Alternative mobile app markets have become a great place to find new games, utilities and other apps. But mostly they’re great if you’re looking for the latest stealthy Android malware. The newest example is a piece of malware called TGLoader that is showing up in repackaged legitimate apps; it can gain root privileges on victims’ phones and also cost them quite a bit of money by sending SMS messages to premium-rate numbers.
The TGLoader malware has appeared in some alternative Android app markets recently, and researchers at North Carolina State University discovered and analyzed it, finding that it has a wide range of capabilities. The malware uses the “exploid” root exploit to gain root privileges on compromised phones, and from there it installs a variety of apps and Android code designed to perform a long list of malicious actions.
“After that, it further installed several payloads (including both native binary programs and Android apps) unbeknownst to users. The malware also listens to remote C&C servers for further instructions. Specifically, one particular ‘phone-home’ function supported in TGLoader is to retrieve a destination number and related message body from the C&C servers. Once received, it composes the message and sends it out in the background. This is a typical strategy that has been widely used in recent Android malware to send out SMS messages to premium-rate numbers,” Xuxian Jiang, an assistant professor at NC State, wrote in an analysis of the new malware.
The TGLoader malware is typically found in otherwise legitimate apps that have been repackaged to include the malicious code. Once it’s on the device, the malware registers a new service inside the compromised app, and that service is then started every time the app runs.
“Upon the execution, it will copy all of its payloads, including native binaries and embedded apks into the current directory. In the meantime, it will also launch the exploid root exploit to elevate its privilege. After getting the root privilege, it will copy enclosed native binary programs into the system partition. One particular native program will connect to the remote C&C servers with information collected in the infected phones and wait for instructions,” Jiang wrote.
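The packaging Jiang describes above (native binaries and embedded APKs hidden inside a repackaged app) can be spotted with a simple static triage pass over the APK archive. The following is an added example, not code from the NC State analysis; the heuristic, the file names in the constructed sample and the assumption that legitimate native code lives only under `lib/<abi>/*.so` are all mine.

```python
import io
import zipfile

ELF_MAGIC = b"\x7fELF"   # first bytes of every ELF binary
ZIP_MAGIC = b"PK\x03\x04"  # first bytes of a zip/apk with at least one entry


def triage_apk(apk_bytes):
    """Scan an APK (a zip archive) for payloads stashed outside lib/.

    Heuristic only: apps that ship native code normally keep it under
    lib/<abi>/*.so. ELF binaries or nested APKs anywhere else (assets/,
    res/raw/, disguised as images, ...) match the layout the TGLoader
    analysis describes and deserve a closer look.
    """
    findings = {"embedded_elf": [], "embedded_apk": [], "lib_so": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(4)  # content magic, not the file extension
            if name.startswith("lib/") and name.endswith(".so"):
                findings["lib_so"].append(name)
            elif head == ELF_MAGIC:
                findings["embedded_elf"].append(name)
            elif head == ZIP_MAGIC:
                findings["embedded_apk"].append(name)
    findings["suspicious"] = bool(findings["embedded_elf"] or findings["embedded_apk"])
    return findings


def build_sample_apk():
    """Constructed sample archive (not a real app) mimicking the described layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder bytes
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("lib/armeabi/libgame.so", ELF_MAGIC + b"\x01\x01\x01")  # normal
        zf.writestr("assets/data/exploid", ELF_MAGIC + b"\x01\x01\x01")      # hidden ELF
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as nested:
            nested.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("assets/img/theme.png", inner.getvalue())  # apk disguised as png
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```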
The researchers have not found the TGLoader malware in the official Android Market at this point. There have been a number of incidents in the last year or so in which malware was found in Android Market apps, and Google has shown a willingness to pull those apps from the market, as well as from users’ phones, once they’re identified. But this incident has been confined to the alternative markets so far.