Dropper RealShell shows malware devs are getting smarter

The Android Trojan dropper can avoid existing defences to install malicious files on Android devices

A malware intelligence analyst has uncovered a sophisticated Android Trojan dropper that can install malware onto devices while bypassing traditional defences.

Malwarebytes senior malware intelligence analyst Nathan Collier said the dropper carries its malicious payload as files hidden in either the raw or the assets folder of its own Android Application Package (APK), rather than as an obvious executable.


"Trojan.Dropper.RealShell uses several files stored in the Assets folder to build another APK. It accomplishes this by reading from the files found in the Assets folder and then writing them into a single file with the extension .lock," Collier wrote on his blog.

"The .lock file is an Android RandomAccessFile which means it has the ability to read lines from one file, and then write them in a random or manually assigned sequence to another file."

When the process is complete, a new APK file is produced. But this new file differs from a normal APK: it has no manifest file or anything else that would let it run on its own. Instead it borrows the manifest file and resources of the parent APK that built it, and the parent loads its code at runtime with DexClassLoader, so the payload runs without ever being installed on the device as an app.

This newly built code then creates another APK, this time containing PUP.RiskPay.Skymobi, an untrustworthy SMS payment SDK. Using libraries stored in the parent APK, it assembles a complete PUP.RiskPay.Skymobi app with its own manifest file and resources, so this final stage can run on its own.
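The traits described above (payload fragments in assets or raw, a DEX or APK that only exists once those fragments are stitched together, and a parent that references RandomAccessFile and DexClassLoader) are exactly what a triage script can look for before the dropper ever runs. The script below is an added example written for this page; it is not Malwarebytes' code and it does not reproduce RealShell. The fragment naming, the assumption that fragments concatenate in name order, and the sample APK it builds are all constructed for illustration; a real dropper picks its own stitching order, so the concatenation check is a heuristic and the loader-reference check is the more reliable signal.

```python
import io
import re
import zipfile

# Directories RealShell used to stash its fragments (assets/ or res/raw/).
PAYLOAD_DIRS = ("assets/", "res/raw/")
# Header of a DEX file: "dex\n035\0" through "dex\n039\0".
DEX_MAGIC_RE = re.compile(rb"dex\n03[5-9]\x00")
ZIP_MAGIC = b"PK\x03\x04"  # an APK is a ZIP container
# Classes a dropper needs to stitch a payload and load it at runtime.
LOADER_REFS = (b"Ldalvik/system/DexClassLoader;", b"Ljava/io/RandomAccessFile;")


def classify(blob):
    """Return 'dex' or 'zip' if blob starts with that header, else None."""
    if DEX_MAGIC_RE.match(blob):
        return "dex"
    if blob.startswith(ZIP_MAGIC):
        return "zip"
    return None


def scan_apk(apk_bytes):
    """Heuristic triage of one APK; returns a list of findings (empty means nothing suspicious)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = sorted(n for n in zf.namelist()
                       if n.startswith(PAYLOAD_DIRS) and not n.endswith("/"))
        blobs = {n: zf.read(n) for n in names}

        # 1. A whole DEX or APK sitting in a payload directory, or a DEX header
        #    buried inside a file that is not itself a DEX (a fragment).
        for name, blob in blobs.items():
            kind = classify(blob)
            if kind:
                findings.append(f"{name}: bare {kind} file in payload directory")
            elif DEX_MAGIC_RE.search(blob):
                findings.append(f"{name}: DEX header inside non-DEX file (fragment)")

        # 2. Fragments that only form a DEX/ZIP once concatenated.
        #    Name order is an assumption for this example; the real dropper
        #    chooses the order itself, so a miss here is not proof of absence.
        if names and not any(classify(b) for b in blobs.values()):
            kind = classify(b"".join(blobs[n] for n in names))
            if kind:
                findings.append(f"{len(names)} payload files concatenate into a {kind} file")

        # 3. Code in the parent that would perform the stitching and runtime loading.
        if "classes.dex" in zf.namelist():
            dex = zf.read("classes.dex")
            for ref in LOADER_REFS:
                if ref in dex:
                    findings.append(f"classes.dex references {ref.decode()}")
    return findings


def build_sample_apk():
    """Constructed sample APK: two fragments that only form a DEX header once joined."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder, not real binary XML
        # Fake classes.dex carrying the class references a stitching dropper would need.
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32
                    + b"Ldalvik/system/DexClassLoader;" + b"Ljava/io/RandomAccessFile;")
        zf.writestr("assets/part0", b"de")                        # first fragment
        zf.writestr("assets/part1", b"x\n035\x00" + b"\x00" * 16)  # second fragment
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(finding)
```

Run it against a real APK by passing the file's bytes to scan_apk; the fragment check is the noisy part (legitimate apps ship odd binary assets), while a DexClassLoader reference combined with non-DEX binary blobs in assets is worth a closer look with a proper decompiler.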


Collier said: "Obfuscation in mobile malware is nothing new, but the tactics are becoming more complex. This just shows that there is becoming more of a focus on mobile in the malware industry.

"As more people replace PCs with tablets, smartphones, and other Android devices we fully expect this trend of more complex obfuscation on mobile malware to continue."
