Computer criminals have been identified spreading new Dual Instance malware that steals the Twitter account credentials of compromised users.
Dual Instance Malware Plagues Users
Do you often use applications that require registration through various social networks? Many Internet services now let users log in through Facebook, Twitter and other popular social networks to simplify registration. It appears that computer criminals have turned this to their advantage.
Hackers have created and spread a new Dual Instance application that steals its victims' Twitter account credentials. The malware employs the Dual Instance technique, which lets a user run more than one instance of a mobile application at the same time, to trick users into installing and using it.
The captured samples of the dangerous program were obtained from an online chat group originating in China. Some web sites cannot be accessed freely from the country, so users turn to unofficial apps that use proxies or VPN connections to reach these services. However, these crafted replacement applications have been found to contain malicious code. While legitimate programs with this feature exist, it is easy to distribute malicious copies or counterfeit apps through the many third-party repositories that Chinese users commonly rely on.
The rogue Android app overcomes some of the mobile operating system's security features, such as the sandboxing mechanism. Its developers have built in several aspects that mimic the official Twitter app, including a forged certificate that is almost identical to that of the official client.
The behavior of the Dual Instance rogue app is interesting. The malware hides its package in the assets directory of the original Twitter client and uses a very similar package name to deceive the user. When the app is started, the data.apk file is extracted and loaded. This brings up a VirtualCore environment, which allows the app to run an embedded application without actually installing it.
VirtualCore is an open-source solution that is popular with app developers. The malware's logic is to infiltrate the device using this sophisticated approach. Careful code analysis of the rogue app shows that its aim is to capture the victims' account credentials, namely their username and password. These are written to a file and then sent to the remote attackers. Interestingly, the app sets up a local VPN service before the Twitter app actually runs on the device. This extra step makes delivery of the stolen information much more effective.
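As an added illustration (not code from the article or from any analysis it cites), the following Python check looks for the two indicators described above in an APK: an archive nested under assets/ that a virtualization layer could load, and a package name that closely resembles the official one. The official package name com.twitter.android and the 0.8 similarity threshold are assumptions; the sample APKs are constructed in memory for the demonstration.

```python
import io
import zipfile
from difflib import SequenceMatcher

OFFICIAL_PACKAGE = "com.twitter.android"  # assumed official package name
ZIP_MAGIC = b"PK\x03\x04"                   # local file header of a ZIP/APK
SIMILARITY_THRESHOLD = 0.8                   # assumed lookalike cut-off


def scan_apk(apk_bytes, declared_package):
    """Return a list of human-readable findings for an APK given as bytes.

    declared_package is the package name read from the manifest (supplied
    by the caller here, since parsing binary AndroidManifest.xml is out of
    scope for this illustration).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("assets/") or name.endswith("/"):
                continue
            with zf.open(name) as entry:
                head = entry.read(4)
            # A nested APK/ZIP under assets/ is the Dual Instance tell-tale.
            if head == ZIP_MAGIC or name.lower().endswith(".apk"):
                findings.append(f"embedded archive in assets: {name}")
    ratio = SequenceMatcher(None, declared_package, OFFICIAL_PACKAGE).ratio()
    if declared_package != OFFICIAL_PACKAGE and ratio > SIMILARITY_THRESHOLD:
        findings.append(f"lookalike package name: {declared_package}")
    return findings


def build_sample_apk(embedded_apk=None):
    """Construct a minimal fake APK; optionally nest another APK under assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")  # constructed
        zf.writestr("classes.dex", b"dex\n035\x00")             # constructed
        if embedded_apk is not None:
            zf.writestr("assets/data.apk", embedded_apk)
    return buf.getvalue()


if __name__ == "__main__":
    inner = build_sample_apk()
    outer = build_sample_apk(embedded_apk=inner)
    for finding in scan_apk(outer, "com.twitter.andriod"):
        print("[!]", finding)
```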