- Oct 23, 2012
- 12,527
An Android application distributed currently only in China can steal a user's Twitter credentials and uploads them to an online server.
The malware's name is "Dual Instance," nicknamed this way after a feature found in most social media apps today that allow users to log in with multiple accounts.
Because the Chinese government blocks Twitter in China, users that want to use the social network have to find other "means" to connect to the service.
Since not everyone is tech-savvy enough to install a VPN and then download and install the official Twitter Android app, malware authors are exploiting this to their advantage.
"Dual Instance" Twitter app spread via Chinese forums
Security researchers from Avast say they've discovered a variation of the official Twitter Android app, spread in China via online forums.
The app's maker tells users they can install his app and access Twitter, despite the national ban. To get a leg up on his competition, which is also offering cloned Twitter apps, the author says that users can also run multiple accounts at the same time.
Avast researchers say that this app, which also uses the official "Twitter" name, secretly logs username and password data entered inside the app's login field.
The malware's name is "Dual Instance," nicknamed this way after a feature found in most social media apps today that allow users to log in with multiple accounts.
Because the Chinese government blocks Twitter in China, users that want to use the social network have to find other "means" to connect to the service.
Since not everyone is tech-savvy enough to install a VPN and then download and install the official Twitter Android app, malware authors are exploiting this to their advantage.
"Dual Instance" Twitter app spread via Chinese forums
Security researchers from Avast say they've discovered a variation of the official Twitter Android app, spread in China via online forums.
The app's maker tells users they can install his app and access Twitter, despite the national ban. To get a leg up on his competition, which is also offering cloned Twitter apps, the author says that users can also run multiple accounts at the same time.
Avast researchers say that this app, which also uses the official "Twitter" name, secretly logs username and password data entered inside the app's login field.
The way the app works is to start a VPN connection to Twitter servers when the user starts the fake Twitter app. The VPN allows the app to retrieve Twitter content and bypass China's state-sanctioned firewall.
Malicious app uses sandboxed environments to suppport dual accounts
Avast says that this app is not a pure clone of the official Twitter app, and as such, cannot support multiple accounts by default. To deliver on the promised behavior, the app also includes VirtualCore, an open-source framework that allows developers to create small virtual machines (sandboxes) in which to run another Android app.
Both the original app and the VirtualCore-based instances include functions that record whatever the user types in his username and password field when setting up the app and its various accounts.
The app then sends this data to the Android logcat service, from where the Dual Instance malware retrieves the username and passwords, and uploads them to a remote server.
Non-Chinese users should fear the malware as well
Technically, the malicious behavior is app agnostic, and could, in theory, be ported to other apps that need dual instance behavior.
While currently targeting Chinese users, the rest of Android users should also be very, very careful. While Twitter or Instagram provide support for dual accounts, there are many other apps that don't.
Searching the Google Play Store, you can find tens of apps that provide dual account support for popular apps that don't support this feature by default. Malware authors will find a fertile ground from where to harvest user credentials, if they find a way around Google's app review process.