Alternative mobile app markets have become a great place to find new games, utilities and other apps. But mostly they're great if you're looking for the latest stealthy Android malware. The newest example is a piece of malware called TGLoader that is showing up in repackaged legitimate apps and has the ability to get root privileges on victims' phones and also cost them quite a bit of money by sending SMS messages to premium-rate numbers.

The TGLoader malware has appeared in some alternative Android app markets recently, and researchers at North Carolina State University discovered and analyzed it, finding it has a wide range of capabilities. The malware uses the "exploid" root exploit to get root privileges on compromised phones, and from there it starts installing a variety of apps and Android code that are designed to perform a long list of malicious actions.

"After that, it further installed several payloads (including both native binary programs and Android apps) unbeknownst to users. The malware also listens to remote C&C servers for further instructions. Specifically, one particular 'phone-home' function supported in TGLoader is to retrieve a destination number and related message body from the C&C servers. Once received, it composes the message and sends it out in the background. This is a typical strategy that has been widely used in recent Android malware to send out SMS messages to premium-rate numbers," Xuxian Jiang, an assistant professor at NC State, wrote in an analysis of the new malware.

The TGLoader malware typically is found in otherwise legitimate apps that have been repackaged to include the malicious code. Once it's on the device, the malware will start a new service inside the compromised app, which will then be started every time the app is executed.

"Upon the execution, it will copy all of its payloads, including native binaries and embedded apks into the current directory. In the meantime, it will also launch the exploid root exploit to elevate its privilege. After getting the root privilege, it will copy enclosed native binary programs into the system partition. One particular native program will connect to the remote C&C servers with information collected in the infected phones and wait for instructions," Jiang wrote.
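The behaviour Jiang describes, a repackaged app carrying native binaries and embedded APKs as payloads and holding both network access (for the C&C channel) and SMS-sending rights, leaves static traces that can be checked before an APK from an alternative market is installed. The script below is an added example and is not code from the article or from the NC State researchers: it opens an APK as the zip file it is, sniffs every entry outside the directories where native code legitimately lives for ELF or nested-archive magic bytes, and combines that with the app's declared permissions. The sample APK is constructed in memory, and the permission list is passed in rather than decoded from the binary AndroidManifest.xml (assume it comes from a tool such as aapt).

```python
import io
import zipfile

ELF_MAGIC = b"\x7fELF"      # first four bytes of any ELF binary
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a zip/apk/jar

# Places where native code or signed metadata is expected in a normal APK;
# an ELF file or a nested archive anywhere else (assets/, res/raw/, ...)
# is the kind of hidden payload the article describes.
EXPECTED_PREFIXES = ("lib/", "META-INF/")


def find_embedded_payloads(apk_bytes: bytes) -> list:
    """Return (indicator, entry_name) pairs for payload-like zip entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or name.startswith(EXPECTED_PREFIXES):
                continue
            with zf.open(info) as fh:
                head = fh.read(4)          # magic bytes, not the extension
            if head == ELF_MAGIC:
                findings.append(("embedded-elf", name))
            elif head == ZIP_MAGIC:
                findings.append(("embedded-archive", name))
    return findings


def triage(apk_bytes: bytes, permissions: list) -> list:
    """Combine payload findings with the permission pairing that enables
    C&C-driven premium SMS: network access plus SEND_SMS."""
    indicators = [f"{kind}:{name}" for kind, name in find_embedded_payloads(apk_bytes)]
    perms = set(permissions)
    if {"android.permission.SEND_SMS", "android.permission.INTERNET"} <= perms:
        indicators.append("sms-plus-network")
    return indicators


def build_sample_apk(include_payloads: bool) -> bytes:
    """Constructed stand-in for a game APK; not a real package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00 constructed stand-in")
        zf.writestr("classes.dex", b"dex\n035\x00 constructed stand-in")
        # A native library under lib/ is normal and must not be flagged.
        zf.writestr("lib/armeabi/libgame.so", ELF_MAGIC + b"\x01\x01\x01 legit lib")
        if include_payloads:
            # Native binary parked under assets/ with an image extension.
            zf.writestr("assets/data.png", ELF_MAGIC + b"\x01\x01\x01 payload")
            # Nested APK (itself a zip) shipped as an opaque asset.
            nested = io.BytesIO()
            with zipfile.ZipFile(nested, "w") as inner:
                inner.writestr("classes.dex", b"dex\n035\x00")
            zf.writestr("assets/extra.bin", nested.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_apk(include_payloads=True)
    print(triage(suspicious, ["android.permission.INTERNET",
                              "android.permission.SEND_SMS"]))
    print(triage(build_sample_apk(False), ["android.permission.INTERNET"]))
```

The check is deliberately keyed on magic bytes rather than file names, since a payload renamed to look like an image or data file is exactly what a repackaged app would carry; lib/ and META-INF/ are skipped so that ordinary native libraries do not drown the signal.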
The researchers have not found the TGLoader malware in the official Android Market at this point. There have been a number of incidents in the last year or so with malware being found in apps in the Android Market, and Google has shown a willingness to pull those apps from the market, as well as from users' phones, when they're identified. But this incident has been confined to the alternative markets so far.
Courtesy Dennis Fisher