Reg comments7

New Android tricks for modern malware licks

Copy+paste crew rip off white hat proof-of-concepts and make them dangerously real

Symantec engineer Dinesh Venkatesan says malware writers have one up on Google with the pillaging of a keystone trick that permits attacks on Android Marshmallow.

The method was extracted from white hat proof-of-concept works published initially to show how malware could extract credentials from Android apps.

It allows malware to determine the running apps on a device and relies on social engineering users.

Google and disparate white hats, including Venkatesan, have identified and eliminated avenues through which malware could trick users into tapping various security approval buttons using screen overlays that make the apps and their suggested taps appear benign.

The first trick steals from a GitHub project that helps researchers bypass Android security measures, and will fail on Google's looming hardened operating system codenamed N. Symantec explains this problem as follows:

This technique uses a popular open source project hosted on GitHub and does not require any additional permissions. It reads the "/proc/" file system to enumerate running processes and finds the current foreground app. It should be noted that the open source project itself is not malicious—the malware authors just leverage this project to get around security measures.

The second takes advantage of an API introduced in Android Lollipop version five. Here's the dope:

"This technique uses the UsageStatsManager API introduced in Android 5.0 to gain access to a device’s usage history and statistics. The malware queries the usage statistics of all the applications for the past two seconds and then computes the most recent activity.

Malware seen using the latter technique appears on the usage security approval list as Google Chrome using the browser's name and icons. The masquerade unravels on some OEM droid vendors like Samsung.

"It is interesting to monitor how relentlessly the malware authors try to outsmart new security enhancements," notes Venkatesan. "Here the attackers have employed an effective social-engineering technique to remind us once again that the security of any system takes into account users’ level of awareness."

Security in Android N will be tighter, with previous attack surfaces including Stagefright likely shuttered thanks to new architectures.

Updating will be easier and lighter, says Android Central, with core elements patched without need of a user-deterring full update.

File encryption is introduced in N which will be less onerous on handsets and harder for outside parties to access. ®

Sign up to our Newsletter

Get IT in your inbox daily

Biting the hand that feeds IT © 1998–2017