An Android application distributed currently only in China can steal a user’s Twitter credentials and uploads them to an online server.
The malware’s name is “Dual Instance,” nicknamed this way after a feature found in most social media apps today that allow users to log in with multiple accounts.
Because the Chinese government blocks Twitter in China, users who want to use the social network have to find other “means” to connect to the service.
Since not everyone is tech-savvy enough to install a VPN and then download and install the official Twitter Android app, malware authors are exploiting this to their advantage.
Security researchers from Avast say they’ve discovered a variation of the official Twitter Android app, spread in China via online forums.
The app’s maker tells users they can install his app and access Twitter, despite the national ban. To get a leg up on his competitors, who are also offering cloned Twitter apps, the author says that users can also run multiple accounts at the same time.
Avast researchers say that this app, which also uses the official “Twitter” name, secretly logs username and password data entered inside the app’s login field.
The app works by starting a VPN connection to Twitter servers when the user starts the fake Twitter app. The VPN allows the app to retrieve Twitter content and bypass China’s state-sanctioned firewall.
Avast says that this app is not a pure clone of the official Twitter app, and as such, cannot support multiple accounts by default. To deliver on the promised behavior, the app also includes VirtualCore, an open-source framework that allows developers to create small virtual machines (sandboxes) in which to run another Android app.
Both the original app and the VirtualCore-based instances include functions that record whatever the user types in his username and password field when setting up the app and its various accounts.
The app then sends this data to the Android logcat service, from where the Dual Instance malware retrieves the username and passwords, and uploads them to a remote server.