An upgraded Android trojan dropper capable of dodging traditional defences has been uncovered by researchers at Malwarebytes.
Malwarebytes senior malware intelligence analyst Nathan Collier reported in a blog post that the Dropper RealShell tool is further proof that malware developers are creating increasingly complex attack strategies.
"Every Android Application Package (APK) has resources in it. Resources are folders and files within the APK that the app uses to run. There are two folders that are optional folders within an APK. One is the 'raw' folder which is stored within a folder named 'res'," Collier explained to V3.
"The 'res' folder always exists. Another optional folder is the 'Assets' folder stored at the root of the APK. Many trojan droppers simply store a malicious APK within the Assets or raw folder, then drop it onto the Android device once installed."
Droppers are programs designed to install unwanted or malicious files onto victim systems without the device owner's knowledge.
Traditional Android trojan droppers hide a complete payload APK inside the Android application package, but Collier said the upgraded version is more complex: rather than storing the payload whole, it assembles it from several separate files at run time.
"Instead of having the full APK stored, it instead builds the APK by concatenating several files together. The files it uses are stored in the Assets folder. It does this to obfuscate the fact that it's a dropper," he said.
"If you looked in the Assets folder of Dropper RealShell, all you would see is the files it uses to build the APK. These files at first glance just look like random junk files. Only by looking deeper into the code do you realise its true intentions."
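The assembly technique Collier describes, and a triage check for it, as an added example (this is not Malwarebytes' code and not the dropper's own logic). Both dropper layouts are constructed in memory: a classic dropper with a whole payload under assets/, and a RealShell-style one whose assets are fragments that only become a zip once concatenated. The fragment naming (part000.dat, ...), reassembly in filename order, and the placeholder payload contents are all assumptions made for the example; a real analysis recovers the fragment order from the dropper's code.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature that opens every APK/zip


def make_payload_apk() -> bytes:
    """Constructed stand-in for the dropped payload: a small zip with a fake
    manifest and classes.dex. Contents are placeholders, not real DEX code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 200)
    return buf.getvalue()


def make_classic_dropper(payload: bytes) -> bytes:
    """Constructed 'traditional' dropper: the payload APK sits whole under assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/payload.apk", payload)
    return buf.getvalue()


def make_fragmented_dropper(payload: bytes, chunk_size: int = 64) -> bytes:
    """Constructed RealShell-style dropper: the payload is cut into fragments
    stored as separate assets, so no single asset is a recognisable APK.
    The partNNN.dat naming and name-order layout are assumptions for this
    example; the article gives no naming scheme."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        for off in range(0, len(payload), chunk_size):
            z.writestr(f"assets/part{off // chunk_size:03d}.dat",
                       payload[off:off + chunk_size])
    return buf.getvalue()


def is_complete_zip(data: bytes) -> bool:
    """True only for a blob that is a whole, readable zip: it starts with a
    local file header and its central directory and end record check out.
    A fragment that merely contains a PK signature, or a truncated zip,
    returns False (zipfile.is_zipfile alone is too lenient for this)."""
    if not data.startswith(ZIP_LOCAL_HEADER):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.testzip() is None and bool(z.namelist())
    except zipfile.BadZipFile:
        return False


def scan_assets(apk: bytes) -> dict:
    """Triage an APK's assets/ folder for both dropper styles:
      1. any asset that is itself a complete zip (classic dropper);
      2. whether the remaining assets, concatenated in filename order, form
         a zip (RealShell-style assembly). Filename order is an assumption;
         in a real sample the order comes from the dropper's own code."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = sorted(n for n in z.namelist()
                       if n.startswith("assets/") and not n.endswith("/"))
        blobs = {n: z.read(n) for n in names}
    embedded = [n for n in names if is_complete_zip(blobs[n])]
    fragments = [n for n in names if n not in embedded]
    joined = b"".join(blobs[n] for n in fragments)
    assembled = is_complete_zip(joined)
    contents = []
    if assembled:
        with zipfile.ZipFile(io.BytesIO(joined)) as z:
            contents = z.namelist()
    return {
        "asset_count": len(names),
        "embedded_zips": embedded,
        "fragments": fragments,
        "fragments_form_zip": assembled,
        "assembled": joined if assembled else b"",
        "assembled_contents": contents,
    }


if __name__ == "__main__":
    payload = make_payload_apk()
    for label, sample in (("classic", make_classic_dropper(payload)),
                          ("fragmented", make_fragmented_dropper(payload))):
        result = scan_assets(sample)
        print(label, result["embedded_zips"], result["fragments_form_zip"],
              result["assembled_contents"])
```

Run against the constructed samples, the classic dropper is caught by the first check (one asset is a complete zip) while the fragmented one is caught only by the second: every individual asset fails `is_complete_zip`, but their concatenation is a valid APK containing a classes.dex. The strict check matters because a trailing fragment still carries the zip end-of-central-directory record and would satisfy a looser signature test.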
Malwarebytes said it has yet to see evidence of hackers actively using the dropper to spread malware; so far its operators are instead pushing Potentially Unwanted Programs (PUPs).
"The development of Dropper RealShell surely took quite a bit of time by skilled malware developers. It is doubtful that a hacker would take the time to replicate what Dropper RealShell does," Collier told V3.
"Right now, Dropper RealShell is dropping a payload of a PUP that is PUP.RiskPay.Skymobi, a shady SMS payment SDK. It is more of a concern that the malware developers will continue to use this technique, but drop payloads that are more dangerous than just a PUP."
The dropper is one of many sophisticated defence-dodging attack tools to be uncovered in recent months.
Researchers at Symantec reported earlier in June that hackers targeted almost 200,000 computers using a dangerous, upgraded, 'file-less' version of the Poweliks malware over the past six months.