Saturday, May 18, 2024

Mobile spyware that steal Twitter credentials uses sandbox to Evade antivirus detections

[jpshare]Security Experts from Avast came through a Malware that uses a sandbox(DroidPlugin) to dynamically load and run an app, without actually installing the app, just like VirtualApp.

This makes it harder for antivirus solutions for recognizing the malware, as its malicious parts are not put away in the host application.

This malware is spread through Evergreen social Engineering tactics and they are to steal user’s Twitter credentials.

Avast said The malware masks itself as Wandoujia, a well known Android application store in China.

Interestingly, the malware developer presented an issue to DroidPlugin to report an out-of-memory issue around the time the new variation was discharged.

Malicious Action

It hides all of its files within the asset directory, for DroidPlugin to run.It consists of many plugins and they do their functions.

Mobile spyware that steal Twitter credentials uses sandbox to Evade antivirus detections
      DDroid Plugin Integration Source: Avast

Once of the plugin communicates with the C&C server and from that instructions will accomplish to other APK files.

  • android.adapi.task
  • android.adapi.file
  • android.adapi.location
  • android.adapi.update
  • android.adapi.wifi

Why DroidPlugin plugin used?

The malware won’t really installed on the infected phone, rather it installs the modules by utilizing DroidPlugin.

Avast said “Based on our experience, we suspect this is done to bypass antivirus detections. If the host app doesn’t include malicious actions, and all the malicious actions are moved to plugins which are dynamically downloaded, it makes it difficult for antivirus solutions to detect the host app”.

While it can be easy to utilize a sandbox to run an application without installing it, sandboxes can likewise be utilized maliciously by malware developers.This malware has been recognized by Avast as Android:Agent-MOK

Sha-1 hash : e2b05c8fdf3b82660f7ab378e14b8feab81417f0

Also Read:


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles