A new version of the Andoid.Xiny trojan that can now root a device to gain admin privileges and that is harder to uninstall has been spotted by security researchers.

The latest mutation called Android.Xiny.60 was spotted by the Russian cyber researcher Doctor Web. The main upgrade noted was that the malware no longer has to trick its victims into giving it admin permissions, but instead roots the device and takes what privileges needs. Once on the device Android.Xiny.60 extracts the malicious components from its resource folder and copies them into the following directories:

  • /system/xbin/igpi;
  • /system/lib/igpld.so;
  • /system/lib/igpfix.so;
  • /system/framework/igpi.jar.

The malicious code then waits for one of several actions to take place, home screen activation, charger connection or change in network connection before it attempts to connect to its command and control server. When this is done it downloads stolen data to include MAC address, OS version, mobile device model and system language.