Snowblind malware bypasses Android security unnoticed


Security specialists have recently discovered a new form of malware known as “Snowblind.” This malware exploits Android’s ‘seccomp’ security feature to bypass anti-tampering measures in apps. This crafty malware gathers login data and takes control of the device undetected.

“Snowblind” infiltrates a device through third-party app stores, disguising itself as a harmless part of the downloaded application. Its most troublesome capability, however, is mimicking ordinary app processes, which makes it difficult for antivirus software to detect.

What sets “Snowblind” apart is its use of seccomp. Seccomp is a Linux kernel security feature that Android employs for integrity assessment. It is meant to prevent malicious activity, but Snowblind perverts its purpose, using it to evade detection while compromising device security.

Snowblind’s activities first came to light during an investigation by Promon, a mobile app security company, which examined a sample from i-Sprint, an enterprise providing security for access and identity systems. The malware targeted one of i-Sprint’s Southeast Asia clients, specifically an app containing sensitive information.

This case highlights the need for digital businesses to continually update and enhance their security measures to counter advanced cyber threats. Traditional security measures proved ineffective against Snowblind, which transformed genuine apps into harmful ones through “repackaging,” allowing it to infiltrate the system undetected.

Seccomp, as a security feature, limits an application’s exposure to attacks and filters system calls.

Snowblind malware subverts Android security unseen

Introduced for apps in Android 8 (Oreo), seccomp offers proactive protection by terminating an application when it makes a system call that is not on the app’s permitted list. With every update, Android continues to refine and harden its seccomp filtering.

Snowblind operates by selecting applications that deal with sensitive data and injecting a library that sets up a filter to intercept system calls. This interception allows it to manipulate data undetected, bypassing systems designed…
