The TGLoader malware appeared in some alternative Android app markets recently, and researchers at North Carolina State University discovered and analyzed it, finding it has a wide range of capabilities.
The malware uses the “exploid” root exploit to gain root privileges on the compromised phone, and from that position it silently installs further payloads, both native binaries and additional Android apps, that carry out a range of malicious actions.

“After that, it further installed several payloads (including both native binary programs and Android apps) unbeknownst to users. The malware also listens to remote C&C servers for further instructions. Specifically, one particular ‘phone-home’ function supported in TGLoader is to retrieve a destination number and related message body from the C&C servers. Once received, it composes the message and sends it out in the background. This is a typical strategy that has been widely used in recent Android malware to send out SMS messages to premium-rate numbers,” an assistant professor at North Carolina State wrote in an analysis of the new malware.
From ThreatPost by Dennis Fisher