voyager624 - Fotolia
New Android Trojan horse malware discovered by Trustlook Labs uses code obfuscation to steal data from Facebook Messenger, Skype and other instant messaging apps. How does this Trojan obfuscate its code to evade detection? What should antimalware or mobile security pros be looking for to detect this malware?
One of the key aspects of most modern malware is the use of some sort of obfuscation technique to evade detection by antimalware or endpoint security tools. When antivirus tools relied on static blacklists, it was easier to just change something in the source code, recompile the malware and start using it, as it would probably bypass the blacklist.
Modern malware uses many different obfuscation techniques, like encryption of the binaries, using legitimate software already installed on the endpoint and downloading functionality from supporting binaries as needed to evade detection. Malware may only decrypt or download the part of the code that is needed for the specific stage of the attack to increase the difficulty of analyzing each stage. This goes along with the anti-debugging functionality where malware will abort or function differently if it detects it's in a sandbox, virtual machine or being debugged to make it more difficult to identify changes it has made on an endpoint or how it establishes persistence.
Command-and-control (C&C) servers use their own evasion techniques, such as using custom protocols, using nonstandard ports and putting the C&C payload in unexpected places, like in a domain name system packet, to minimize the chance of being detected. All of these steps increase the difficulty and amount of resources needed to identify malware and determine how to effectively block it.
Trustlook Labs recently blogged about a new piece of Android Trojan horse mobile malware that was discovered using hidden, malicious code to copy and steal user information from messaging apps. Researchers didn't mention how the Android Trojan was initially identified, making it difficult to know how the malware was targeted.
However, this Android Trojan horse malware is known to target several messaging apps, such as Twitter, Viber, Skype and Facebook Messenger, to send the contents of messages to its C&C server. The Android malware then obfuscates its code to evade detection by encrypting the configuration file, modules used and even individual functions. It then checks to see if it's on an emulator or debugger and, if it determines that it is being analyzed, it will exit to prevent analysis.
Trustlook Labs mentions several indicators of compromise, such as the hash of the malware or the IP used by the C&C, which can be used to detect this specific version of the malware.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Network security
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading