Analysts of the company “Doctor Web” warned of the emergence of new Trojans of the family Android.Xiny. Now malware can be introduced into the process of system application and load the program to exploit various malicious plug-ins.
the Researchers write that the observation of Trojans of the family Android.Xiny is in March 2015. All this time malware actively spreading via various sites – collections of software for mobile devices and even through the official application catalogs.
Getting on the Android device, the Trojan Android.Xiny trying to get root access to silently download and install various software, as well as to show advertisements. One of the features of this family malware from the very beginning was a unique mechanism to protect from deletion. It is based on the fact that the Trojan apk-files are assigned the attribute “read-only” (immutable).
Now the attackers are still improved Trojans Xiny and added the ability to infiltrate (inject) in the processes of system programs to run on their behalf various malicious plug-ins.
One of these updated Trojans, examined by the specialists of “Doctor Web” has been Android ID.Xiny.60. It is installed in the system directory mobile devices of other members of the family Android.Xiny. After the launch of Android.Xiny.60 extracts from their file resources several auxiliary Trojans and copies them to system directories:
Next, using the module igpi (Android.Xiny.61) Trojan performs the injection of the library igpld.so based Android.Xiny.62) in the processes of system Google Play app com.android.vending) and Google Play Services (com.google.android.gms co.google.android.gms.persistent). In addition, the introduction of this malicious module can run in the system process zygote, but in the current version of the Trojan, this function is not used.
At the infection of the zygote process on Android.Xiny.62 starts monitoring the start of new applications. As a result, if the Trojan detects the newly launched process, it injects a malicious module igpi.jar Android.Xiny.60). The same module is applied after contamination of process system applications Google Play and Google Play Services.
the Main task of the module igpi.jar – download preset attackers malicious plugins and run them in the context of infected programs. The module monitors the status of the mobile device and upon the occurrence of certain system events (for example, turn on or off the screen, change the connection status to the network, connection or disconnection of the charger and several others) is connected to the command and control server where it sends the following information about the infected smartphone or tablet
- MAC address of the network adapter;
- OS version;
- the model name of the mobile device;
- language system;
- the name of the software package, inside of which operates malware.
In turn, Android.Xiny.60 may download and run malicious plugins, which after downloading will work as part of a of the attacked application. Researchers have not yet documented the spread of such malicious modules, however, if malefactors will, Android.Xiny.60 will be able to attack users in many programs. For example, if the Trojan to penetrate into the process Google Play, it will be able to load the module for installation. If your process of any messenger, Android.Xiny.60 can intercept and send messages. But if the Trojan to penetrate into the process of Bank program, after running the necessary plugin he will be able to steal confidential information (usernames, passwords, credit card numbers, and so on) and even discreetly transfer money to the accounts of the intruders.