
New iDroid mobile trojan said to impact iOS and Android devices

A new piece of mobile malware being advertised on Russian underground forums is claimed by its seller to be capable of attacking devices running either iOS or Android, a claim that has not yet been independently verified.

Researchers with Israel-based cyber intelligence company SenseCy recently discovered the trojan – named, perhaps appropriately, iDroid – being sold for about $800, according to a Monday post, which explains buyers must leave contact details with the seller in order to obtain the malware.

The seller's listing is notable for claiming support for Android versions 2.2 and up and for iOS versions 7.1 and below, but it also advertises a long list of other capabilities: keylogging, credit card and email grabbing, SMS sending and interception, call and screenshot recording, and theft of data from mobile wallets such as QIWI.

Forum members replying to the listing have been fairly skeptical of the malware, partly because of how difficult it is to infect iOS devices (the advertised iOS 7.1-and-below range coincides with versions for which public jailbreaks existed, and nothing in the listing says whether a jailbreak is required), but perhaps more because of how challenging it is to write a single trojan that runs on two entirely different operating systems.

But it may not be impossible.

“There has been cross-platform malware in the past; however, it was usually a name for several components that were specific to the operating system and were loosely combined, or was using languages [such as] Java,” Assaf Keren, CTO of SenseCy, said on Monday.

Keren said that he cannot comment on whether iDroid actually does any of what it claims, because SenseCy's technical analysis of the trojan is not yet complete. However, after viewing a seller's demonstration video that walks through much of the malware's advertised functionality, he said it is likely that iDroid does at least some of what it asserts.

“The seller is very reputable in the underground – that makes it less likely to be a scam,” Keren said. “In these areas, if you're caught scamming and lying, you'll probably be kicked out and your revenue stream will stop.”

Version 0.8 of iDroid, which the seller says is in development, would add a utility for writing Zeus-style injections into banking and payment applications, ship with ready-made automatic injections for 56 banking applications, and support automatic delivery of the trojan over Bluetooth, according to the SenseCy post.

[An earlier version of this story reversed the iOS and Android versions that were impacted].
