New Android Spyware Employs Tactics to Deceive Malware Analyst


In the dynamic realm of mobile application security, cybercriminals employ ever more sophisticated forms of malware, with code obfuscation standing out as a deceptive technique. 

This method intentionally distorts code elements, rendering them inscrutable to the untrained eye, impeding analysis and complicating the decompilation process.

Symantec’s recent investigation unravels a Spyware cluster employing ingenious techniques to elude static analysis. 

Resource camouflage emerges as a stealthy strategy, where mobile applications strategically place concealed resources within APK files, mirroring the names and permissions of vital resources. 

This confounding tactic challenges analysis tools and complicates the extraction process.

Document

Protect Your Storage With SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.


Adding Layers of Obfuscation

Another method involves employing unsupported compression methods in APK files, disrupting third-party libraries, and intensifying the complexity of analysis. 

This compression trickery adds an extra layer of obfuscation, heightening the challenge for security analysts.

Intriguingly, the Spyware cluster utilizes “no compression” data to evade signature scheme verification, exploiting Android’s flexibility in supporting both compression methods. 

By introducing unsupported compression entry codes, these spywares navigate through the Android security infrastructure, avoiding detection through signature schemes.

Resource obfuscation disrupts reverse engineering tools by introducing invalid attributes and illegal resource IDs in AndroidManifest.xml and resources.arsc files. 

Tools like Apktool, Jadx, and JEB encounter challenges when faced with obfuscated elements, underscoring the cunning employed by this spyware.

Unmasking App Behaviors: A Multifaceted Deception

The Spyware cluster adopts a multifaceted scheme, disguising itself as popular games, apps, and even system-level applications. 

Once installed, these deceptive apps seek accessibility permissions, facilitating the monitoring and reporting of user activities to a designated server.

Automated permission granting
Automated permission granting

The C&C sections of these spywares introduce noise, including junk code and irrelevant strings, into essential methods. 

This obfuscation aims to disrupt static analysis tools, yet careful scrutiny reveals a specific format in the server’s responses, enabling command execution.

Employing anti-killing/uninstalling methods, the spyware safeguards itself by triggering actions like ‘HOME’ or ‘BACK’ when users attempt to terminate or uninstall the app. 

This proactive defense thwarts user intervention. The Spyware cluster underscores the dynamic nature of mobile threats, necessitating robust security measures. 

Users are urged to install security apps, avoid downloading from unfamiliar sources, keep software updated, scrutinize app permissions, and maintain frequent backups as essential safeguards in this ever-evolving landscape.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.



Source link