Android Trojan Discovered Stealing Data from Popular Messengers
Security analysts at Trustlook Labs have discovered a new Android trojan that steals data from popular mobile messengers, including Facebook Messenger, Skype, Telegram, Twitter, and others.
How the Trojan Spreads
The researchers did not specify exactly how this new malware is distributed. However, since the malicious app is named “Cloud Module” in Chinese and Google Play Store is not available in China, it is likely that the trojan spreads through third-party app stores, websites, and forums.
How the Trojan Works
Despite its simplicity, the malware is highly effective. After installation, the trojan first attempts to modify the /system/etc/install-recovery.sh file. If successful, this ensures the malware remains persistent on the device and launches after every reboot.
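Because the persistence mechanism described above is a change to one well-known system file, a defender can audit that file directly. The following is an added example, not code from Trustlook or from the malware: it compares a copy of install-recovery.sh against a known-good hash and flags command lines a stock recovery-flashing script would not contain. The allowlist, the path heuristic, the sample script and the appended "tampered" line are all constructed assumptions, not the trojan's actual modification.

```python
import hashlib
import re
import shlex

# Commands a stock AOSP install-recovery.sh is expected to contain. Assumption:
# derive a device-specific allowlist from a known-good copy of the firmware.
ALLOWED = {"applypatch", "log", "if", "then", "else", "fi", "exit", "!"}
# Paths a recovery-flashing script has no reason to touch (heuristic assumption).
SUSPICIOUS_PATH = re.compile(r"/(data|sdcard|storage)/|/dev/socket/|/system/xbin/")
SPLIT_CMDS = re.compile(r"\s*(?:&&|\|\||;|\||&)\s*")


def sha256_of(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def audit_install_recovery(text: str, baseline_sha256=None) -> list:
    """Return findings for the contents of /system/etc/install-recovery.sh."""
    findings = []
    if baseline_sha256 is not None and sha256_of(text) != baseline_sha256:
        findings.append("content differs from known-good baseline hash")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines, comments and the shebang carry no commands
        if SUSPICIOUS_PATH.search(line):
            findings.append(f"line {lineno}: touches a user-writable path: {line}")
            continue
        for segment in SPLIT_CMDS.split(line):
            tokens = shlex.split(segment) if segment else []
            cmd = next((t for t in tokens if t not in {"if", "!", "then", "else"}), None)
            if cmd is not None and cmd not in ALLOWED:
                findings.append(f"line {lineno}: unexpected command '{cmd}'")
    return findings


# Constructed stand-in for a stock install-recovery.sh (hashes and offsets are fake).
STOCK = """#!/system/bin/sh
if ! applypatch -c EMMC:/dev/block/bootdevice/by-name/recovery:1234:abc123 ; then
  applypatch EMMC:/dev/block/bootdevice/by-name/boot:4096:def456 EMMC:/dev/block/bootdevice/by-name/recovery abc123 1234 def456:/system/recovery-from-boot.p && log -t recovery "Installing new recovery image: succeeded" || log -t recovery "Installing new recovery image: failed"
else
  log -t recovery "Recovery image already installed"
fi
"""

if __name__ == "__main__":
    # Untouched copy yields no findings; a hypothetical appended launcher line does.
    print(audit_install_recovery(STOCK, sha256_of(STOCK)))
    print(audit_install_recovery(STOCK + "/data/local/tmp/.svc &\n", sha256_of(STOCK)))
```

On a device the file would be pulled with `adb pull /system/etc/install-recovery.sh` and the baseline hash taken from the matching factory image.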
Once it has established itself in the system, the “Cloud Module” begins extracting data from a range of popular messengers, including:
- Tencent WeChat
- Voxer Walkie Talkie Messenger
- Telegram Messenger
- Gruveo Magic Call
- Line
- Coco
- BeeTalk
- TalkBox Voice Messenger
- Viber
- Momo
- Facebook Messenger
Advanced Evasion Techniques
Although stealing information from instant messengers is the trojan’s only function, which is unusual for such a simple piece of malware, experts note that Cloud Module uses advanced obfuscation techniques to hinder analysis. For example, the trojan evades dynamic code analysis through anti-emulator checks and debugger detection. Additionally, the malware’s developers have attempted to protect their code with encryption and XOR obfuscation.