In the dynamic realm of mobile application security, cybercriminals employ ever more sophisticated malware, and code obfuscation stands out as one of their deceptive techniques. Obfuscation intentionally distorts code elements, rendering them inscrutable to the untrained eye, impeding analysis and complicating decompilation. Symantec's recent investigation unravels a spyware cluster that employs several ingenious techniques to elude static analysis.

Resource camouflage is one such stealthy strategy: the apps place concealed resources inside the APK that mirror the names and permissions of vital resources. This confounding tactic challenges analysis tools and complicates the extraction process.

Another method uses unsupported compression methods in APK files, disrupting third-party libraries and intensifying the complexity of analysis. This compression trickery adds an extra layer of obfuscation and heightens the challenge for security analysts. Intriguingly, the spyware cluster also uses "No compression" data to evade signature scheme verification, exploiting Android's flexibility in supporting both compression methods. By introducing unsupported compression entry codes, the spyware navigates through the Android security infrastructure and avoids detection by signature schemes.

Resource obfuscation disrupts reverse-engineering tools by introducing invalid attributes and illegal resource IDs into AndroidManifest. Tools such as Apktool, Jadx, and JEB encounter difficulties with these obfuscated elements, underscoring the cunning employed by this spyware.

The spyware cluster adopts a multifaceted scheme, disguising itself as popular games, apps, and even system-level applications.
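The APK packaging tricks described above (duplicate resource entries that camouflage each other, unsupported compression method codes, and stored data whose headers do not describe it) can all be surfaced by walking the ZIP central directory directly rather than trusting a library parser. The following Python script is an added example written for this page; it is not code from Symantec or from the article. The archive it inspects is constructed inline as sample data, and the entry names and the compression method code 99 are placeholders chosen for illustration, not values taken from the spyware.

```python
import struct
import zlib
from collections import Counter

# Android's APK parser accepts only these two ZIP compression methods.
SUPPORTED_METHODS = {0: "STORED", 8: "DEFLATED"}

EOCD_SIG = b"PK\x05\x06"
CDH_SIG = 0x02014B50
LFH_SIG = 0x04034B50


def build_zip(entries):
    """Construct a ZIP archive from (name, method, payload) triples.

    Constructed test-data builder, not a real packer: any method other
    than 0/8 stores the bytes verbatim under that method code, which is
    what a tampered APK entry looks like on disk.
    """
    out, central = bytearray(), bytearray()
    for name, method, payload in entries:
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        if method == 8:
            comp = zlib.compressobj(level=9, wbits=-15)  # raw deflate
            body = comp.compress(payload) + comp.flush()
        else:
            body = payload
        raw_name = name.encode("utf-8")
        offset = len(out)
        # Local file header (30 bytes) + name + data
        out += struct.pack("<IHHHHHIIIHH", LFH_SIG, 20, 0, method, 0, 0,
                           crc, len(body), len(payload), len(raw_name), 0)
        out += raw_name + body
        # Central directory header (46 bytes) + name
        central += struct.pack("<IHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, 0,
                               method, 0, 0, crc, len(body), len(payload),
                               len(raw_name), 0, 0, 0, 0, 0, offset)
        central += raw_name
    cd_offset = len(out)
    out += central
    out += struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, len(entries),
                       len(entries), len(central), cd_offset, 0)
    return bytes(out)


def parse_central_directory(data):
    """Walk the central directory and return one dict per declared entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack(
        "<4sHHHHIIH", data[eocd:eocd + 22])
    entries, pos = [], cd_offset
    for _ in range(total):
        f = struct.unpack("<IHHHHHHIIIHHHHHII", data[pos:pos + 46])
        if f[0] != CDH_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "method": f[4], "crc": f[7],
                        "csize": f[8], "usize": f[9], "offset": f[16]})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def entry_data(data, e):
    """Return the raw (still compressed) bytes of an entry via its local header."""
    h = struct.unpack("<IHHHHHIIIHH", data[e["offset"]:e["offset"] + 30])
    if h[0] != LFH_SIG:
        raise ValueError("bad local header for %s" % e["name"])
    start = e["offset"] + 30 + h[9] + h[10]  # skip name and extra field
    return data[start:start + e["csize"]]


def audit_apk(data):
    """Return (severity, entry_name, message) findings for a suspicious APK."""
    entries = parse_central_directory(data)
    findings = []
    # Resource camouflage: the same path declared more than once.
    for name, n in Counter(e["name"] for e in entries).items():
        if n > 1:
            findings.append(("high", name, "declared %d times (duplicate entry)" % n))
    for e in entries:
        m = e["method"]
        if m not in SUPPORTED_METHODS:
            findings.append(("high", e["name"], "unsupported compression method %d" % m))
            continue
        raw = entry_data(data, e)
        try:
            plain = raw if m == 0 else zlib.decompress(raw, -15)
        except zlib.error as exc:
            findings.append(("high", e["name"], "declared DEFLATED but data does not inflate (%s)" % exc))
            continue
        if m == 0 and e["csize"] != e["usize"]:
            findings.append(("medium", e["name"], "STORED entry with csize != usize"))
        if zlib.crc32(plain) & 0xFFFFFFFF != e["crc"]:
            findings.append(("medium", e["name"], "CRC mismatch: header does not describe stored data"))
    return findings


# Constructed sample: a camouflaged duplicate manifest and an entry with a bogus method code.
SAMPLE_APK = build_zip([
    ("AndroidManifest.xml", 8, b"<manifest package='example.app'/>"),
    ("AndroidManifest.xml", 0, b"<manifest package='example.app' />"),  # duplicate
    ("res/raw/config.bin", 99, b"not-really-compressed"),              # method 99 is unsupported
    ("classes.dex", 0, b"dex\n035\x00" + b"\x00" * 16),
])

if __name__ == "__main__":
    for sev, name, msg in audit_apk(SAMPLE_APK):
        print("[%s] %s: %s" % (sev, name, msg))
```

The script deliberately avoids Python's zipfile module: that module refuses entries with unknown method codes outright, which is precisely how unsupported compression methods disrupt third-party libraries in the first place. Walking the central directory by hand lets an analyst enumerate every declared entry, including duplicates, and compare what the headers claim against what the bytes actually are before handing the file to Apktool or Jadx.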
Once installed, these deceptive apps request accessibility permissions, which let them monitor user activity and report it to a designated server. The C&C sections of the spyware introduce noise, including junk code and irrelevant strings, into essential methods. This obfuscation aims to disrupt static analysis tools, yet careful scrutiny reveals a specific format in the server's responses that enables command execution. Employing anti-killing and anti-uninstall methods, the spyware safeguards itself by triggering actions such as 'HOME' or 'BACK' when users attempt to terminate or uninstall the app.

The spyware cluster underscores the dynamic nature of mobile threats and the need for robust security measures. Users are urged to install security apps, avoid downloading from unfamiliar sources, keep software updated, scrutinize app permissions, and maintain frequent backups as essential safeguards in this ever-evolving landscape.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 30 Nov 2023 21:55:08 +0000