This sneaky new Android malware can hide in plain sight – and it’s all thanks to virtualization
A sneaky new Android malware was recently discovered, using virtualization to avoid detection and make serious money for its operators.
It is called FjordPhantom and its goal is to steal money from people’s bank accounts. The malware was discovered by cybersecurity researchers Promon, who say it mostly targets users in Indonesia, Thailand, Vietnam, Singapore, and Malaysia.
FjordPhantom spreads via phishing emails, SMS messages, and chat apps.
Beating the Android Sandbox
The threat actors would impersonate a popular bank in the region and reach out to the victims in an attempt to get them to download an app. However, together with the legitimate app, the victims would get malicious code running in a virtual environment, allowing the operators to attack the real banking app.
The threat actors leveraged open-source projects to create virtual containers on the target endpoint, without the user’s knowledge or consent. When the user launches the downloaded APK, it runs the actual banking app in the same container with the malicious code, making malware part of the trusted process.
This is dangerous not only because victims might lose their data and money, but also because it breaks the “Android Sandbox” security concept, whose premise is that apps can’t access each other’s data.
Furthermore, as the banking app isn’t modified, code tampering detection doesn’t work, either. The malware is also capable of hampering root-related security checks, as well, the researchers said.
When it comes to the malware’s capabilities, it can perform on-device fraud and steal banking credentials. Promon says that one victim was able to lose $280,000, thanks to a mix of malware and social engineering (the threat actors impersonated the bank’s customer support).
The best way to protect against such threats is to use common sense and only download apps from trusted sources. Also, before downloading an app, make sure to check the number of downloads and reviews, as these could be good indicators of malware.
Via BleepingComputer
