Promon, a leading mobile app security provider, has discovered a new Android malware called Snowblind. In their report, shared ahead of its release with Hackread.com on Wednesday, June 26th, Promon revealed that this malware exhibits a unique ability to bypass even the strongest anti-tampering mechanisms by disabling an app’s ability to detect malicious modifications, exposing users to risks like financial loss and fraud.
It achieves its malicious objectives by manipulating the Accessibility Services and the ‘seccomp’ feature on Android devices. For your information, ‘seccomp‘ (secure computing) is a safety filter in the Linux kernel that restricts an app’s ability to make system calls or requests from the operating system. Accessibility Services enable users with disabilities to interact with and modify app interfaces, read screen content, input text, etc.
Snowblind aims to prevent the detection of repackaged apps by bypassing anti-tampering mechanisms in the targeted app. It modifies apps to avoid the detection of accessibility services and uses seccomp functionality to intercept and manipulate system calls, allowing it to bypass security checks and remain undetected. It also installs a seccomp filter to trap specific system calls and uses a signal handler to intercept and modify these calls to prevent detection.
Through this filter, Snowblind checks the origin of system calls, enabling it to generate a signal only if the call comes from an anti-tampering library. This improves the attack’s speed and allows attackers to filter, inspect, and manipulate any system call.
As per Promon’s blog post, the malware can also manipulate and trace any code reliant on system calls, even if it implements the system calls and makes them hard to find and patch, making it a powerful tool for bypassing anti-tampering mechanisms.
Through its manipulation capabilities, Snowblind can target multiple apps or system functions, including banking apps, to steal login credentials, hijack user sessions, and disable security features like 2FA or biometric verification.
Additionally, Snowblind also exfiltrates sensitive information and transaction data, exposing victims to fraud. It is effective on all modern Android devices, providing a wider range of attack possibilities.
To protect against Snowblind and similar threats, Android users should download apps from trusted sources and official app stores like Google Play, update their devices regularly, consider using a mobile security solution, and be cautious of unusual app behaviour. If an app starts consuming excessive resources or exhibiting unexpected permissions requests, uninstall it and report it to the developer or app store.
RELATED TOPICS
- SpyNote Android Spyware Poses as Legit Crypto Wallets
- Widespread Use of Rafel RAT Puts 3.9B Android Devices at Risk
- Arid Viper’s AridSpy Trojan Hits Android Users in Palestine, Egypt
- Antidot Android Malware Poses as Google Update to Steal Funds
- Android Malware Poses as WhatsApp and Instagram to Steal Data
