Jun 17, 2011 15:54 GMT

Security researchers from mobile security vendor Lookout have identified an Android trojan which targets devices with custom ROMs and employs a new trick to execute its payload.

Dubbed jSMSHider, the malware is distributed through alternative Android markets, predominantly in China, and, as usual, comes bundled with legitimate applications.

"To date, we have identified eight separate instances of jSMSHider and because the distribution is limited to alternative app markets targeting Chinese Android users, the severity for this threat is low," the Lookout researchers note.

"This Trojan, jSMSHider, predominantly affects devices where the owner has downloaded a custom ROM or rooted phone," they add.

Custom ROMs are versions of Android compiled and distributed by third parties, not the original device manufacturers. One of the most popular custom ROMs is CyanogenMod.

The trojan exploits a loophole in the Android security model: any application signed with the same key as the system image receives enhanced permissions and can install and uninstall other apps without requesting permission.

Since most of the private keys used to sign custom ROMs are available in the Android Open Source Project (AOSP), it is easy for the trojan's creators to misuse them.
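As an added illustration (not code from Lookout or from the original article), the check below models the rule described above on a constructed app inventory: it reports whether the ROM's platform certificate is a publicly available one and flags apps outside the system image that share it and request install or uninstall rights. The package names, the byte strings standing in for certificates and the `audit` helper are assumptions made for the example.

```python
import hashlib

# Real AOSP permissions reserved for apps signed with the platform key
# (or preinstalled on the system image).
SIGNATURE_PERMS = {
    "android.permission.INSTALL_PACKAGES",
    "android.permission.DELETE_PACKAGES",
}

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a signing certificate (DER bytes)."""
    return hashlib.sha256(cert_der).hexdigest()

def granted_silently(pkg, platform_fp):
    """Signature-level permissions the package gets with no user prompt."""
    if fingerprint(pkg["cert"]) != platform_fp:
        return set()
    return SIGNATURE_PERMS & set(pkg["requested"])

def audit(packages, platform_cert, public_test_certs):
    """Return (rom_signed_with_public_key, findings).

    findings lists apps that are NOT part of the system image but share
    its signing key and request install/uninstall rights.
    """
    platform_fp = fingerprint(platform_cert)
    public_fps = {fingerprint(c) for c in public_test_certs}
    findings = []
    for pkg in packages:
        perms = granted_silently(pkg, platform_fp)
        if perms and not pkg["path"].startswith("/system/"):
            findings.append((pkg["name"], sorted(perms)))
    return platform_fp in public_fps, findings

# Constructed sample data: byte strings stand in for DER certificates.
PUBLIC_TEST_CERT = b"constructed: publicly available test-key certificate"
VENDOR_CERT = b"constructed: privately held vendor certificate"
DEV_CERT = b"constructed: third-party developer certificate"
INSTALL = "android.permission.INSTALL_PACKAGES"
INVENTORY = [
    {"name": "com.example.settings", "path": "/system/app/Settings.apk",
     "cert": PUBLIC_TEST_CERT, "requested": [INSTALL]},
    {"name": "com.example.game", "path": "/data/app/com.example.game-1.apk",
     "cert": DEV_CERT, "requested": [INSTALL, "android.permission.INTERNET"]},
    {"name": "com.example.bundled", "path": "/data/app/com.example.bundled-1.apk",
     "cert": PUBLIC_TEST_CERT, "requested": [INSTALL, "android.permission.SEND_SMS"]},
]

if __name__ == "__main__":
    print(audit(INVENTORY, PUBLIC_TEST_CERT, [PUBLIC_TEST_CERT]))
```

On a ROM signed with a privately held key the same inventory produces no findings, because the shared-key condition is never met.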

The trojan uses this trick to drop a secondary payload on the ROM which communicates with a remote server. This component can read, send and process SMS messages, install apps, open URLs in the background and exchange encrypted messages with the C&C server.

"In three of the samples found, we saw that if jSMSHider cannot successfully install the secondary payload, it can still send SMS messages and open a URL silently in the background," Lookout warns.

Even though this particular version of the trojan originated in China, it has the ability to go international, like many before it. It also underlines that, as security researchers predicted in the early days of Android, malware thrives on this platform thanks to its openness.