Researchers at Symantec have discovered a new piece of Android malware that drops and runs a firewall binary called DroidWall on compromised devices to prevent security applications from connecting to their services.
Dubbed Android.Spywaller by Symantec, the malware initially behaves like other mobile threats by hiding its icon in an attempt to cover its track and by releasing an encrypted payload containing the malware service logic and loading it into memory. As soon as the threat has been installed on a compromised device, it displays a “Google Service” icon on the device, although the Internet giant doesn’t offer such a product.
The malware then attempts to root the device and start collecting sensitive information while running in the background. All of the information the malware collects from the device is then sent to a backend server, Symantec explained in a recent blog post.
While this behavior has been seen before in mobile threats, Symantec’s researchers note that the new malware stands out because of another method discovered in its reverse payload which checks to see if the Qihoo 360 mobile security app is installed on the device and then block it.
The Qihoo 360 application is popular in China and has a unique identifier (UID) on each device, and the malware collects the identifier if the program is installed. Next, Android.Spywaller drops and runs the DroidWall firewall binary, which is a customized version of iptables for Android. This allows it to create firewall rules that will block the targeted security application by referencing its UID.
Developed by Rodrigo Rosauro as an open source app to help users protect their devices, DroidWall was sold to AVAST in 2011, but its source code is still available from Google Code and Github. Although it was initially designed in the form of a security tool, DroidWall can be used by cybercriminals to compromise user security.
For the time being, the malware is targeted at users in China, where a higher proportion of devices are rooted and more exposed to malware since official Google services are not available in the country.
In addition to blocking Qihoo 360, the malware also attempts to exfiltrate sensitive data from compromised devices, including system-based personally identifying information (PII) such as call logs, SMS, GPS readings, system browser data, emails, radio, images, and contacts.
At the same time, the spyware is collecting data belonging to specific third-party communication applications, including BlackBerry Messenger, Oovoo, Coco, QQ, SinaWeibo, Skype, Talkbox, TencentWeibo, Voxer, Wechat, WhatsApp, and Zello. According to Symantec, the list of data gathered by this malware ranks it among the most comprehensive spyware to date.
The infection numbers are currentyl relatively low, but the threat is worth noting because its authors are using legitimate tools for malicious purposes. To stay protected, users should install a security solution that can block mobile threats, should keep their software updated at all times, and should make sure they install apps only from trusted sources.