, is CarbonSteal's ability to operate even when no WiFi or mobile data connection is available: some of its functions could be triggered via text messages and calls coming from a specific number configured by the malware operator.

CarbonSteal Can Be Used for Data Theft and Long-Term Monitoring

The primary purposes of CarbonSteal appear to be spying on users and stealing potentially sensitive files from their device. Some of the implant's primary features allow it to:

  • Collect call logs.
  • Monitor and steal SMS or MMS messages.
  • Gather hardware information about the device's disk and CPU.
  • Collect software information such as Android version, installed applications, running applications, and configuration.
  • Collect files used by popular Chinese applications such as QQ (messaging application) and MiCode (note-keeping application).
  • Use the GPS sensor to track the device's location.
  • Record conversations, or environmental audio via the microphone.
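The capability list above, together with the SMS-driven control channel described earlier, can be turned into a simple triage heuristic for analysts: an APK whose manifest requests the same combination of call-log, SMS/MMS, location and microphone permissions and also registers an SMS broadcast receiver deserves a closer look. The script below is an added example and not code from the page or from any CarbonSteal sample; the manifest it parses is constructed for illustration, and the permission-to-capability mapping and scoring weights are assumptions of this example.

```python
"""Triage heuristic: score an AndroidManifest.xml against the capability set
described for CarbonSteal (call logs, SMS/MMS, location, microphone) plus an
SMS broadcast receiver, which an SMS-driven control channel needs to work
without a data connection. The sample manifest is constructed, not real."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Capability from the page -> Android permissions that grant it (assumed mapping).
CAPABILITIES = {
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "sms_mms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                "android.permission.RECEIVE_MMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "microphone": {"android.permission.RECORD_AUDIO"},
}

def triage_manifest(xml_text: str) -> dict:
    """Return matched capabilities, whether an SMS receiver exists, and a score."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    matched = {cap for cap, needed in CAPABILITIES.items() if perms & needed}
    # A receiver for SMS_RECEIVED lets an app react to incoming texts offline.
    sms_receiver = any(
        act.get(ANDROID_NS + "name") == SMS_RECEIVED
        for recv in root.iter("receiver") for act in recv.iter("action"))
    # Weights are arbitrary: the offline control path counts as two capabilities.
    score = len(matched) + (2 if sms_receiver else 0)
    return {"capabilities": sorted(matched), "sms_receiver": sms_receiver, "score": score}

# Constructed manifest mimicking a fake VPN app with surveillance permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".SmsControl">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest extracted from an APK (for example with `apktool` or `aapt dump xmltree`) to get a quick score before deeper static analysis; a high score is a prompt to investigate, not a verdict.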

The CarbonSteal implant was found almost exclusively in fake copies of popular applications in China – VPN clients, games, chat applications, Android configurators, and adult games were some of the primary themes used to propagate the CarbonSteal malware.
