Alternative mobile app markets have become a great place to find new games, utilities and other apps.
In addition, they are great if you’re looking for the latest stealthy Android malware. The newest example is a piece of malware called TGLoader, which shows up in repackaged legitimate apps, can gain root privileges on victims’ phones and can cost them quite a bit of money by sending SMS messages to premium-rate numbers.
The TGLoader malware has appeared in some alternative Android app markets recently, and researchers at North Carolina State University discovered and analyzed it, finding it has a wide range of capabilities.
The malware uses the “exploid” root exploit to get root privileges on compromised phones, and from there it starts installing a variety of apps and Android code designed to perform a long list of malicious actions.
“After that, it further installed several payloads (including both native binary programs and Android apps) unbeknownst to users,” said Xuxian Jiang, an assistant professor at NC State. “The malware also listens to remote C&C servers for further instructions. Specifically, one particular ‘phone-home’ function supported in TGLoader is to retrieve a destination number and related message body from the C&C servers. Once received, it composes the message and sends it out in the background. This is a typical strategy that has been widely used in recent Android malware to send out SMS messages to premium-rate numbers.”
The TGLoader malware typically arrives in otherwise legitimate apps that have been repackaged to include the malicious code. Once it’s on the device, the malware starts a new service inside the compromised app, and that service then runs every time the app is launched.
“Upon the execution, it will copy all of its payloads, including native binaries and embedded apks into the current directory. In the meantime, it will also launch the exploid root exploit to elevate its privilege. After getting the root privilege, it will copy enclosed native binary programs into the system partition. One particular native program will connect to the remote C&C servers with information collected in the infected phones and wait for instructions,” Jiang said.
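The dropper behavior Jiang describes, a host app carrying native binaries and extra APKs that it copies out at runtime, is something a defender can triage for directly in a repackaged app. The following is an added example written for this article, not tooling from the NC State researchers: a constructed, in-memory APK mimicking a repackaged host app is scanned for ELF binaries outside the normal lib/ tree and for archives nested under assets/. The entry names (for instance the asset called exploid) are constructed for the sample and are not indicators from the original analysis.

```python
import io
import zipfile

# Constructed triage heuristic (not the researchers' tooling): TGLoader ships its
# payloads (native binaries and additional APKs) inside a repackaged host app,
# so flag archive entries that look like such embedded payloads.
ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"

def suspicious_payloads(apk_bytes):
    """Return a list of (entry name, reason) for entries that look like dropped payloads."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.endswith("/"):
                continue  # directory entry, nothing to inspect
            with z.open(name) as entry:
                head = entry.read(4)
            # Legitimate native code lives under lib/<abi>/; an ELF anywhere else is unusual.
            if head == ELF_MAGIC and not name.startswith("lib/"):
                findings.append((name, "ELF binary outside lib/"))
            # A zip/APK nested in the app (often renamed) is a classic dropper pattern.
            elif head == ZIP_MAGIC and (name.lower().endswith(".apk") or name.startswith("assets/")):
                findings.append((name, "embedded APK/zip archive"))
    return findings

def build_sample_apk():
    """Constructed sample mimicking a repackaged app that carries extra payloads."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as nested:          # a real nested archive
        nested.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        z.writestr("lib/armeabi/libgame.so", ELF_MAGIC + b"\x00" * 16)  # legitimate native lib
        z.writestr("assets/exploid", ELF_MAGIC + b"\x00" * 16)          # constructed: root exploit payload
        z.writestr("assets/data.dat", inner.getvalue())                # constructed: renamed embedded APK
        z.writestr("assets/readme.txt", b"hello")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, why in suspicious_payloads(build_sample_apk()):
        print(f"{entry}: {why}")
```

On a real sample the same function can be pointed at the APK file's bytes; a hit is a reason to inspect the app further, not proof of infection, since some legitimate apps also bundle secondary archives.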
The researchers have not found the TGLoader malware in the official Android Market at this point. There have been incidents in the last year of malware in apps in the Android Market, and Google has shown a willingness to pull those apps from the market, as well as from users’ phones, once they are identified.