
Researchers Alarmed Over Aggressive Android Malware That Steals Private Messages

Posted: June 11, 2018

In April this year, cyber-security company Trustlook detected a new Android malware threat that could put users' privacy at risk. The new Trojan has been specifically designed to attack Instant Messaging services and to steal private conversations from applications such as Skype, Viber, Twitter, Facebook Messenger, Telegram, and many others. A full list of the apps affected by the new malware has been provided by Trustlook on their website. The app through which the malware is distributed has been identified as "Cloud Module" in Chinese, while the name of the malicious package is "com.android.baxa."

The malware has an overall simple architecture, yet it applies code obfuscation to its configuration file and to some of its modules in order to avoid detection. In particular, it is capable of bypassing dynamic analysis through anti-emulator and debugger detection techniques, even though most security solutions for Android should be able to detect the Trojan. It also hinders reverse-engineering attempts by hiding strings inside its code.

Apart from its detection-evasion capabilities, Cloud Module also modifies the "system/etc/install-recovery.sh" file so that the malicious code executes at every boot of the infected device, ensuring that the malware's functionality survives a restart. Once the malware penetrates the targeted Android device, it starts scanning for conversations within the above-mentioned IM apps. As soon as any relevant data is found, it is extracted and sent to a remote server controlled by the attackers. This new Android Trojan is also able to operate without receiving any additional commands from its author, because the IP address of the attackers' remote server is contained within the malware's configuration file.
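The persistence mechanism described above can be checked from the defender's side. The script below is an added example, not code from Trustlook or from this article: it audits an offline copy of a device's install-recovery.sh for lines a stock script would not contain, using a constructed sample in which the appended lines and the PLACEHOLDER_* values are hypothetical.

```shell
#!/bin/sh
# Added example (not from Trustlook's report): audit an offline copy of a
# device's /system/etc/install-recovery.sh for lines that a stock script
# would not contain. The stock script only runs applypatch to re-flash the
# recovery partition; lines that start an app, reference /data or /sdcard,
# or name the reported package com.android.baxa deserve review.

# Constructed sample: a stock-looking script with two hypothetical appended
# lines of the kind a boot-time persistence hook would add. PLACEHOLDER_*
# values stand in for the real partition size and SHA-1 a device carries.
SAMPLE_SCRIPT='#!/system/bin/sh
if ! applypatch --check EMMC:/dev/block/bootdevice/by-name/recovery:PLACEHOLDER_SIZE:PLACEHOLDER_SHA1; then
  applypatch --patch /system/recovery-from-boot.p --target EMMC:/dev/block/bootdevice/by-name/recovery:PLACEHOLDER_SIZE:PLACEHOLDER_SHA1
fi
/data/local/tmp/.cm/loader &
am start -n com.android.baxa/.Main'

# Patterns that should never appear in a stock install-recovery.sh.
SUSPICIOUS_RE='(/data/|/sdcard/|com\.android\.baxa|^[[:space:]]*am[[:space:]]+start|^[[:space:]]*pm[[:space:]]+install)'

# audit_install_recovery FILE: print flagged lines with line numbers.
# Exit status is grep's: 0 if anything was flagged, 1 if the file is clean.
audit_install_recovery() {
  grep -n -E "$SUSPICIOUS_RE" "$1"
}

# count_suspicious FILE: number of flagged lines (0 for a clean script).
count_suspicious() {
  audit_install_recovery "$1" | wc -l | tr -d ' '
}

# Demo run on the constructed sample. On a real device, pull the file first:
#   adb pull /system/etc/install-recovery.sh ./install-recovery.sh
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SCRIPT" > "$tmp"
echo "flagged lines: $(count_suspicious "$tmp")"
audit_install_recovery "$tmp"
rm -f "$tmp"
```

A non-zero count is a prompt for review, not proof of infection; compare the flagged lines against the same file from a known-clean firmware image of the same build.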

The researchers claim that, so far, Cloud Module is spreading mostly in China. The good news is that the malware-laced application has not managed to sneak into the official Google Play Store yet, as the authors have most likely intended to distribute it through email campaigns and downloads from third-party hosting sites. The attackers' main purpose has probably been to collect private and sensitive data like images, conversations, and videos with the intention of using these for extortion at some later point in time.

Users who download Instant Messaging apps only from the Google Play Store should be safe from this particular threat. However, those who have installed such apps from other, untrusted sources should check whether their device is clean. Reliable and up-to-date security software should also be able to prevent infection with this new type of Android malware.
