Malware Finds New Ways To Compromise Android Security
By Paul Liu
Monday, February 27th, 2017
Researchers at security firm Symantec recently discovered that the notorious Android malware families Android.Bankosy and Android.Cepsohord have found new ways to defeat the operating system’s built-in security features. These two threats are well known in the Android community because criminals often use them to steal passwords or to compromise the security and performance of smartphones and tablets. They were also in the news recently when security researchers found that the malware had discovered a way to breach the permission security model used by Android Marshmallow.
Android malware writers are always looking for ways to get a list of the tasks currently running in the foreground. The list not only gives them a view of the apps installed on the device, it also lets them create phishing overlay “injections” that are used to launch malicious campaigns. Earlier, hackers relied exclusively on the getRunningTasks() API call to obtain the list of active tasks, but Google deprecated that call in Android 5 and 6 (Lollipop and Marshmallow) after recognising the security pitfalls associated with it.
According to the details published by Symantec, recent versions of Android.Bankosy and Android.Cepsohord use techniques published in a few open-source GitHub projects to get the list of running tasks. The research team came across two ways in which the malware bypasses the operating system’s security features and extracts the list of running tasks.
1) Reading the /proc filesystem
The first technique reads the /proc filesystem to get the list of current tasks. It was published by Jared Rummler on GitHub as part of the AndroidProcesses project. While Jared’s app is not dangerous in any way, hackers have managed to use its approach for malicious activities. The worst part is that the technique does not require any special permission. The good news is that it no longer works in version 7 of Android (also known as Android Nougat).
2) Using the UsageStatsManager API
The second trick combines Jared’s technique with a method posted by GeeksOnSecurity to extract the list of current tasks. That method uses Android’s UsageStatsManager API to get a list of active processes: it queries the usage statistics of all apps that were active in the last couple of seconds. Although UsageStatsManager requires special privileges, the attackers got around this by disguising their app as the Google Chrome browser. The method only works on devices from certain manufacturers, however.
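Because the privilege behind UsageStatsManager (usage access) is granted per app in Settings, a practical defensive check is to audit which installed packages currently hold it and flag any user-installed app that calls itself Chrome without Chrome’s real package name. The Android (Java) class below is an added example written for this article, not code from Symantec or from the projects mentioned; the `UsageAccessAudit` name, the `Holder` type and the impersonation heuristic are my own assumptions.

```java
import android.Manifest;
import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (hypothetical helper, not from the article or Symantec): lists installed
 * packages that currently hold "usage access", the privilege UsageStatsManager needs.
 * Assumes the caller may enumerate installed apps (Android 11+ needs QUERY_ALL_PACKAGES
 * or a <queries> element in the manifest for that).
 */
public final class UsageAccessAudit {
    /** Real Chrome ships under this package name; a "Chrome" label elsewhere is suspect. */
    private static final String REAL_CHROME_PACKAGE = "com.android.chrome";

    public static final class Holder {
        public final String packageName, label;
        public final boolean systemApp, chromeImpersonation;

        Holder(String packageName, String label, boolean systemApp, boolean chromeImpersonation) {
            this.packageName = packageName; this.label = label;
            this.systemApp = systemApp; this.chromeImpersonation = chromeImpersonation;
        }
    }

    /** Returns every installed package whose usage-access app-op resolves to "allowed". */
    public static List<Holder> findUsageAccessHolders(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        AppOpsManager appOps = (AppOpsManager) ctx.getSystemService(Context.APP_OPS_SERVICE);
        List<Holder> holders = new ArrayList<>();
        for (ApplicationInfo ai : pm.getInstalledApplications(0)) {
            int mode = appOps.checkOpNoThrow(AppOpsManager.OPSTR_GET_USAGE_STATS, ai.uid, ai.packageName);
            boolean allowed = (mode == AppOpsManager.MODE_DEFAULT)
                    // MODE_DEFAULT defers to the manifest permission, normally held only by preinstalled apps
                    ? pm.checkPermission(Manifest.permission.PACKAGE_USAGE_STATS, ai.packageName)
                            == PackageManager.PERMISSION_GRANTED
                    : mode == AppOpsManager.MODE_ALLOWED;
            if (!allowed) continue;
            String label = String.valueOf(pm.getApplicationLabel(ai)).trim();
            boolean systemApp = (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            // Heuristic (my assumption): a user-installed app calling itself Chrome under another package
            boolean impersonation = !systemApp && label.equalsIgnoreCase("Chrome")
                    && !REAL_CHROME_PACKAGE.equals(ai.packageName);
            holders.add(new Holder(ai.packageName, label, systemApp, impersonation));
        }
        return holders;
    }
}
```

Any entry with `chromeImpersonation` set, or any unfamiliar non-system package in the list, is worth revoking in Settings under usage access and uninstalling.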
The recent discovery by Symantec clearly shows that malware writers are continuously finding new ways to break Android’s security features. Symantec recommends keeping the operating system up to date, downloading apps only from trusted sources, paying close attention to the permissions requested by apps, and installing a reliable security solution to keep smartphones and tablets safe from such threats. Users are also advised to back up their important data so that their work and life are not compromised even if their Android device is infected with this malware.