Intelligent CIO Middle East Issue 32 | Page 84

INTELLIGENT BRANDS // Mobile Technology
versions of apps – games , mostly – that have gained sudden popularity , which are either scheduled for release or are not available in official stores for certain countries
Tapjacking and overlay windows
Tapjacking is a technique that involves capturing a user ’ s screen taps by displaying two superimposed apps . Victims believe that they are tapping on the app that they are seeing , but they are actually tapping on the underlying app , which remains hidden from view . Another similar strategy , which is widely used in spyware for credential theft in Android , is overlay windows . In this scam , the malware continually tracks the app that the user is using and , when it coincides with a certain objective app , it displays its own dialogue box that looks just like the legitimate app , requesting credentials from the user .
Camouflaged among system apps
By far , the easiest way for malicious code to hide on a device is to pass itself off as a system app and go as unnoticed as possible . Malpractices such as deleting the app icon once the installation is finished or using names , packages and icons of system apps and other popular apps to compromise a device are strategies that are emerging in code , like the banking Trojan that passed itself off as Adobe Flash Player to steal credentials .
Simulating system and security apps to request administrator permissions
Since Android is structured to limit app permissions , a lot of malicious code needs to request administrator permissions to implement its functionality correctly . And granting this permission makes it more difficult to uninstall the malware . Being camouflaged as security tools or system updates gives cybercriminals certain advantages . In particular , it allows them to shield themselves behind a trusted developer and , consequently , users do not hesitate to authorise the app to access administrative functions .
Security certificates that simulate true data
The security certificate used to sign an APK ( Android Package Kit ) can also be used to determine if an app has been altered . And while most cybercriminals use generic text strings when issuing a certificate , many go to the trouble of feigning data that corresponds to the data used by the developer , going one step further in their efforts to confuse users who carry out these checks .
Multiple functionalities in the same code
A trend that has been gaining ground in recent years in the mobile world is to combine what used to be different types of malware into a single executable . LokiBot is one example of this , which is a banking Trojan that tries to go unnoticed for as long as possible in order to steal information from a device . However , if the user tries to remove the administrator ’ s permissions to uninstall it , it activates its ransomware feature by encrypting the device ’ s files .
Hidden apps
The use of droppers and downloaders , such as embedding malicious code inside another APK or downloading it from the Internet , is a strategy that is not only limited to malware for laptops and computers but is also universally used by malicious mobile code writers .
As the then-known Google Bouncer ( now rebranded as Google Play Protect ) complicated cybercriminals ’ ability to upload malware to the official store , the attackers chose to include this type of behaviour to try to bypass controls ; and it worked . Well , for a while at least .
Since then , these two forms of malware coding have been added to the portfolio of most-used malicious techniques .
Multiple programming languages and volatile code
New multiplatform development frameworks and new programming languages are emerging all the time . What better way to mislead a malware analyst than to combine languages and development environments , such as designing apps with Xamarin or using Lua code to execute malicious
Denise Giusto Bilić Security Researcher at ESET
commands . This strategy changes the final architecture of the executable and adds levels of complexity .
Some attackers add to this combo by using dynamic script loading or portions of code that are downloaded from remote servers and deleted after use . So once the server has been removed by the cybercriminal , it is not possible to know exactly what actions the code performed on the device .
Samples with these characteristics began to appear towards the end of 2014 , when researchers published this particularly complex malware analysis .
Synergistic malware
An alternative for complicating the analysis of a sample is to divide the malicious functionality into a set of apps that are capable of interacting with each other . By doing so , each app has a subset of permissions and malicious functionality and they then interact with each other to fulfil a further purpose .
Moreover , for analysts to understand the true function of the malware they must have access to all the individual apps as if they were pieces of a puzzle .
And while this is not a commonly-used strategy , there have already been samples that exhibit this type of behaviour . •
84 INTELLIGENTCIO www . intelligentcio . com