A new Android malware called Snowblind uses an innovative technique to bypass app security protections. With this extremely stealthy technique, hackers can steal personal and banking data without being detected.
Cyber attacks targeting smartphones are constantly increasing. According to a report by the National Agency for Information Systems Security, attacks on mobile phones increased by 30% in 2023. Among the new threats, sophisticated malware such as PixPirate has become undetectable. This worrying trend continues with the appearance of Snowblind, a malware that uses a new technique.
Snowblind stands out for abusing a security feature built into the Android Linux kernel. More precisely, this malware is a banking trojan. Its goal is to steal personal data by abusing the seccomp mechanism. Promon researchers discovered that this method allows it to bypass application protection measures, making the attack virtually undetectable to users.
Snowblind Hijacks Android Smartphone Security Measures to Steal Data
Present since 2018 on Android 8 Oreo, seccomp is designed to limit the system calls that an application can make. This reduces the risks of malicious interactions with the operating system. Snowblind uses this feature to bypass security measures implemented by Android to prevent unauthorized modifications to applications.
By exploiting Secure Computing, this malware changes applications and uses accessibility services to access users’ personal data. These services, originally designed to help visually impaired people, are regularly hijacked by malware.
The process is complex but effective. Snowblind injects code into the target application before its security mechanisms are enabled. It then installs a seccomp filter to intercept or monitor the application's access to its own files. This method allows cybercriminals to read sensitive information displayed on the screen, control applications, and bypass security measures by automating interactions.
According to Promon researchers, this technique is still little known and few developers have implemented protections against this type of attack. Google claims that no apps infected with this malware have been found on the Play Store, but vigilance is still required. It is therefore crucial to be careful about what you download and to avoid unofficial sources.
Source: Promon