Security company warns of new Android malware in the wild

Apr 3, 2018 12:00 GMT

Android devices are being targeted by a new form of malware that is specifically aimed at stealing private conversations on IM applications like Facebook Messenger, Skype, Telegram, Twitter, Viber, and others.

The malware, which was detected by Trustlook (via FossBytes), can modify the “/system/etc/install-recovery.sh” file so that it starts at every boot, ensuring that it can keep extracting instant messaging data even after the device is restarted.

The first infected application is called Cloud Module and is spreading in China under the package name com.android.boxa. It hasn’t yet reached the Google Play Store, and the malware is most likely meant to reach devices through non-store distribution channels, such as email and downloads from third-party hosting sites.
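A defender-side triage of the two indicators named above (the com.android.boxa package and a changed /system/etc/install-recovery.sh), as an added example that is not from Trustlook or this article. It assumes the package list and boot script were already collected with adb and that a known-good copy of the script from the matching factory image is available; the sample data and the placeholder line are constructed.

```shell
#!/bin/sh
# Added triage sketch, not Trustlook's tooling. Assumed collection steps:
#   adb shell pm list packages > packages.txt
#   adb pull /system/etc/install-recovery.sh current.sh
# baseline.sh: assumed known-good copy from the matching factory image.

IOC_PACKAGE="com.android.boxa"   # package name reported in the article

# True if the package list ($1) contains the reported name as an exact entry.
has_ioc_package() {
    tr -d '\r' < "$1" | grep -qxF "package:${IOC_PACKAGE}"
}

# Print non-blank lines of the device script ($2) absent from the baseline ($1).
added_boot_lines() {
    tr -d '\r' < "$2" | grep -vxFf "$1" | grep -v '^[[:space:]]*$' || true
}

# triage PACKAGES BASELINE CURRENT: print a verdict, then any added lines.
triage() {
    extra=$(added_boot_lines "$2" "$3")
    if has_ioc_package "$1" && [ -n "$extra" ]; then verdict="package+boot-script"
    elif has_ioc_package "$1"; then verdict="package-only"
    elif [ -n "$extra" ]; then verdict="boot-script-modified"
    else verdict="no-indicator"
    fi
    printf '%s\n' "$verdict"
    [ -z "$extra" ] || printf '%s\n' "$extra" | sed 's/^/  added: /'
}

# Constructed sample data; the appended line is a placeholder, not the real
# sample's content (the article does not say what the malware writes).
write_sample() {
    printf 'package:com.android.settings\r\npackage:com.android.boxa\r\n' > "$1/packages.txt"
    printf '#!/system/bin/sh\necho stock-step\n' > "$1/baseline.sh"
    printf '#!/system/bin/sh\necho stock-step\n/system/bin/PLACEHOLDER_daemon &\n' > "$1/current.sh"
}

if [ "$#" -eq 3 ]; then
    triage "$@"
else
    d=$(mktemp -d); write_sample "$d"
    triage "$d/packages.txt" "$d/baseline.sh" "$d/current.sh"
    rm -rf "$d"
fi
```

Added lines are a lead rather than proof: legitimate changes to the script, for example from rooting tools, show up the same way.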

Chats uploaded to remote server

In other words, Android users who only install apps from the Google Play Store should be safe. While Android security solutions could detect the Trojan, Trustlook warns that the malware was designed to avoid detection, using anti-emulator and debugger detection techniques that allow it to bypass dynamic analysis.

“Code obfuscation/hiding increases the malware author’s ability to avoid detection and becomes a sophisticated challenge to anti-virus software,” Trustlook notes in its analysis.

Once the malware compromises an Android device, it automatically looks for conversations in these applications. The data is extracted and then sent to a remote server. The security vendor says the server’s IP address is specified in the malware’s configuration file, allowing the Trojan to operate without any further commands sent by the author.

The full list of instant messaging apps targeted by the malware is available below. Keep in mind that as long as you stick with legitimate download sources for Android apps, this new form of malware is highly unlikely to compromise your device. Also, if you’re running third-party security software, updating it should help block any possible intrusion.

List of apps targeted by malware
Tencent WeChat, Weibo, Voxer Walkie Talkie Messenger, Telegram Messenger, Gruveo Magic Call, Twitter, Line, Coco, BeeTalk, TalkBox Voice Messenger, Viber, Momo, Facebook Messenger, Skype