A Trojan with Hidden Malicious Code Steals User’s Messenger App Information
(Apr 2, 2018)
TrustLook Labs researchers have discovered an Android trojan capable of stealing information from the messaging applications installed on a device. The malware is distributed via a malicious Chinese application called “Cloud Module” (in Chinese) with the package name “com.android.boxa.” It gains persistence by attempting to modify the “/system/etc/install-recovery.sh” file, which allows the trojan to execute every time the device boots. While the malware can steal information from 14 different messaging applications, its most notable feature is its sophisticated evasion, which includes anti-emulator and anti-debugger detection techniques.
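A defender-side triage check for the persistence mechanism described above, added here as an example and not part of the original report: it flags lines in a pulled copy of /system/etc/install-recovery.sh that run anything other than the stock applypatch/log commands or that reference a user-writable path. The stock-script baseline and both sample scripts are assumptions constructed for the example.

```python
"""Triage a pulled copy of /system/etc/install-recovery.sh for boot-time
persistence (added example; the stock baseline below is an assumption)."""
import re

# Commands the stock script is expected to run (assumed baseline, not from the report).
EXPECTED_COMMANDS = {"applypatch", "log", "exit"}
# User-writable locations a system boot script has no business executing from.
WRITABLE_PREFIXES = ("/data/", "/sdcard/", "/storage/", "/mnt/")
SHELL_KEYWORDS = {"if", "!", "then", "else", "elif", "fi", "do", "done"}
SEGMENT_SPLIT = re.compile(r";|&&|\|\||\|")


def commands_in(line):
    """Yield the argv of each simple command on one shell line."""
    for segment in SEGMENT_SPLIT.split(line):
        argv = segment.split()
        while argv and argv[0] in SHELL_KEYWORDS:
            argv.pop(0)
        if argv:
            yield argv


def suspicious_lines(script_text):
    """Return (line_no, line, reasons) for every line that deviates from the baseline."""
    findings = []
    for no, raw in enumerate(script_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drops comments and the shebang
        if not line:
            continue
        reasons = []
        for argv in commands_in(line):
            if argv[0] not in EXPECTED_COMMANDS:
                reasons.append(f"unexpected command {argv[0]!r}")
            if any(tok.startswith(WRITABLE_PREFIXES) for tok in argv):
                reasons.append("executes or references a user-writable path")
        if reasons:
            findings.append((no, line, reasons))
    return findings


# Constructed samples: a stock-style script, and the same script with an appended launcher.
STOCK_SCRIPT = """#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/bootdevice/by-name/recovery:1024:0000; then
  applypatch -b /system/etc/recovery-resource.dat EMMC:/dev/block/bootdevice/by-name/boot:1024:1111 EMMC:/dev/block/bootdevice/by-name/recovery 2222 1024 1111:3333 && log -t recovery "Installing new recovery image: succeeded" || log -t recovery "Installing new recovery image: failed"
else
  log -t recovery "Recovery image already installed"
fi
"""
TAMPERED_SCRIPT = STOCK_SCRIPT + "nohup /data/data/com.android.boxa/files/svc >/dev/null 2>&1 &\n"

if __name__ == "__main__":
    for no, line, reasons in suspicious_lines(TAMPERED_SCRIPT):
        print(f"line {no}: {line}\n    " + "; ".join(reasons))
```

On a real device the file can be pulled with `adb pull /system/etc/install-recovery.sh` and compared against the same file from a known-clean firmware image of the same build, which is a stronger check than the heuristic baseline used here.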
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions the application will request and the comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up to date with the latest security patches and employ trusted antivirus software.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.