Android malware is no longer just about premium rate calls
Experts have been warning for some time about the increasing sophistication of mobile malware. Now FireEye has discovered a new variant of Android.MisoSMS — which was already an advanced information-stealing Android Trojan.
Like the original version of the malware, the new variant sends copies of users’ text messages to servers in China. But the newest rendition adds a few features that make it harder to detect, including a new disguise, encrypted transmissions, and command-and-control (CnC) communications that are handled natively rather than over email.
FireEye — Android.MisoSMS: It's back! Now with XTEA
The latest variant seeks to communicate with its C&C server — still located in China — via a selection of hardcoded public DNS servers. This helps defeat sandbox detection and analysis since sandboxes “typically use internal DNS servers and cut off access to outside networks,” explains FireEye. “If the malware cannot access the hard-coded DNS servers, it does nothing and is therefore not detected.”
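The evasion described above has an observable footprint on a real network: a handset that queries public resolvers directly instead of the network's own DNS. The following detection logic is an added example written for this page, not FireEye's code and not derived from the sample; the log format, the sanctioned resolver `10.0.0.2`, the `10.0.0.0/8` internal range and the `8.8.8.8`/`8.8.4.4` sample destinations are all constructed, and the public resolvers appearing in the sample are not a claim about which servers the malware hardcodes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of outbound connection records (assumed format:
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>").
# 10.0.0.2 plays the network's sanctioned resolver; 8.8.8.8 / 8.8.4.4 are
# well-known public resolvers used here only as sample data.
SAMPLE_LOG = """\
2014-03-10T10:00:01 udp 10.0.0.15:51234 -> 10.0.0.2:53
2014-03-10T10:00:02 udp 10.0.0.15:51235 -> 8.8.8.8:53
2014-03-10T10:00:02 udp 10.0.0.15:51236 -> 8.8.4.4:53
2014-03-10T10:00:03 tcp 10.0.0.15:51237 -> 203.0.113.7:443
2014-03-10T10:00:04 udp 10.0.0.22:40001 -> 10.0.0.2:53
2014-03-10T10:00:05 tcp 10.0.0.22:40002 -> 10.0.0.9:53
"""

# Assumed site policy: these are the only resolvers clients should talk to,
# and anything inside these prefixes counts as internal.
SANCTIONED_RESOLVERS = {"10.0.0.2"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Split one record into (proto, src_ip, dst_ip, dst_port)."""
    _ts, proto, src, _arrow, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto, src_ip, dst_ip, int(dst_port)


def is_internal(ip):
    """True if the address falls inside one of the configured internal prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_dns_clients(log_text):
    """Map each client that sent DNS to a non-sanctioned, external resolver
    to the sorted list of resolvers it contacted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _proto, src_ip, dst_ip, dst_port = parse_line(line)
        if dst_port != 53 or dst_ip in SANCTIONED_RESOLVERS or is_internal(dst_ip):
            continue
        hits[src_ip].add(dst_ip)
    return {ip: sorted(v) for ip, v in hits.items()}


if __name__ == "__main__":
    for client, resolvers in find_external_dns_clients(SAMPLE_LOG).items():
        print(f"{client} bypassed the sanctioned resolver via {', '.join(resolvers)}")
```

On the sample the report names only `10.0.0.15`, the host that went around the sanctioned resolver. The same property explains the sandbox caveat in the FireEye quote: an analysis environment that silently drops outbound port 53 never sees the sample's real behaviour, so a sandbox intended to trigger this family should answer external DNS queries (for example from an internal fake resolver) rather than black-hole them.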
A further new sophistication is the use of encryption — a variant of the XTEA encryption algorithm — in communication with the C&C server, which denies simple content-matching on the wire. Taken together, these changes mark malware designed to infiltrate and persist unnoticed.
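For an analyst who has pulled the key out of the APK, the practical task is decrypting captured C&C traffic. Below is an added example, not FireEye's code and not the malware's own routine: it implements standard XTEA (32 rounds, delta 0x9E3779B9, big-endian 32-bit halves), so the constants and round count would need adjusting to match whatever variant a given sample uses. The ECB-with-PKCS#7 framing, the `SAMPLE_KEY` and the `SAMPLE_RECORD` are assumptions constructed for the demo, not the real key, data or message format.

```python
import struct

DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF
BLOCK = 8


def _key_words(key_bytes):
    """Split a 16-byte key into the four 32-bit words XTEA schedules from."""
    if len(key_bytes) != 16:
        raise ValueError("XTEA needs a 128-bit key")
    return struct.unpack(">4I", key_bytes)


def xtea_encrypt_block(block, k, rounds=32):
    """Standard XTEA on one 8-byte block (two 32-bit halves, big-endian)."""
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def xtea_decrypt_block(block, k, rounds=32):
    """Inverse of xtea_encrypt_block: walk the key schedule backwards."""
    v0, v1 = struct.unpack(">2I", block)
    s = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def _pad(data):
    """PKCS#7 padding to the 8-byte block size (assumed framing)."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding (wrong key or corrupted data)")
    return data[:-n]


def xtea_encrypt(data, key_bytes):
    """ECB over PKCS#7-padded data; the mode is a demo assumption."""
    k = _key_words(key_bytes)
    padded = _pad(data)
    return b"".join(xtea_encrypt_block(padded[i:i + BLOCK], k)
                    for i in range(0, len(padded), BLOCK))


def xtea_decrypt(data, key_bytes):
    """Decrypt a capture produced by xtea_encrypt; raises on bad padding."""
    if len(data) % BLOCK:
        raise ValueError("ciphertext is not a whole number of blocks")
    k = _key_words(key_bytes)
    plain = b"".join(xtea_decrypt_block(data[i:i + BLOCK], k)
                     for i in range(0, len(data), BLOCK))
    return _unpad(plain)


# Constructed sample: a placeholder key and an SMS-like record. Neither is
# the malware's real key or data.
SAMPLE_KEY = bytes(range(16))
SAMPLE_RECORD = b"from=+15555550100;body=your code is 123456"

if __name__ == "__main__":
    ct = xtea_encrypt(SAMPLE_RECORD, SAMPLE_KEY)
    print("wire bytes:", ct.hex())
    print("recovered :", xtea_decrypt(ct, SAMPLE_KEY))
```

Running it shows the encrypted bytes that would cross the wire (no readable phone number or message body) and the record recovered with the key. With a real sample, swap in the recovered key, the variant's constants and the actual framing; the padding check in `_unpad` is what tells you a guessed key or round count is wrong before you trust the output.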
It suggests, warns FireEye, “that cyber attackers are increasingly eyeing mobile devices — and the valuable information they store — as targets. It also serves as a vivid reminder of how crucial protecting this threat vector is in today’s mobile environment.”