Android malware developers are misusing techniques unearthed in GitHub projects to bypass security measures introduced in the latest versions of the mobile OS.
GitHub, the largest host of source code in the world, is the home of a huge number of public projects. And, as we’ve witnessed in the example of Hidden Tear, the PoC ransomware published on GitHub by a Turkish computer engineering student, malware makers are happy to repurpose effective source code from anywhere.
Symantec researchers believe that the most recent variants of Bankosy (banking info stealer) and Cepsohord (click fraud) Android Trojans have been equipped with tricks based on performance features of two projects found on GitHub.
Developers of the Bankosy Trojan have been trying to find an alternative way for the malware to detect running apps so that it can lay the appropriate information-stealing screen over it.
With Android 5.0 (Lollipop), Google made it impossible for third-party apps to use the getRunningTasks API to detect which app is open at a given moment.
Researchers posited that developers of credential-stealing malware with screen overlay capabilities will revert to tricking users to switch on Android’s accessibility service in order to get that information. But, it seems that they still prefer tricks that don’t require user interaction or additional permissions.
One of the newly implemented techniques, apparently lifted from this project, allows the Trojan to read the “/proc/” file system to enumerate running processes and to find the current foreground app.
The other misuses the UsageStatsManager API to query the usage statistics of all the applications for the past two seconds, and deduce which app is currently in use.
“The malware requests the user to grant a system-level permission, ‘android.permission.PACKAGE_USAGE_STATS’, to use this API. This permission can only be granted through the Settings application. In order to overcome this, the malware uses social engineering by programmatically starting the usage access permission activity while masquerading as Google Chrome by mimicking the app’s icon and name,” the researchers found.
“The malware author may have got the inspiration for this idea from a proof-of-concept overlay malware project also hosted on GitHub. This technique of programmatically starting this particular activity is not supported by certain OEM vendors, such as Samsung.”
And so the arms-race between Google and Android malware developers continues.
According to the researchers, Google is already planning to prevent the first technique from working in the upcoming Android version.