Snowblind malware abuses Android security feature to bypass security

A new Android attack vector from malware tracked as Snowblind abuses a security feature to bypass existing anti-tampering protections in apps that handle sensitive user data.

The goal of Snowblind is to repackage a target application so that it can no longer detect abuse of accessibility services, which the malware uses to obtain user input such as credentials or to gain remote access and execute malicious actions.

Unlike other Android malware, Snowblind abuses “seccomp” (short for Secure Computing), a Linux kernel feature that Android uses to verify the integrity of applications and protect users from malicious actions such as application repackaging.

Abusing the Seccomp security feature

Mobile app security company Promon was able to analyze how Snowblind achieves its goal undetected after receiving a sample from i-Sprint, a partner providing access and identity system protections to businesses.

“This malware attacked the application of one of i-Sprint’s customers in Southeast Asia. Our analysis of Snowblind revealed that it uses a new technique to attack Android applications based on the Linux kernel functionality seccomp.” - Promon

Seccomp is a Linux kernel security feature designed to reduce the attack surface of applications by limiting the system calls (syscalls) they can make. It acts as a filter on the system calls an application is allowed to execute, blocking those that have been abused in attacks.

Google first integrated seccomp into Android 8 (Oreo), implementing it in the Zygote process, which is the parent process of all Android apps.

Snowblind targets applications that process sensitive data by injecting a native library that loads before anti-tampering code and installs a seccomp filter to intercept system calls such as the “open()” system call, commonly used in file access.

When the target app’s APK is checked for tampering, Snowblind’s seccomp filter does not allow the call to continue and instead raises a SIGSYS signal, indicating that the process passed a bad argument to the system call.

Snowblind also installs a signal handler for SIGSYS to inspect the signal and manipulate the thread’s registers, the researchers explain in a report shared with BleepingComputer.

This way, the malware can modify the arguments of the “open()” system call to point the anti-tampering code to an unmodified version of the APK.

Due to the targeted nature of the seccomp filter, the performance impact and operational footprint are minimal, so the user is unlikely to notice anything during normal application operations.
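One defensive counterpart to the mechanism described above is for an app’s integrity code to look at how many seccomp filters are attached to its own process and compare that with the number the platform is expected to install. The following is an added example, not code from the article or from Promon; it assumes the app knows the expected platform filter count for the device it runs on, and it relies on the `Seccomp_filters` field of `/proc/self/status`, which only exists on Linux 5.9 and later. Because the check itself reads the file through `open()`, the very call the page says Snowblind intercepts, it is one signal to combine with others, not proof of integrity.

```c
/* Added example: detect an unexpected number of seccomp filters on the
 * current process by parsing /proc/self/status. Not from the article. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct seccomp_state {
    int mode;     /* 0 = off, 1 = strict, 2 = filter; -1 if the field is missing */
    int filters;  /* number of attached filters; -1 if the field is missing (kernel < 5.9) */
};

/* Parse the "Seccomp:" and "Seccomp_filters:" lines from /proc/<pid>/status text. */
struct seccomp_state parse_seccomp_status(const char *status)
{
    struct seccomp_state st = { -1, -1 };
    const char *line = status;
    while (line && *line) {
        /* Test the longer prefix first; "Seccomp:" cannot match a "Seccomp_filters:" line anyway. */
        if (strncmp(line, "Seccomp_filters:", 16) == 0)
            st.filters = atoi(line + 16);
        else if (strncmp(line, "Seccomp:", 8) == 0)
            st.mode = atoi(line + 8);
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return st;
}

/* Read the running process's own status file; returns {-1, -1} if it cannot be read. */
struct seccomp_state read_self_seccomp_state(void)
{
    struct seccomp_state st = { -1, -1 };
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return st;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_seccomp_status(buf);
}

/* Returns 1 when more filters are attached than the platform is expected to install.
 * The expected count is an assumption the app must establish per Android version,
 * since Zygote already installs its own filter on Android 8 and later. */
int extra_seccomp_filter_detected(struct seccomp_state expected, struct seccomp_state now)
{
    return expected.filters >= 0 && now.filters > expected.filters;
}
```

Calling `extra_seccomp_filter_detected(expected, read_self_seccomp_state())` from the app’s own integrity check gives a yes/no signal; a kernel without the `Seccomp_filters` field yields `-1` and the check reports nothing rather than a false positive.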

Snowblind operational overview (Source: Promon)

Attack scenarios

Promon says the technique seen in Snowblind attacks “does not appear to be well known” and researchers believe most applications do not protect against it.

In a video demonstrating how the attack works, researchers show that a Snowblind attack is completely invisible to the user and can leak login information.

Researchers told BleepingComputer that Snowblind can be used to disable various security features in apps, such as two-factor authentication or biometric verification.

An attacker could use this technique “to read sensitive information displayed on the screen, navigate the device or control applications, bypass security measures by automating interactions that would typically require user intervention, as well as exfiltrate sensitive personal information and transaction data.”

Promon says Snowblind was observed targeting an i-Sprint customer’s application in Southeast Asia. However, it is unclear how many apps have been targeted so far. Additionally, this method could be adopted by other adversaries to bypass Android’s protections.

BleepingComputer has contacted Google for comment on the active abuse of seccomp to bypass Android protections, and a spokesperson responded with the following statement:

According to our current detection, no apps containing this malware are found on Google Play.
Android users are automatically protected against known versions of this malware by Google Play Protect, which is enabled by default on Android devices with Google Play Services.

The company spokesperson added that “Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”

News Source :
Gn tech