Ever-Evolving Trojan Devices Infects Android Systems


The Trojan known as Android.Xiny continues to evolve, and in its most recent iteration, Xiny has gained the ability to infect a core Android system process that facilitates and hides its malicious behavior, making the uninstallation process many times more difficult.

The first versions of Android.Xiny appeared in March 2015, and just like all malware in its beginnings, these versions were trivial to detect and with minimal features.

But Xiny evolved, and in January 2016, security researchers were reporting about new stealth features that allowed the Trojan to pass through Google’s security scans and make its way inside the Play Store, disguised inside 60 apps.

At that particular point in time, the Trojan relied on tricking users into giving those apps root privileges in order to function. Once users granted Xiny admin rights, the Trojan would show ads, install other apps, or steal data from the device and hide it inside PNG images via a technique called steganography. 

Xiny doesn’t ask users for admin rights anymore. It takes them by force Dr. Web, a Russian security firm, says recent versions of this Trojan don’t bother asking users for admin privileges but come with an exploit package that gets these rights by rooting the device.

The security vendor says these versions haven’t been spotted in live & distributed apps, but appear to be a test version on which the crooks are still working.

But rooting the device is not the most dangerous function. Researchers also say Android.Xiny will install rogue modules inside Android system directories, which it will use to infect Zygote, one of Android’s core processes.

Android.Xiny hijacks Android’s Zygote process

With control over Zygote, Xiny then injects other packages in other applications. For example, researchers say they’ve found functionality in Xiny’s code to infect the Google Play app, which it uses to install other apps on the system, without the user’s consent.

Further, Xiny can also inject the processes of IM chat application, and intercept or send messages. The Trojan also targets banking or other financial apps and uses its root privileges to show a fake login page and collect user credentials.
Android.Xiny is not the first Android Trojan that infected Android’s Zygote process. In February, ant-virus experts at Dr. Web also discovered Android.Loki, which behaves in a similar way, by rooting the device and infecting Zygote to install unwanted apps on the user’s device, for the crook’s monetary gain.

LetsTalkNow
 

 

« Cybersecurity Start-Ups Working With GCHQ
Five Technologies Changing Our lives In Five Years »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Bastille

Bastille

Bastille’s patented software and security sensors bring visibility to devices emitting radio signals (Wi-Fi, cellular, IoT) in your organization.

Karamba Security

Karamba Security

Karamba provide an IoT Security solution for ECUs in automobiles which ensures that all cars are protected (not just autonomous cars).

Venable

Venable

Venable is an American Lawyer 100 law firm with nine offices across the USA, Practice areas include Cybersecurity.

OpenText

OpenText

OpenText is a leader in Enterprise Information Management software and a portfolio of related solutions for Information Governance, Compliance, Information Security and Privacy.

Puleng Technologies

Puleng Technologies

Puleng provides customers with a client-centric strategy to manage and secure the two most valuable assets an organisation has - its Data and Users.

Ziroh Labs

Ziroh Labs

Ziroh Labs leverages advanced cryptography to keep your highly sensitive, private data safe throughout the lifecycle of data.

Netsecurity AS

Netsecurity AS

Netsecurity is a Norwegian owned company focused and specialised within IT security and cybersecurity-as-a service.

Mphasis

Mphasis

Mphasis is a leading applied technology services company applying next-generation technology to help enterprises transform businesses globally.

UK Cyber Security Association (UKCSA)

UK Cyber Security Association (UKCSA)

The UK Cyber Security Association (UKCSA) is a membership organisation for individuals and organisations who actively work in the cyber security industry.

DeepFactor

DeepFactor

DeepFactor is the industry’s first Continuous Observability platform enabling Engineering and AppSec teams to find and triage RUNTIME security, privacy, and compliance risks in your applications.

Probity

Probity

Probity Inc. is a certified software development and systems engineering company, providing support to federal government and national defense related clients.

Cylab - Carnegie Mellon University

Cylab - Carnegie Mellon University

Carnegie Mellon University CyLab is the University's security and privacy research institute.

Proximus Ada

Proximus Ada

Proximus Ada is the first Belgian center of excellence combining artificial intelligence and cybersecurity.

Mogwai Labs

Mogwai Labs

Mogwai Labs deliver cutting-edge penetration tests, security assessments and trainings, to safeguard your applications, networks and cloud environments from cyber threats.

KTrust

KTrust

KTrust provides Continuous Threat Exposure Management for Kubernetes environments.

Jersey Cyber Security Centre (JCSC)

Jersey Cyber Security Centre (JCSC)

Jersey Cyber Security Centre is the jurisdiction's Cyber Emergency Response Team (CERT) and national technical authority for cyber security.