Snowblind appears to be one of the most advanced Android banking malware with novel anti-detection techniques. According to Promon, the malware manipulates a Linux kernel safety feature built into Android OS called “seccomp” (secure computing). The feature “controls what an app is allowed to do by limiting the system calls, or requests, an application can make from the operating system.”
Like most other malware, Snowblind relies on exploiting accessibility services to gain system-level access to an infected device and perform malicious activities without the user’s knowledge. However, since Android has security measures in place to detect malicious accessibility services, it modifies apps to prevent detection. It “performs a normal repackaging attack” with a lesser-known technique based on seccomp.
Promon says Snowblind’s technique abuses the seccomp functionality “to intercept and manipulate system calls,” which enables it to bypass security checks and anti-tampering mechanisms. This allows the attackers to stealthily execute malicious activities on the device. They can use other functions of the malware to steal login credentials for a banking app and make unauthorized transactions.
Disabling Security Features
To make their work easier, Snowblind can disable security features such as two-factor authentication (2FA) and biometric verification. It can also exfiltrate sensitive personally identifiable information and transaction data from the app. This data can be exploited later for fraudulent activities, including impersonation. Since Snowblind attacks the app itself, it is effective on all modern Android devices.
A New Threat Landscape
The security firm discovered that the Snowblind Android banking malware is currently designed to specifically target banking Android apps in Southeast Asia. However, the firm found its seccomp-based technique “more interesting than the malware itself,” so much so that threat actors may soon devise more types of exploits and attacks. To make the matter worse, it’s a new technique and most modern apps lack protection against it.
Promon says it has developed protective measures against Snowblind and other potential variants of seccomp-based attacks and malware strains. Version 6.5.2 or newer of its Promon SHIELD platform offers these protections. Developers can employ the solution to keep their apps safe.
For end users, these types of powerful banking malware are a reminder that we shouldn’t install apps from unknown sources. Never download files from shady websites or via forwarded links. Always visit the official website of a developer or an official app store to download apps.