Android infostealer masquerading as MS Word document

A clever Android information-stealing piece of malware is lurking on third-party app markets popular with Chinese users.

“The malware portrays itself as a data file with an icon similar to that used by Microsoft Word documents,” Zscaler researchers noted. “Once installed, the malware scans the device for SMS messages and other personally identifiable information such as the IMEI number, SIM card number, Device ID, victim’s contact information, etc. and sends this to the attacker via email.”

When the victim tries to start the app, he or she gets an error message saying that the software is not compatible with the phone, and the icon disappears from the device screen.

Simultaneously, the app starts its real work in the background, searching for information and starting Android services and task threads that will help it extract the targeted data.

Both the phone number that the Trojan sends SMS messages to and the email to which it sends the exfiltrated information are hard-coded in the malware. Interestingly enough, the password for the email account is also included.

This allowed the researchers to access the account and discover that over 300 users have fallen victims to the malware since October 10, 2015.

The malware can also be instructed via SMS to start a silent call to numbers provided by they attacker. This capability can be used by attackers to listen in on what’s happening in the device’s vicinity (among other things).

“In early Windows malware attacks, attackers would often name the malicious files with eye-catching titles and use common icons to entice victims to open the file,” the researchers pointed out. “Due to the ubiquitous nature of mobile devices, its no wonder that PC based malware techniques are appearing in mobile domains.”

The malware runs with Administrative Access and it’s difficult to remove. Users who discover it on their phones and want to get rid of it must boot their device in safe mode, go to Settings > Security > Device Administrator to deactivate it, and then uninstall it by going to Settings > Apps.


Subscribe to the Help Net Security breaking news e-mail alerts:


Don't miss