Snowblind Tampering Technique May Drive Android Users Adrift

Published: 23/11/2024   Category: security

As cybersecurity's cat-and-mouse game starts to look more like Tom and Jerry, attackers develop a method for undermining Android app security with no obvious fix.



Hackers from Southeast Asia have turned Android's own best application security mechanism against itself, severing the link between kernel and application in order to perform any kind of tampering they wish.
This method is being employed by new malware called Snowblind, which targets at least one banking app in Southeast Asia. Snowblind works by abusing the ubiquitous and otherwise sterling Linux security feature seccomp — short for secure computing — in order to trap and modify system calls in transit, in effect isolating an application from the protocols and information it needs to detect malicious tampering.
"In security, nothing is bulletproof," says Jan Vidar Krey, vice president of engineering at Promon, lamenting the weaponization of such a core Android security feature. "Everything can be circumvented to some extent, which is a harsh, brutal way of looking at it, but that's the reality."
As Promon describes in its report on Snowblind, the most common way hackers undermine Android devices is by tricking users into granting them accessibility permissions, which they can use to various malicious ends.
Because this is so common, though, experienced developers already know how to account for it. For example, apps can query the operating system to check for untrusted accessibility services, and then react accordingly, as Promon discusses in its report.
Attackers, for their part, can try to identify and sabotage the parts of an app's code that do that job by repackaging them — downloading, modifying, and re-uploading malicious versions of legitimate apps.
To prevent repackaging, developers can be proactive by protecting their code with obfuscation, or they can be reactive by opening an app's Android package (APK) file on disk and reviewing its contents.
Attackers have their own methods for concealing their malicious repackaging, though. For example, they can hook into that anti-tampering file-reading process and redirect it to an unmodified version of the same app. But developers know about and can account for that as well by implementing the necessary system calls in native libraries rather than the C standard library.
So at this point, forced into a corner, attackers needed a new way of preventing secured apps from detecting their tampering.
Snowblind — the next evolution in this grand game — tries something new. It puts its focus not on accessibility services per se, or the app's code, but the seccomp security feature in between.
"This seccomp mechanism is the foundation of everything that you're seeing in the cloud today," Krey notes. In addition to Android — since version 8.0 Oreo — it's used by containerization technologies like Docker (by default) and Kubernetes, Chromium browsers, and more.
It works by sandboxing applications, allowing or blocking calls they might make to the operating system as defined by a system administrator. But these days, Krey explains, "What we're seeing with Android is that malware is using these same security tricks to prevent an application from seeing what's actually going on on the rest of the system. And basically just showing it what the attacker wants it to see."
First, Snowblind repackages an app with a library that will be loaded before any anti-tampering mechanisms can run. This library includes a seccomp filter, which looks out for a very select few system calls — like open(), used for opening files or other resources — and traps them. Before allowing the call to be executed, it uses a signal handler to modify it, pointing it to a file that's the original, unmodified version of the app.
In other words, like a little man in the middle of the device, the malware traps and misdirects the signals an app needs to know whether it has been tampered with.
Having fully isolated an app, a banking Trojan can freely use accessibility services to perform any number of malicious actions on a device: steal and exfiltrate credentials, intercept two-factor authentication (2FA) codes, and disable further application security features, among other functions.
And, Promon noted, Snowblind's strategy can be used to do more than just defeat anti-tampering on Android phones. In cloud or containerized environments, Chromium browsers, or any other type of system relying on seccomp, it can, in theory, be used to trace and manipulate any code that relies on system calls, for whatever reason.
How will defenders respond, then? For Krey, there isn't any obvious seccomp-oriented fix, as it's so crucial to protecting these systems in the first place. "Seccomp is an integral part of lots of different applications," he explains, "so I don't really know how they would fix it. And I don't really see that they should fix it, to be honest. It's kind of a paradoxical thing."
Instead, Google and its customers can focus on shunning maliciously repackaged apps before they're downloaded. "In Southeast Asia, we believe these types of apps have likely spread outside of the official app stores. This has almost certainly been achieved via social engineering attacks, a still very prevalent and widely reported method of duping less tech-savvy users. And fake malicious apps still make their way onto major app stores," he explains. "With this in mind, a stronger policing of the Play Store and tighter verification process for uploaded apps would mitigate the spread of Snowblind."
Google, for its part, appears unfazed. In a statement to Dark Reading, a company spokesperson claimed that the company already knew about Snowblind before Promon's report. "Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play," Google said in its statement.
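The mechanism described above rests on two observable facts about the victim process: a seccomp filter in filter mode that returns SECCOMP_RET_TRAP, and a user-space SIGSYS handler that the trapping library must install to catch and rewrite the call. The following added example, which is not code from Promon's report or from the Snowblind sample, shows two self-checks a Linux or Android native library could run to notice those conditions: reading the process's own seccomp mode from /proc/self/status, and querying with sigaction() whether anything has installed a SIGSYS handler. It assumes a Linux kernel with /proc and a glibc- or bionic-style sigaction(); the function names are this example's own.

```c
/* Added example, not from Promon's report or the Snowblind sample.
 * Two host-side checks a native library can run on itself. Assumes Linux
 * (/proc/self/status present) and a glibc/bionic-style sigaction().
 * All function names here are this example's own. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the "Seccomp:" line of a /proc/<pid>/status text.
 * Returns 0 (disabled), 1 (strict) or 2 (filter), or -1 if the line is absent.
 * Takes the text as a parameter so it can be exercised on constructed input. */
int seccomp_mode_from_status(const char *status_text) {
    const char *p = status_text;
    while (p && *p) {
        /* "Seccomp_filters:" begins with "Seccomp_", so it does not match here. */
        if (strncmp(p, "Seccomp:", 8) == 0) {
            return atoi(p + 8);          /* atoi skips the tab before the digit */
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* Read the calling process's own seccomp mode.
 * Caveat: on Android 8.0+ the zygote already installs a filter, so mode 2 is
 * the normal state of an app process and is not by itself evidence of tampering. */
int current_seccomp_mode(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char buf[8192];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return seccomp_mode_from_status(buf);
}

/* A filter that returns SECCOMP_RET_TRAP delivers SIGSYS to the process, and
 * the trapping library has to install a handler to intercept the call.
 * Passing a NULL action to sigaction() only queries the current disposition.
 * Returns 1 if a user-space handler is installed (anything other than SIG_DFL
 * or SIG_IGN), 0 if not, -1 on error. An app that never installs a SIGSYS
 * handler of its own can treat 1 as a strong signal; a library loaded before
 * the app could also interpose sigaction() itself, so this is one heuristic,
 * not a proof. */
int sigsys_handler_installed(void) {
    struct sigaction cur;
    memset(&cur, 0, sizeof cur);
    if (sigaction(SIGSYS, NULL, &cur) != 0) return -1;
    void (*h)(int) = (cur.sa_flags & SA_SIGINFO)
                         ? (void (*)(int))cur.sa_sigaction
                         : cur.sa_handler;
    return (h != SIG_DFL && h != SIG_IGN) ? 1 : 0;
}

/* Harmless handler used only to show the check flipping from 0 to 1. */
static void demo_sigsys_handler(int sig, siginfo_t *info, void *ctx) {
    (void)sig; (void)info; (void)ctx;
}

/* Install the demo handler so sigsys_handler_installed() can be exercised.
 * Returns 0 on success, -1 on error. */
int install_demo_sigsys_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = demo_sigsys_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSYS, &sa, NULL);
}

int main(void) {
    printf("seccomp mode of this process: %d\n", current_seccomp_mode());
    printf("SIGSYS handler before demo install: %d\n", sigsys_handler_installed());
    install_demo_sigsys_handler();
    printf("SIGSYS handler after demo install:  %d\n", sigsys_handler_installed());
    return 0;
}
```

Both checks are cheap enough to run at library load time. The seccomp-mode reading is context: on a desktop Linux process 0 is expected, while on Android an app process is already in mode 2 because of the zygote filter, so the result matters only relative to what the platform normally reports. The SIGSYS query is the more telling one for the technique described in the article, because a filter that merely kills or denies calls needs no handler, whereas a filter that rewrites a trapped open() cannot work without one.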