Security specialists have recently discovered a new form of malware known as “Snowblind.” This malware exploits Android’s ‘seccomp’ security feature to bypass anti-tampering measures in apps. This crafty malware gathers login data and takes control of the device undetected.
“Snowblind” infiltrates a device through third-party app stores, disguising itself as a harmless part of the downloaded application. The malware’s most troublesome capability is its ability to mimic ordinary app processes, which makes it difficult for antivirus software to detect.
What sets “Snowblind” apart is its use of ‘seccomp.’ Seccomp is a Linux kernel security feature that Android employs for integrity assessment. It is meant to prevent malicious activity, but Snowblind perverts its purpose, using it to evade detection while compromising device security.
Snowblind’s activities first came to light during an investigation by Promon, a mobile app security company, which examined a sample provided by i-Sprint, an enterprise providing security for access and identity systems. The malware targeted one of i-Sprint’s Southeast Asia clients, specifically an app containing sensitive information.
This case highlights the need for digital businesses to continually update and enhance their security measures to counter advanced cyber threats. Traditional security measures proved ineffective against Snowblind, which transformed genuine apps into harmful ones through “repackaging,” allowing it to infiltrate the system undetected.
Snowblind malware subverts Android security unseen
Seccomp, as a security feature, limits an application’s exposure to attacks by filtering system calls. Implemented in Android 8 (Oreo), it offers proactive protection, terminating an application when it makes a system call that is not on the app’s permitted list. With every update, Android continues to refine and strengthen seccomp’s protections.
Snowblind operates by selecting applications that handle sensitive data and injecting a library that installs a seccomp filter to intercept system calls. This interception allows it to manipulate data undetected, bypassing the mechanisms designed to protect sensitive information.
The malware modifies system call arguments so that the app’s anti-tampering code is pointed at an unaltered copy of the app package (APK). This subtle operation makes abnormalities hard to notice during normal app functions. Its stealthy, sophisticated approach underscores the importance of continuous updates and robust security measures.
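Because the technique described above depends on a seccomp filter being installed inside the app’s own process, one defensive check an app or an analyst can run is to read the Seccomp fields of /proc/<pid>/status and compare them with a known baseline. The following is an added example (not code from Promon, i-Sprint or the article) that parses those fields from constructed sample text; it assumes the app records its own baseline filter count at early startup, since Android app processes already run under the platform filter the article attributes to Android 8, so the useful signal is an increase over that baseline rather than the mere presence of a filter.

```python
import re

# Seccomp modes as the Linux kernel reports them in /proc/<pid>/status.
SECCOMP_DISABLED = 0   # no seccomp at all
SECCOMP_STRICT = 1     # legacy strict mode (only read/write/exit/sigreturn)
SECCOMP_FILTER = 2     # BPF filter mode, the mode an injected syscall filter uses

# Constructed sample excerpts of /proc/<pid>/status (not captured from a real device).
# "Seccomp_filters" is only reported by kernels that expose the filter count
# (Linux 5.9 and later); older kernels print only the "Seccomp" line.
SAMPLE_STATUS_FILTERED = (
    "Name:\tcom.example.app\n"      # hypothetical package name
    "State:\tS (sleeping)\n"
    "Seccomp:\t2\n"
    "Seccomp_filters:\t2\n"         # platform filter plus one extra filter
)
SAMPLE_STATUS_BASELINE = (
    "Name:\tcom.example.app\n"
    "State:\tS (sleeping)\n"
    "Seccomp:\t2\n"
    "Seccomp_filters:\t1\n"         # only the platform-installed filter
)
SAMPLE_STATUS_OLD_KERNEL = "Name:\tcom.example.app\nSeccomp:\t2\n"


def parse_seccomp_status(status_text: str) -> dict:
    """Return {'mode': int|None, 'filters': int|None} from status-file text."""
    result = {"mode": None, "filters": None}
    for line in status_text.splitlines():
        match = re.match(r"^(Seccomp|Seccomp_filters):\s*(\d+)\s*$", line)
        if not match:
            continue
        key = "mode" if match.group(1) == "Seccomp" else "filters"
        result[key] = int(match.group(2))
    return result


def has_extra_filter(status_text: str, baseline_filters: int) -> bool:
    """True when more seccomp filters are stacked than the app saw at startup.

    baseline_filters is the count the app itself recorded early in its life
    (assumption: on Android 8+ this is normally at least 1, from the platform).
    If the kernel does not report a count, filter mode alone cannot be attributed,
    so the check conservatively reports True and leaves the decision to the caller.
    """
    info = parse_seccomp_status(status_text)
    if info["mode"] != SECCOMP_FILTER:
        return False
    if info["filters"] is None:
        return True
    return info["filters"] > baseline_filters


def read_seccomp_status(pid="self"):
    """Read and parse the live status file; None where /proc is unavailable."""
    try:
        with open(f"/proc/{pid}/status", encoding="utf-8") as handle:
            return parse_seccomp_status(handle.read())
    except OSError:
        return None


if __name__ == "__main__":
    print("constructed sample:", parse_seccomp_status(SAMPLE_STATUS_FILTERED),
          "extra filter:", has_extra_filter(SAMPLE_STATUS_FILTERED, 1))
    print("this process:", read_seccomp_status())
```

The check is only a signal, not proof of tampering: a legitimate library may also install a filter, and a process that is already filtered can still have its view of /proc altered. It is cheap enough to run alongside the usual APK-signature and integrity checks, and a jump in the count after startup is worth logging and reporting.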
Preventive steps cannot eliminate the risk completely. Businesses and individuals must remain alert to such threats, consistently monitor their systems, and implement the necessary preventative measures. Snowblind’s complex encoding and layered defenses have raised red flags across the global cybersecurity community.