Dropper RealShell shows malware devs are getting smarter
The Android Trojan dropper can avoid existing defences to install malicious files on Android devices


A malware intelligence analyst has uncovered a sophisticated Android Trojan dropper that can install malware onto devices, bypassing any traditional defences.
Malwarebytes senior malware intelligence analyst Nathan Collier said the dropper can install malicious files into either the raw or the assets folder in the Android Application Package (APK) of a device.
"Trojan.Dropper.RealShell uses several files stored in the Assets folder to build another APK. It accomplishes this by reading from the files found in the Assets folder and then writing them into a single file with the extension .lock," Collier wrote on his blog.
"The .lock file is an Android RandomAccessFile which means it has the ability to read lines from one file, and then write them in a random or manually assigned sequence to another file."
When the process is complete, a new APK file is produced. But this new file is different to a normal APK file because it doesn't have a manifest file or anything else that helps it run. It uses the manifest file and resources from the parent APK that built it to run, with the help of DexClassLoader so it can work without using code installed on the device.
This newly built app then creates another APK containing PUP.RiskPay.Skymobi, an untrustworthy SMS payment SDK, which is dropped into libraries stored in the parent APK so it can build a new PUP.RiskPay.Skymobi app, complete with its own manifest files and resources to make it run.
Collier said: "Obfuscation in mobile malware is nothing new, but the tactics are becoming more complex. This just shows that there is becoming more of a focus on mobile in the malware industry.
"As more people replace PCs with tablets, smartphones, and other Android devices we fully expect this trend of more complex obfuscation on mobile malware to continue."
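
A static triage check for the pattern described above (payload pieces stored in the assets or raw folder, reassembled and loaded with DexClassLoader), as an added Python example that is not code from the article or from Malwarebytes. The marker lists, function names and the in-memory sample APK are assumptions constructed for illustration.

```python
import io
import zipfile

# Heuristics chosen for this example (assumptions, not indicators from the article).
PAYLOAD_DIRS = ("assets/", "res/raw/")
MAGICS = {b"PK\x03\x04": "zip/apk", b"dex\n": "dex"}
LOADER_STRINGS = ("DexClassLoader", "RandomAccessFile")

def triage_apk(data: bytes) -> dict:
    """Static triage: archive/DEX headers hidden in assets plus loader references."""
    report = {"embedded": [], "loader_refs": set(), "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for info in apk.infolist():
            name = info.filename
            if info.is_dir():
                continue
            if name.startswith(PAYLOAD_DIRS):
                # Only the first piece of a split payload carries the header.
                head = apk.read(name)[:4]
                for magic, kind in MAGICS.items():
                    if head.startswith(magic):
                        report["embedded"].append((name, kind))
            elif name.startswith("classes") and name.endswith(".dex"):
                # DEX string tables store type names as plain ASCII descriptors.
                body = apk.read(name)
                report["loader_refs"].update(
                    s for s in LOADER_STRINGS if s.encode() in body)
    report["suspicious"] = bool(report["embedded"]) and \
        "DexClassLoader" in report["loader_refs"]
    return report

def build_sample(dropper_like: bool) -> bytes:
    """Constructed in-memory APK stand-in; contents are inert filler bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        if dropper_like:
            z.writestr("classes.dex", b"dex\n035\x00Ldalvik/system/DexClassLoader;"
                                      b"\x00Ljava/io/RandomAccessFile;")
            z.writestr("assets/a0", b"PK\x03\x04" + b"\x00" * 16)  # first piece
            z.writestr("assets/a1", b"\x00" * 16)                  # later piece
        else:
            z.writestr("classes.dex", b"dex\n035\x00Landroid/app/Activity;")
            z.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()

if __name__ == "__main__":
    for dropper_like in (True, False):
        print(dropper_like, triage_apk(build_sample(dropper_like)))
```

Legitimate apps also load code dynamically, so a hit is a reason to inspect the sample further, not a verdict.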

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.