This new malware on Android can bypass security to steal data
A new Android malware called Snowblind has emerged and it’s using a clever trick to bypass security. Named Snowblind, this malware exploits a feature meant to protect users – a security check called “seccomp” – to hide its tampering with legitimate apps.
Snowblind “repackages” these apps, making them blind to the fact that Snowblind is now piggybacking on them. This allows the malware to misuse accessibility services, which are meant to assist users, but in this case, are hijacked to steal login information or even remotely control the device for malicious purposes.
How this malware can be dangerous
According to a report by BleepingComputer, researchers at mobile security company Promon have discovered this malware strain called Snowblind targeting Android devices. This malware leverages tactics to bypass existing security measures.
Snowblind specifically targets apps that handle sensitive user information. The malware exploits a security feature called “seccomp” that’s designed to protect users. Seccomp restricts the actions apps can take, preventing malicious activities.
The malware injects malicious code into the targeted app before its security checks can run. This allows Snowblind to install a filter within seccomp, essentially manipulating the system calls the app can make.
When the app tries to verify if it’s been tampered with (a security check), Snowblind’s filter intercepts this action and blocks it. This prevents the app from detecting Snowblind’s presence.
Snowblind further manipulates the system by altering the app’s attempts to access files. It redirects these attempts to an uninfected version of the app, effectively hiding its tampering from the security check.
What this means for users
Snowblind’s use of a security feature makes it a particularly dangerous threat. The targeted nature of its attack also minimises its impact on device performance, further reducing the chances of users noticing anything unusual. This underlines the importance of staying vigilant and relying on reputable security solutions to protect your mobile devices.
Snowblind “repackages” these apps, making them blind to the fact that Snowblind is now piggybacking on them. This allows the malware to misuse accessibility services, which are meant to assist users, but in this case, are hijacked to steal login information or even remotely control the device for malicious purposes.
How this malware can be dangerous
According to a report by BleepingComputer, researchers at mobile security company Promon have discovered this malware strain called Snowblind targeting Android devices. This malware leverages tactics to bypass existing security measures.
Snowblind specifically targets apps that handle sensitive user information. The malware exploits a security feature called “seccomp” that’s designed to protect users. Seccomp restricts the actions apps can take, preventing malicious activities.
The malware injects malicious code into the targeted app before its security checks can run. This allows Snowblind to install a filter within seccomp, essentially manipulating the system calls the app can make.
When the app tries to verify if it’s been tampered with (a security check), Snowblind’s filter intercepts this action and blocks it. This prevents the app from detecting Snowblind’s presence.
Snowblind further manipulates the system by altering the app’s attempts to access files. It redirects these attempts to an uninfected version of the app, effectively hiding its tampering from the security check.
What this means for users
Snowblind’s use of a security feature makes it a particularly dangerous threat. The targeted nature of its attack also minimises its impact on device performance, further reducing the chances of users noticing anything unusual. This underlines the importance of staying vigilant and relying on reputable security solutions to protect your mobile devices.
