Dropper RealShell shows malware devs are getting smarter
The Android Trojan dropper can avoid existing defences to install malicious files on Android devices
A malware intelligence analyst has uncovered a sophisticated Android Trojan dropper that can install malware onto devices, bypassing any traditional defences.
Malwarebytes senior malware intelligence analyst Nathan Collier said the dropper can install malicious files into either the raw or the assets folder in the Android Application Package (APK) of a device.
"Trojan.Dropper.RealShell uses several files stored in the Assets folder to build another APK. It accomplishes this by reading from the files found in the Assets folder and then writing them into a single file with the extension .lock," Collier wrote on his blog.
"The .lock file is an Android RandomAccessFile which means it has the ability to read lines from one file, and then write them in a random or manually assigned sequence to another file."
When the process is complete, a new APK file is produced. But this new file is different to a normal APK file because it doesn't have a manifest file or anything else that helps it run. It uses the manifest file and resources from the parent APK that built it to run, with the help of DexClassLoader so it can work without using code installed on the device.
This newly built app then creates another APK containing PUP.RiskPay.Skymobi, an untrustworthy SMS payment SDK which is dropped into libraries stored in the parent API so it can build a new PUP.RiskPay.Skymobi app, complete with its own manifest files and resources to make it run.
Collier said: "Obfuscation in mobile malware is nothing new, but the tactics are becoming more complex. This just shows that there is becoming more of a focus on mobile in the malware industry.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"As more people replace PCs with tablets, smartphones, and other Android devices we fully expect this trend of more complex obfuscation on mobile malware to continue."
Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.