- Denise Giusto Bilić
Tricks that cybercriminals use to hide in your phone
Malware in the official Google store never stops appearing. For cybercriminals, sneaking their malicious applications into the marketplace of genuine apps is a huge victory.
While analysts figure out new methodologies for analyzing malware and users begin to understand how all this works, cybercriminals are seeking new ways to hide in phones and compromise devices.
The convoluted tricks used to increase the effectiveness of their attacks can be grouped into two distinct categories: First, Social Engineering strategies that seek to confuse users; and second, sophisticated technical mechanisms that try to obstruct malware detection and analysis.
This article summarizes some of the common behaviors of malicious Android code over the last few years and how to identify and stop them
Deceit based on Social Engineering
Use fraudulent accounts in the Play Store to distribute malware
Malware in the official Google store never stops appearing. For cybercriminals, sneaking their malicious applications into the marketplace of genuine apps is a huge victory, as they can reach many more potential victims, thus having an almost rock-solid guarantee of more infections.
What’s more, the fake developer accounts used to spread insecure or malicious apps try to look as similar as possible to real accounts, in order to dupe unsuspecting users who end up getting confused by them. In a recent example of this, researchers discovered a fake app for updating WhatsApp that used a Unicode character trick to give the impression of being distributed through the official account.
Take advantage of commemorative dates and scheduled app release dates
A common practice in the world of cybercrime is to make malware look like versions of apps – games, mostly – that have gained sudden popularity, which are either scheduled for release or are not available in official stores for certain countries. This happened with Pokémon GO, Prisma and Dubsmash, adding hundreds of thousands of infections worldwide.
Tapjacking and overlay windows
Tapjacking is a technique that involves capturing a user’s screen taps by displaying two superimposed apps. So victims believe that they are tapping on the app that they are seeing, but they are actually tapping on the underlying app, which remains hidden from view.
Another similar strategy, which is widely used in spyware for credential theft in Android, is overlay windows. In this scam, the malware continually tracks the app that the user is using, and when it coincides with a certain objective app, it displays its own dialog box that looks just like the legitimate app, requesting credentials from the user.
Camouflaged among system apps
By far, the easiest way for malicious code to hide on a device is to pass itself off as a system app and go as unnoticed as possible. Malpractices such as deleting the app icon once the installation is finished or using names, packages and icons of system apps and other popular apps to compromise a device are strategies that are emerging in code like this banking Trojan that passed itself off as Adobe Flash Player to steal credentials.
Simulating system and security apps to request administrator permissions
Since Android is structured to limit app permissions, a lot of malicious code needs to request administrator permissions to implement its functionality correctly. And granting this permission makes it more difficult to uninstall the malware.
Being camouflaged as security tools or system updates gives cybercriminals certain advantages. In particular, it allows them to shield themselves behind a trusted developer, and consequently users do not hesitate to authorize the app to access administrative functions.
Security certificates that simulate true data
The security certificate used to sign an APK can also be used to determine if an app has been altered. And while most cybercriminals use generic text strings when issuing a certificate, many go to the trouble of feigning data that correspond to the data used by the developer, going one step further in their efforts to confuse users who carry out these checks.
Techniques for complicating analysis
Multiple functionalities in the same code
A trend that has been gaining ground in recent years in the mobile world is to combine what used to be different types of malware into a single executable. LokiBot is one example of this, which is a banking Trojan that tries to go unnoticed for as long as possible in order to steal information from a device; however, if the user tries to remove the administrator’s permissions to uninstall it, it activates its ransomware feature by encrypting the device’s files.
The use of droppers and downloaders, i.e., embedding malicious code inside another APK or downloading it from the internet, is a strategy that is not only limited to malware for laptops and computers, but is also universally used by malicious mobile code writers.
As the then-known Google Bouncer (now rebranded as Google Play Protect) complicated cybercriminals’ ability to upload malware to the official store, the attackers chose to include this type of behavior to try to bypass controls … and it worked! Well, for a while at least!
Since then, these two forms of malware coding have been added to the portfolio of most-used malicious techniques.
The use of advanced mobile security application from trusted source is important in identifying and halting the activities of cybercrimanls in your phones. you can learn more on trusted mobile security application here