What is Trojan.Dropper.RealShell?
Trojan.Dropper.RealShell is an Android APK that writes a second APK onto the infected device; that second APK in turn creates a third one.
Let's get technical!
The way Trojan.Dropper.RealShell builds that second APK is unusual and worth a closer look.
To build the new APK, the trojan takes a number of files that ship in its own assets folder and uses them as components. It writes them, in a specific sequence, into a single file opened with java.io.RandomAccessFile and saved with a '.lock' extension. The sequence is chosen by a hex key that the code derives from the parent (malicious) app's package name through a fairly involved algorithm.
Interestingly, the new APK has no manifest file and none of the resource files an app normally needs to run on its own. Instead, it is loaded through the Android class DexClassLoader and runs using its parent APK's manifest and resource files.
The parent APK effectively turns into a different app with new features. Using the same resources stored in the parent APK (and special libraries also stored there), it creates yet another APK: PUP.RiskPay.Skymobi, an SMS malware.
Sounds confusing?
Basically, Trojan.Dropper.RealShell creates a new APK (call it APK-1.lock). APK-1.lock is loaded via DexClassLoader, runs using Trojan.Dropper.RealShell's (the parent APK's) manifest and resource files, and in turn creates another APK (PUP.RiskPay.Skymobi).
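As an added example (not code from the original post, and not the dropper's own code), here is a small Python triage script for this class of dropper. It builds a constructed in-memory APK with a fake dex split into chunks under assets/, flags the indicators the post describes (DexClassLoader and RandomAccessFile references, the '.lock' string), and then recovers the chunk order. The indicator strings, the file names and the chunk split are assumptions made for the demo. The order recovery goes beyond the post: instead of reimplementing the dropper's key derivation, which the post does not detail, it brute-forces the concatenation order and validates each candidate against the dex header's own magic, file_size and adler32 checksum, which works for any dropper that splits a dex into a handful of chunks.

```python
"""Triage helper for asset-chunk droppers such as Trojan.Dropper.RealShell.

Added example for this page; not the post's code and not the malware's code.
All sample data below is constructed in memory so the script runs offline.
"""
import hashlib
import io
import itertools
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70

# Assumed indicator strings a classes.dex would carry if it used the
# technique described in the post (class descriptors and the '.lock' name).
INDICATORS = (b"Ldalvik/system/DexClassLoader;",
              b"Ljava/io/RandomAccessFile;",
              b".lock")


def make_fake_dex(payload: bytes) -> bytes:
    """Build a blob with a valid dex header over an arbitrary payload (test fixture).

    Real dex layout used here: magic[8], adler32 checksum[4] over bytes 12..end,
    SHA-1 signature[20] over bytes 32..end, file_size[4], header_size[4], endian_tag[4].
    """
    body = struct.pack("<III", HEADER_SIZE + len(payload), HEADER_SIZE, 0x12345678)
    body += b"\0" * (HEADER_SIZE - 32 - len(body)) + payload      # bytes 32..end
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


def validate_dex(data: bytes):
    """Return None if the blob is a self-consistent dex file, else the failing check."""
    if len(data) < HEADER_SIZE or data[:8] != DEX_MAGIC:
        return "magic"
    checksum, = struct.unpack_from("<I", data, 8)
    file_size, = struct.unpack_from("<I", data, 32)
    if file_size != len(data):
        return "file_size"
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != checksum:
        return "checksum"
    if hashlib.sha1(data[32:]).digest() != data[12:32]:
        return "signature"
    return None


def recover_order(chunks):
    """Brute-force the concatenation order of the asset chunks.

    The dropper derives the order from a key; an analyst without that key can
    still verify candidates because the dex header is self-checking. Only
    feasible for a small number of chunks (n! permutations).
    """
    for order in itertools.permutations(range(len(chunks))):
        blob = b"".join(chunks[i] for i in order)
        if validate_dex(blob) is None:
            return order, blob
    return None, None


def triage_apk(apk_bytes: bytes) -> dict:
    """Report indicator strings in classes.dex and the layout of asset chunks."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex = z.read("classes.dex") if "classes.dex" in names else b""
        assets = {n: z.read(n) for n in names if n.startswith("assets/")}
    hits = [s.decode() for s in INDICATORS if s in dex]
    # An asset that starts with the dex magic is the first chunk of a hidden dex.
    head_chunks = [n for n, b in assets.items() if b.startswith(DEX_MAGIC)]
    return {"indicators": hits, "asset_count": len(assets),
            "dex_headed_assets": head_chunks, "assets": assets}


def build_sample_apk() -> bytes:
    """Constructed sample APK: a fake dex split into three chunks stored out of order."""
    fake = make_fake_dex(b"A" * 300)
    chunks = [fake[:100], fake[100:250], fake[250:]]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Constructed classes.dex: not a real dex, it only carries the indicator strings.
        z.writestr("classes.dex", b"\0".join(INDICATORS))
        z.writestr("assets/c.dat", chunks[2])
        z.writestr("assets/a.dat", chunks[0])
        z.writestr("assets/b.dat", chunks[1])
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    print("indicators:", report["indicators"])
    print("assets with dex magic:", report["dex_headed_assets"])
    order, blob = recover_order(list(report["assets"].values()))
    print("recovered order:", order, "valid dex:", validate_dex(blob) is None)
```

The indicator scan is a cheap first pass; the useful part for an analyst is that a reassembled '.lock' file can be confirmed without reversing the key derivation, because any wrong order fails the magic, file_size or checksum test. On a real sample the recovered blob can then be handed to a dex disassembler.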