Trustlook Labs found a trojan that target messenger app information

The security researcher at Trustlook Labs recently discovered a new type of Trojan horse from a Chinese Android application designed to steal data from mobile instant messaging (IM) software.

According to the Trustlook laboratory, the Trojan has only a few features. The first is to extract the code from the resources of the infected application to gain boot persistence. The code will attempt to modify the “/system/etc/install-recovery.sh” file and, if successful, it will allow execution of the Trojan horse each time the infected device boots.

Second, Trojan horses can extract data from multiple Android instant messaging applications that will later be uploaded to command and control (C&C) servers. The IP address of the C&C server is contained in the configuration file of the Trojan horse. The Trojan virus will also obtain commands from this server. The Trojan-targeted Android instant messaging software target list is as follows:

• Tencent WeChat
• Weibo
• Voxer Walkie-Talkie Messenger
• Telegram Messenger
• Gruveo Magic Call
• Twitter
• Line
• Coco
• BeeTalk
• TalkBox Voice Messenger
• Viber
• Momo
• Facebook Messenger
• Skype

Trustlook researchers said that although the Trojan virus only focuses on stealing Android instant messaging software data, it still uses some advanced evasion techniques. For example, it uses anti-emulator and debugger detection techniques to evade dynamic analysis and also hides strings in its source code to prevent reverse engineering attempts.

What’s surprising here is that there is very little malware that is designed to implement a single malicious function while using so many advanced evasion techniques. The Trojan virus found by Trustlook Labs seems to be an exception. It does only perform one single malicious operation, stealing and uploading Android instant messaging data.

Security experts believe that this design choice is most likely due to the fact that the Trojan horse developer is preparing to intimidate extortion. In previous cases, the purpose of attackers collecting private conversations, pictures, and videos is to try to find out some sensitive information from them. This information will play a key role in the subsequent extortion activities, especially for some public figures. Say.

Unfortunately, Trustlook Labs has not yet shared relevant information on the transmission of the Trojan virus. However, considering that the virus was discovered from a Chinese application, there is no official Google Play store in our country. Therefore, the Trojan virus is likely to be spread through certain third-party application stores, software-sharing websites, or forums.