A malware intelligence analyst has uncovered a sophisticated Android Trojan dropper that can install malware onto devices, bypassing any traditional defences.
Malwarebytes senior malware intelligence analyst Nathan Collier said the dropper can install malicious files into either the raw or the assets folder in the Android Application Package (APK) of a device.
"Trojan.Dropper.RealShell uses several files stored in the Assets folder to build another APK. It accomplishes this by reading from the files found in the Assets folder and then writing them into a single file with the extension .lock," Collier wrote on his blog.
"The .lock file is an Android RandomAccessFile which means it has the ability to read lines from one file, and then write them in a random or manually assigned sequence to another file."
When the process is complete, a new APK file is produced. But this new file is different to a normal APK file because it doesn't have a manifest file or anything else that helps it run. It uses the manifest file and resources from the parent APK that built it to run, with the help of DexClassLoader so it can work without using code installed on the device.
This newly built app then creates another APK containing PUP.RiskPay.Skymobi, an untrustworthy SMS payment SDK which is dropped into libraries stored in the parent API so it can build a new PUP.RiskPay.Skymobi app, complete with its own manifest files and resources to make it run.
Collier said: "Obfuscation in mobile malware is nothing new, but the tactics are becoming more complex. This just shows that there is becoming more of a focus on mobile in the malware industry.
"As more people replace PCs with tablets, smartphones, and other Android devices we fully expect this trend of more complex obfuscation on mobile malware to continue."
