Photo Courtesy: Dr. Web |
Security researchers from Doctor Web, Russian anti-virus software developer, have detected another new Android Trojan, which is said to be distributed among users from china to spy on their victims.
Previously, the researchers had found an Android Trojan, which spreads as a security certificate that tricks users into thinking it must be installed onto users device. That Trojan had made two-Step authentication feature insecure when it got infected users' device with a new malware which was capable of intercepting their messages and forwarding them to cybercriminals.
The Trojan dubbed Android.Backdoor.260.origin can intercept SMS messages, record phone calls, track GPS coordinates of the infected device, take screenshots, and even collect data entered by the user.
“Due to the fact that Android.Backdoor.260.origin is distributed as “AndroidUpdate”, potential victims are very likely to install it on their mobile devices,” the researchers posted in a blog.
According to the researchers, the Trojan has main malicious features that are implemented in special modules incorporated into the malware's software package. Once it gets activated, the Trojan extracts the following additional components: super, detect, liblocSDK4b.so, libnativeLoad.so, libPowerDetect.cy.so, 1.dat, libstay2.so, libsleep4.so, substrate_signed.apk and cInstall.
“Next, it tries to run the binary cInstall file (detected by Dr.Web as Android.BackDoor.41) with root privileges. If the attempt is successful, this malicious module plants a number of files extracted earlier into system folders and tries to stealthily install a utility called “Substrate”. This tool expands functionality of applications and is used by Android.Backdoor.260.origin to intercept entered data. If the Trojan does not succeed in acquiring root privileges, then, most likely, it will fail to install necessary components. As a result, the malware will not be able to perform the majority of its functions properly,” the researchers added.
Once all the modules get installed, the Trojan removes its entire shortcut created earlier and launches the malicious service called PowerDetectService which runs the malicious module with the name libnativeLoad.so. It also has been added to Dr.Web virus database under the name of Android.BackDoor.42, and Substrate.
“In fact, this tool is not actually malicious and can be easily downloaded from Google Play. However, cybercriminals have modified the original application and incorporated the new version into Android.Backdoor.260.origin. As a result, the tool became potentially dangerous for mobile devices' users,” the researchers explained.
The researchers have now warned the users not to install applications from unreliable sources. And it is important to protect their mobile device with reliable anti-virus software.