This Android Malware Has a New Tactic to Steal Your Personal Data


Promon security researchers are sounding the alarm. For several months, an Android malware called Snowblind has been exploiting a new technique “to attack Android applications”. The malware, described as a banking Trojan, seeks to exfiltrate users’ personal data, including login credentials.

To achieve its ends, the malware abuses a security mechanism built into Android’s Linux kernel called “seccomp” (Secure Computing). Present since Android 8 Oreo, this protection is designed to restrict the system calls that an application can make, which limits its ability to interact with the operating system. Ultimately, the mechanism reduces the potential attack surface.


Bypass Android app protections

The malware exploits this mechanism to bypass Android’s anti-tampering protections. These protections are in place to prevent unauthorized modifications to installed applications. By leveraging Secure Computing, Snowblind can modify an application and abuse Android’s accessibility services to steal users’ personal data. These services, which are meant to help visually impaired people use their smartphones, are regularly hijacked by malware. This is also the modus operandi of the latest variant of the Medusa malware.

Concretely, Snowblind injects code into the targeted application before its anti-tampering mechanisms are activated. The malware then installs a “seccomp” filter that lets it manipulate or monitor the application’s access to its own files. The attackers actually carry out “a repackaging attack on the application they are targeting, where the part of the application code that detects malicious accessibility services is manipulated so that it never detects anything”. This attack, very common in itself, is improved here by “a lesser known technique based on seccomp”. The combination of the two allows cybercriminals to achieve their goals.

This strategy also lets Snowblind operate discreetly. Because the exploitation of Secure Computing has only a limited impact on performance, the attack is imperceptible to the victim. According to the researchers, the malware is ultimately able to “read sensitive information displayed on the screen, navigate the device, control applications, bypass security measures by automating interactions that would typically require user intervention” and to “exfiltrate sensitive personally identifiable information”.
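One defensive signal an app developer can look at follows from the description above: the kernel reports a process’s seccomp state in /proc/&lt;pid&gt;/status, so an application can compare the number of seccomp filters attached to it against the count it expects on a clean device. The code below is an added example written for this article; it is not Promon’s code and not part of Snowblind. It assumes a kernel that exposes the “Seccomp_filters:” field (Linux 5.9 and later; older kernels only report “Seccomp:”), and it assumes the app has measured a baseline count for the platform it ships on, since Android’s zygote already installs a seccomp filter for every app and a non-zero count is therefore normal. The sample status texts are constructed for the example.

```python
"""Check the current process's seccomp state against an expected baseline.

Added example (not from Promon or 01net). Assumptions: the kernel exposes
"Seccomp:" and "Seccomp_filters:" in /proc/<pid>/status (Linux 5.9+), and
the caller knows how many filters a clean install of the app should have
on this platform (Android's zygote installs one for every app already).
"""
import re

SECCOMP_MODE_DISABLED = 0
SECCOMP_MODE_STRICT = 1
SECCOMP_MODE_FILTER = 2

# Constructed sample inputs (not captured from a real device).
BASELINE_STATUS = "Name:\tcom.example.bank\nSeccomp:\t2\nSeccomp_filters:\t1\n"
SUSPECT_STATUS = "Name:\tcom.example.bank\nSeccomp:\t2\nSeccomp_filters:\t2\n"
OLD_KERNEL_STATUS = "Name:\tcom.example.bank\nSeccomp:\t2\n"


def parse_seccomp_status(status_text: str) -> dict:
    """Extract the seccomp mode and filter count from /proc/<pid>/status text.

    Returns {"mode": int | None, "filters": int | None}; a None value means
    the field was absent (e.g. "Seccomp_filters" on kernels older than 5.9).
    """
    result = {"mode": None, "filters": None}
    for line in status_text.splitlines():
        m = re.match(r"^(Seccomp|Seccomp_filters):\s*(\d+)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), int(m.group(2))
        if key == "Seccomp":
            result["mode"] = value
        else:
            result["filters"] = value
    return result


def assess_seccomp(status_text: str, expected_filters: int) -> tuple:
    """Compare the parsed seccomp state with the expected baseline.

    Returns (verdict, detail) where verdict is "ok", "suspicious" or "unknown".
    "unknown" means the kernel did not give enough information to decide.
    """
    info = parse_seccomp_status(status_text)
    if info["mode"] is None:
        return "unknown", "no Seccomp field in status text"
    if info["mode"] != SECCOMP_MODE_FILTER:
        # Android 8+ always runs apps under a seccomp filter, so any other
        # mode is itself unexpected, but not evidence of an extra filter.
        return "unknown", f"seccomp mode {info['mode']} (filter mode expected)"
    if info["filters"] is None:
        return "unknown", "kernel does not report Seccomp_filters (pre-5.9)"
    if info["filters"] > expected_filters:
        return "suspicious", (f"{info['filters']} seccomp filters attached, "
                              f"expected {expected_filters}")
    return "ok", f"{info['filters']} seccomp filters attached as expected"


def assess_self(expected_filters: int) -> tuple:
    """Run the check on the current process (Linux only)."""
    with open("/proc/self/status", encoding="utf-8") as fh:
        return assess_seccomp(fh.read(), expected_filters)


if __name__ == "__main__":
    for label, text in (("baseline", BASELINE_STATUS),
                        ("suspect", SUSPECT_STATUS),
                        ("old kernel", OLD_KERNEL_STATUS)):
        print(label, assess_seccomp(text, expected_filters=1))
```

Two caveats apply to any such check. First, the article notes that Snowblind injects its code before the app’s protections are activated, so the check has to run as early as possible in process start-up. Second, the same seccomp filter that lets the malware manipulate file access could in principle interfere with reads of /proc as well, so this count is one signal among several rather than a definitive integrity test.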

A little-known attack

According to Promon researchers, this tactic is still largely unknown. As a result, application developers have not yet implemented protections against this type of cyberattack. In its report, the security company states that it has “never seen seccomp be used as an attack vector before and we were surprised to see how powerful and versatile it can be if used maliciously”.

“Attackers now have a powerful new tool to attack an application effectively”, warns Promon.

The researchers observed Snowblind being used in an attack on an app owned by an Asian developer. It is unclear whether the malware is currently being used to carry out other cyberattacks against Android apps. Contacted by Bleeping Computer, Google stated that no application infected by Snowblind had been found on the Play Store.


Source: Promon
