Cyber Security researchers have discovered a new strain of Chinese Android Malware that is customised to steal chats, shared videos, pictures and audio files. One of the Chinese apps, Cloud Module (in Chinese) was found to be infected with this malware with the package name com.android.boxa. It was observed that instead of a full-blown remote administration Trojan like others, this one is rather simple and only aims at stealing data from Instant Messaging (IM) Apps alongside with making sure that it is persistent and well protected from malware detection and prevention systems.
What is Chinese Android Malware?
Once installed, It infects internal Android configuration files to make itself launch every time the mobile device starts. This is to make sure that the attacker is always listening to all your private communication. Moreover, this malware was found with advance anti malware evasion techniques that included abilities to detect if it was being run on an emulated/virtual environment which is generally used by malware analysts to monitor the working of a malware in an isolated environment.
It was also observed that the source code of the malware was completely obfuscated to make it extremely difficult for analysts and Anti malware to understand the working of the Chat stealing trojan.
Which messaging Apps are targeted by the boxa trojan?
It targets a total of 14 IMs as of now. They are as follows:
- Facebook Messenger
- Voxer Walkie Talkie Messenger
- Gruveo Magic Call
- TalkBox Voice Messenger
How does this malware spread?
As this is a Chinese malware and China doesn’t have any Google Play Store, this malware is speculated to spreading through 3rd party Android app stores and phishing campaigns. What this means is Google’s internal antimalware measures will not detect this malware and nor can Google remotely uninstall the infected apps even if it finds out about them.
How to stay safe?
Users need to be extremely cautious while installing applications on their devices. One must never download apps from 3rd party app stores especially the ones that offer extra functionalities like cracked versions of paid apps and apps with unlocked paid features such as Games and other In-App purchases.
Moreover, as this malware is quite possibly being spread via Phishing Campaigns just like most other malware, users should keep an eye out for fake emails, messages, pop-ups etc that ask them to click links/download 3rd party apps. Never click on untrusted links and never download from untrusted sources.
Always check what all permission the app requires the users to allow before installation. Stay cautious with permissions that don’t seem legitimate, for instance, if a calculator app wants to access your call logs or messages it is clear that the app wants unnecessary permission and can be malicious.
Don’t download apps from unknown sources, they can be infected with data-stealing malware hidden behind a genuine looking app. Stay away from pirated apps. Do not enter your confidential details like your bank account details etc on any application other than the one that the data belongs to. Ie. your bank app.
For added security, set your app store settings to “Do not allow third-party app downloads from untrusted sites.” Google recently launched “Google play protect”. Make sure that the application is verified by “Google Play Protect” else avoid downloading the app.
Check reviews and ratings given by others users who have installed the application.If the ratings are unsatisfactory it is not preferable to download the app. Check the number of downloads, if the number of downloads is less than 50k, it may be risky to download the app.
Check the app for spelling errors, grammatical errors or logos that appear to be poorly designed. These may point to malicious or simply ill-managed apps. If there is an invalid email address and no official website then it is likely that it is a fake app. If the application contains lots of advertising or pop-ups then it’s better to uninstall the app as it may be designed for phishing purposes.
It’s always good to have a reputed antivirus/antimalware app in your smart-device as it will keep protected from most attacks. Ankush Johar, Director & Partner at Infosec Ventures said, this is an infection based malware. What that means is, it won’t be spreading as a standalone application, instead, it can inject itself into any common Android app that a user might use and spread as duplicates/cracks online.
Malicious hackers often inject such malware into pirated apps, cracks and other 3rd party enhancement apps that are generally banned on the Play Store, hence a user that has no other option, is forced to download the app online which is infected with malware and that is the sole reason why malicious hackers give away paid apps for free. Piracy has a big cost, don’t indulge in it.
What makes this malware even more dangerous is it’s targeted goal to snoop on your private messaging and it is not a long shot to assume that data extorted from these private chats of users can be infected later used against them in targeted Phishing campaigns or even straightforward blackmailing.