Mobile spyware that steal Twitter credentials uses sandbox to Evade antivirus detections

[jpshare]Security Experts from Avast came through a Malware that uses a sandbox(DroidPlugin) to dynamically load and run an app, without actually installing the app, just like VirtualApp.

This makes it harder for antivirus solutions for recognizing the malware, as its malicious parts are not put away in the host application.

This malware is spread through Evergreen social Engineering tactics and they are to steal user’s Twitter credentials.

Avast said The malware masks itself as Wandoujia, a well known Android application store in China.

Interestingly, the malware developer presented an issue to DroidPlugin to report an out-of-memory issue around the time the new variation was discharged.

Malicious Action

It hides all of its files within the asset directory, for DroidPlugin to run.It consists of many plugins and they do their functions.

Once of the plugin communicates with the C&C server and from that instructions will accomplish to other APK files.

• android.adapi.task
• android.adapi.file
• android.adapi.radio
• android.adapi.location
• android.adapi.camera
• android.adapi.update
• android.adapi.online
• android.adapi.contact
• android.adapi.wifi

Why DroidPlugin plugin used?

The malware won’t really installed on the infected phone, rather it installs the modules by utilizing DroidPlugin.

Avast said “Based on our experience, we suspect this is done to bypass antivirus detections. If the host app doesn’t include malicious actions, and all the malicious actions are moved to plugins which are dynamically downloaded, it makes it difficult for antivirus solutions to detect the host app”.

While it can be easy to utilize a sandbox to run an application without installing it, sandboxes can likewise be utilized maliciously by malware developers.This malware has been recognized by Avast as Android:Agent-MOK

Sha-1 hash : e2b05c8fdf3b82660f7ab378e14b8feab81417f0

Also Read:

• Most important considerations with Malware Analysis Cheats And Tools list.
• A Fileless Malware Called “ATMitch” Attack The ATM machines Remotely and Delete The Attack Evidence.
• Mobile apps of seven larger banks in India affected with Malware – Still not yet fixed.