New Android Trojan Steals Data from Messaging Apps Like Facebook, Twitter And Telegram.
The cybersecurity firm Trustlook Labs has found an Android Trojan that obfuscates its configuration file and part of its modules.
The obfuscation exists to evade detection while the malware remotely steals data from messaging apps. The malware can modify the “/system/etc/install-recovery.sh” file so that it starts at every boot, ensuring it can keep extracting instant-messaging data even after the device is restarted.
The malware collects information from the following apps:
- Tencent WeChat
- Voxer Walkie Talkie Messenger
- Telegram Messenger
- Gruveo Magic Call
- TalkBox Voice Messenger
- Facebook Messenger
The malware has a Chinese name and uses anti-emulator and anti-debugger detection techniques to evade dynamic analysis. It also attempts to hide its strings to avoid detection.
The malware also bundles several modules in its assets folder, and all of them are encrypted.
[Screenshot by Trustlook]
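One way a defender can triage the "encrypted modules in the assets folder" trait described above is to score every assets/ entry of an APK by Shannon entropy and flag the ones that look encrypted or packed. This is an added example, not Trustlook's tooling or code from the malware; the threshold, the skipped container magics and the in-memory sample APK are all constructed assumptions.

```python
import io
import math
import os
import zipfile
from collections import Counter

# Assumed cut-off in bits per byte: compressed or encrypted data sits close to 8.0,
# while text, XML and JSON assets usually stay well below 6.0.
ENTROPY_THRESHOLD = 7.5

# Containers that are legitimately high-entropy; skipped to reduce false positives.
KNOWN_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"PK\x03\x04", b"\x1f\x8b")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a blob in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_assets(apk_bytes: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Map each assets/ entry whose entropy is at or above threshold to its score."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            blob = zf.read(info)
            if blob.startswith(KNOWN_MAGIC):
                continue  # image or archive: high entropy by design, not evidence of encryption
            score = shannon_entropy(blob)
            if score >= threshold:
                flagged[info.filename] = round(score, 3)
    return flagged


def build_sample_apk() -> bytes:
    """Constructed sample: an APK-like zip with a plain asset, an 'encrypted' one and a PNG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("assets/config.json", '{"server": "example.invalid"}' * 20)
        zf.writestr("assets/module.dat", os.urandom(4096))  # stands in for an encrypted module
        zf.writestr("assets/icon.png", b"\x89PNG\r\n\x1a\n" + os.urandom(512))
    return buf.getvalue()


if __name__ == "__main__":
    for name, score in suspicious_assets(build_sample_apk()).items():
        print(f"{name}: entropy {score} bits/byte, looks encrypted or packed")
```

Entropy alone is a triage signal, not proof: a flagged asset still needs to be decrypted or unpacked by the loader code before its behaviour can be assessed.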
Code obfuscation and hiding make it easier for the malware author to evade detection and pose a serious challenge for anti-virus software.