What is a Trojan? (Android.Xiny)

A Trojan is a malicious program that passes itself off as a trusted application. Once activated, it acts as a backdoor, steals sensitive information and can also behave as spyware.

Android.Xiny is a Trojan for Android devices that was embedded in games published on the Play Store. Once the Trojan is saved to a smartphone or tablet, it acquires root privileges, after which it is capable of downloading a large number of applications and showing annoying ads.

As Dr.Web explains in a blog post:

"The trojan launches the igpi module (Android.Xiny.61) which uses the ptrace function to inject the igpld.so executable Linux library (Android.Xiny.62) into the system processes of Google Play (com.android.vending) and Google Play Services (com.google.android.gms, co.google.android.gms.persistent) applications."

How does it infect?

Once launched, it drops a number of malicious components and copies them to the system folder:

  • /system/xbin/igpi;
  • /system/lib/igpld.so;
  • /system/framework/igpi.jar.

The igpi module (Android.Xiny.61) then injects the igpld.so library (Android.Xiny.62) into the system process of the Google Play Store application. It can also inject into the Zygote process, which Android uses to spawn application processes.

Once injected into Zygote, it can track the launch of new applications and inject igpi.jar into them. The main function of igpi.jar is to download plugins specified by the attacker and disrupt the device environment.
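The two artefacts the post describes, the dropped files and the library injected into app processes, are what a responder would look for on a suspect device. The script below is an added example written for this page; it is not code from the post or from Dr.Web. It checks for the three listed paths under a given root (a live device, a mounted system image or an `adb pull`ed copy of /system) and looks for igpld.so in /proc/<pid>/maps dumps of the named target processes. The maps content and the process names used for the self-test are constructed sample data.

```python
import os

# File paths the post lists as dropped by Android.Xiny into the system partition.
XINY_PATHS = [
    "/system/xbin/igpi",
    "/system/lib/igpld.so",
    "/system/framework/igpi.jar",
]

# Name of the library the post says is injected with ptrace.
INJECTED_LIBRARY = "igpld.so"


def find_dropped_files(root="/"):
    """Return the subset of XINY_PATHS that exists under `root`.

    `root` lets the same check run over a mounted system image or a pulled
    copy of /system instead of only the live device.
    """
    found = []
    for path in XINY_PATHS:
        if os.path.exists(os.path.join(root, path.lstrip("/"))):
            found.append(path)
    return found


def find_injected_library(maps_text, library=INJECTED_LIBRARY):
    """Return the distinct mapped paths in a /proc/<pid>/maps dump whose
    file name is `library` (sorted, so the result is stable)."""
    hits = set()
    for line in maps_text.splitlines():
        # maps fields: address perms offset dev inode [pathname]
        parts = line.split(None, 5)
        if len(parts) == 6 and os.path.basename(parts[5]) == library:
            hits.add(parts[5])
    return sorted(hits)


def scan_process_maps(process_maps):
    """`process_maps` maps a process name to its maps text (read from
    /proc/<pid>/maps). Returns {process_name: [library paths]} for every
    process that has the injected library mapped."""
    suspicious = {}
    for name, text in process_maps.items():
        hits = find_injected_library(text)
        if hits:
            suspicious[name] = hits
    return suspicious


# Constructed sample maps dumps (not captured from a real device).
SAMPLE_MAPS_VENDING = """\
12c00000-12d00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7f8a000000-7f8a100000 r-xp 00000000 fd:00 1234   /system/lib/libc.so
7f8b000000-7f8b010000 r-xp 00000000 fd:00 5678   /system/lib/igpld.so
7f8b010000-7f8b011000 rw-p 00010000 fd:00 5678   /system/lib/igpld.so
"""
SAMPLE_MAPS_CLEAN = "7f8a000000-7f8a100000 r-xp 00000000 fd:00 1234   /system/lib/libc.so\n"


if __name__ == "__main__":
    print("dropped files on this host:", find_dropped_files("/"))
    print("injected library in sample dumps:", scan_process_maps({
        "com.android.vending": SAMPLE_MAPS_VENDING,
        "zygote": SAMPLE_MAPS_CLEAN,
    }))
```

On a rooted device the maps text comes from `cat /proc/<pid>/maps` for the Play, Play Services and Zygote processes; a clean process shows no igpld.so mapping at all, so any hit is worth escalating.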

The Trojan also monitors the device's status: when specific system events occur (e.g. the home screen becoming inactive, a change in network, or the charger being connected) it connects back to its control server and shares device information such as:

  • IMEI Number
  • MAC address
  • Operating System version
  • Smartphone model
  • System language
  • APK package name

Preventive Measures

Android users can protect themselves by keeping their antivirus database up to date and by installing only trusted applications.

Dr.Web recommends using Dr.Web for Android, which successfully detects all known modifications of these malicious programs.

Gurubaran is a PKI Security Engineer. Certified Ethical Hacker, Penetration Tester, Security blogger, Co-Founder & Author of GBHackers On Security.