Andriod Malware is kept increasing and targeting victims around the world using many advanced functionalities.
This Trojan distributing as com.android.boxa and the method of distribution via a malicious app called Cloud Module in China.
This Malware is designed to steal the information from following Android Messenger.
- Tencent WeChat
- Voxer Walkie Talkie Messenger
- Telegram Messenger
- Gruveo Magic Call
- TalkBox Voice Messenger
- Facebook Messenger
Advanced Functionalities of This Android Trojan
This Malware using A lot of advanced functionalities such as anti-emulator and debugger detection techniques to evade dynamic analysis.
This Malicious app contains a lot of obfuscation function with the configured file and The purpose of the content/file obfuscation is to avoid detection.
According to trustlook research, The malware attempts to hide the strings to avoid being detected. For example, the following strings are stored in arrays and are XOR encrypted with 24 to get the real strings.
Also under the folder name called Assets contains an encrypted module and the all the module are completely encrypted and this module including “coso”, “dmnso”, “sx”, “sy”, the malware uses the first byte in the module to XOR decrypt the data.
After the complete infection, Malware will establish the connection with its command and control server which is operated by the attacker.
Later it shares the collected information once the malware gets the specific command from the attacker.
If the Android SDK version is less than 16, the malware loads “sy” module from Assets, otherwise it loads “sx” module. These modules attempt to modify the “/system/etc/install-recovery.sh” file to maintain persistence on the device.
Since the Attacker using Code obfuscation/hiding increases the malware author’s ability to avoid detection and becomes a sophisticated challenge to anti-virus software.
- MD5: ade12f79935edead1cab00b45f9ca996
- SHA256: 1413330f18c4237bfdc523734fe5bf681698d839327044d5864c9395f2be7fbe