While analysts figure out new methodologies for
analyzing malware and users begin to understand how all this works,
cybercriminals are seeking new ways to hide in phones and compromise devices.
The convoluted tricks used to increase the
effectiveness of their attacks can be grouped into two distinct categories:
First, Social Engineering strategies that seek to confuse users; and second,
sophisticated technical mechanisms that try to obstruct malware detection and
analysis.
This article summarizes some of the common
behaviors of malicious Android code over the last few years.
Deceit based on Social Engineering
Use fraudulent accounts in the Play Store to
distribute malware
Malware in the official Google store never
stops appearing. For cybercriminals, sneaking their malicious applications into
the marketplace of genuine apps is a huge victory, as they can reach much more
potential victims so have an almost rock-solid guarantee of more infections.
What’s more, the fake developer accounts used to
spread insecure or malicious apps try to look as similar as possible to real
accounts, in order to dupe unsuspecting users who end up getting confused by
them. In a recent example of this, researchers discovered a fake app for updating WhatsApp that used a Unicode
character trick to give the impression of being distributed through the
official account.
Take advantage of commemorative dates and
scheduled app release dates
A common practice in the world of cybercrime is to
make malware look like versions of apps – games, mostly – that have gained
sudden popularity, which are either scheduled for release or are not available
in official stores for certain countries. This happened with Pokémon
GO, Prisma and Dubsmash, adding hundreds of thousands of
infections worldwide.
Tapjacking and overlay windows
Tapjacking is a technique that involves
capturing a user’s screen taps by displaying two superimposed apps. So the user
believes that they are tapping on the app that they are seeing, but they are
actually tapping on the underlying app, which remains hidden from view.
Another similar strategy, which is widely used in
spyware for credential theft in Android, is overlay windows. In this scam,
the malware continually tracks the app that the user is using, and when it
coincides with a certain objective app, it displays its own dialog box that
looks just like the legitimate app, requesting credentials from the user.
Camouflaged among system apps
By far, the easiest way for malicious code to hide
on a device is to pass itself off as a system app and go as unnoticed as
possible. Malpractices such as deleting the app icon once the installation is
finished or using names, packages and icons of system apps and other popular
apps to compromise a device are strategies that are emerging in code like
this banking Trojan that passed itself off as Adobe Flash Player to steal
credentials.
Simulating system and security apps to
request administrator permissions
Since Android is structured to limit app
permissions, a lot of malicious code needs to request administrator permissions
to implement its functionality correctly. And granting this permission makes it
more difficult to uninstall the malware.
Being camouflaged as security tools or
system updates gives cybercriminals certain advantages. In particular, it
allows them to shield themselves behind a trusted developer, and consequently
users do not hesitate to authorize the app to access administrative functions.
Security certificates that simulate true data
The security certificate used to sign an
APK can also be used to determine if an app has been altered. And while
most cybercriminals use generic text strings when issuing a certificate, many
go to the trouble of feigning data that correspond to the data used by the
developer, going one step further in their efforts to confuse users who carry
out these checks.
Techniques for complicating analysis
Multiple functionalities in the same code
A trend that has been gaining ground in recent
years in the mobile world is to combine what used to be different types of
malware into a single executable. LokiBot is one example of this, which is a banking Trojan
that tries to go unnoticed for as long as possible in order to steal
information from a device; however, if the user tries to remove the
administrator’s permissions to uninstall it, it activates its ransomware
feature by encrypting the device’s files.
Hidden apps
The use of droppers and downloaders,
i.e., embedding malicious code inside another APK or downloading it from the
internet, is a strategy that is not only limited to malware for laptops and
computers, but is also universally used by malicious mobile code writers.
As the then known Google Bouncer complicated
cybercriminals’ ability to upload malware to the official store, the attackers
chose to include this type of behavior to try to bypass controls … and it
worked! Well, for a while at least!
Since then, these two forms of malware coding have
been added to the portfolio of most used malicious techniques.
Multiple programming languages and volatile
code
New multiplatform development frameworks and
new programming languages are emerging all the time. What better way to mislead
a malware analyst than to combine languages and development environments, such
as designing apps with Xamarin or
using Lua code to execute malicious commands. This strategy changes the final
architecture of the executable, and adds levels of complexity.
Some attackers add to this combo by using dynamic
script loading or portions of code that are downloaded from remote servers and
deleted after use. So once the server has been removed by the cybercriminal, it
is not possible to know exactly what actions the code performed on the device.
Samples with these characteristics began to appear
towards the end of 2014, when researchers published particularly complex malware analysis.
Synergistic malware
An alternative for complicating the analysis of a
sample is to divide the malicious functionality into a set of apps that are
capable of interacting with each other. By doing so, each app has a subset of
permissions and malicious functionality, and they then interact with each other
to fulfill a further purpose. Moreover, for an analyst to understand the true
function of the malware, they must have access to all individual apps as if
they were pieces of a puzzle.
And while this is not a commonly used strategy,
there have already been samples that exhibit this type of behavior, as
a publication on Virus Bulletin recently demonstrated.
Covert channels and new communication
mechanisms
To communicate with a C&C server or other
malicious apps, malware needs to transfer information. This can be done via
traditional open channels or hidden channels (personalized
communication protocols, brightness intensity, wake locks, CPU utilization,
free space in memory, sound or vibration levels, and accelerometers, among
others).
Furthermore, in recent months we have seen how
cybercriminals are using social networks to transfer C&C messages, such
as Twitoor, the botnet that uses Twitter accounts to send commands.
Other anti-analysis techniques
The use
of packaging, anti-emulation, anti-debugging, encryption, and obfuscation,
among other evasion techniques, is very common in malware for
Android. To get around these types of protections, it is possible to
use hooking of functions, perhaps through apps such as Frida.
It is also possible to use analysis environments
that try to dodge these controls by default, such as MobSF—which includes
some anti-emulation techniques, AppMon, or Inspeckage—where, for
example, flat text strings can be seen before and after being encrypted,
together with the keys used.
To prevent infections, don’t forget to check out
these potentially malicious behaviors and find out how to check if your phone has been compromised.