"Dual Instance" malware spotted targeting Chinese users

Oct 19, 2016 23:15 GMT  ·  By

An Android application distributed currently only in China can steal a user's Twitter credentials and uploads them to an online server.

The malware's name is "Dual Instance," nicknamed this way after a feature found in most social media apps today that allow users to log in with multiple accounts.

Because the Chinese government blocks Twitter in China, users who want to use the social network have to find other "means" to connect to the service.

Since not everyone is tech-savvy enough to install a VPN and then download and install the official Twitter Android app, malware authors are exploiting this to their advantage.

"Dual Instance" Twitter app spread via Chinese forums

Security researchers from Avast say they've discovered a variation of the official Twitter Android app, spread in China via online forums.

The app's maker tells users they can install his app and access Twitter, despite the national ban. To get a leg up on his competitors, who are also offering cloned Twitter apps, the author says that users can also run multiple accounts at the same time.

Avast researchers say that this app, which also uses the official "Twitter" name, secretly logs username and password data entered inside the app's login field.

The app works by starting a VPN connection to Twitter servers when the user starts the fake Twitter app. The VPN allows the app to retrieve Twitter content and bypass China's state-sanctioned firewall.

Malicious app uses sandboxed environments to suppport dual accounts

Avast says that this app is not a pure clone of the official Twitter app, and as such, cannot support multiple accounts by default. To deliver on the promised behavior, the app also includes VirtualCore, an open-source framework that allows developers to create small virtual machines (sandboxes) in which to run another Android app.

Both the original app and the VirtualCore-based instances include functions that record whatever the user types in his username and password field when setting up the app and its various accounts.

The app then sends this data to the Android logcat service, from where the Dual Instance malware retrieves the username and passwords, and uploads them to a remote server.

Non-Chinese users should fear the malware as well

Technically, the malicious behavior is app agnostic, and could, in theory, be ported to other apps that need dual instance behavior.

While currently targeting Chinese users, the rest of Android users should also be very, very careful. While Twitter or Instagram provide support for dual accounts, there are many other apps that don't.

Searching the Google Play Store, you can find tens of apps that provide dual account support for popular apps that don't have this feature by default. Malware authors will find a fertile ground from where to harvest user credentials, if they find a way around Google's app review process.

Play store offering dual account support" alt="Apps on Google Play Store offering dual account support" />
Apps on Google Play Store offering dual account support

Photo Gallery (2 Images)

Malware steals user credentials via fake Twitter app
Apps on Google Play Store offering dual account support
Open gallery