INTELLIGENT BRANDS // Mobile Technology
versions of apps – games, mostly – that have gained sudden popularity, which are either scheduled for release or are not available in official stores for certain countries
Tapjacking and overlay windows
Tapjacking is a technique that captures a user's screen taps by drawing one app on top of another. Victims believe they are tapping on the app they can see, but the taps actually reach the underlying app, which remains hidden from view. A similar strategy, widely used by Android spyware to steal credentials, is the overlay window. Here the malware continually tracks which app is in the foreground and, when it matches one of its target apps, draws its own dialogue box on top that looks just like the legitimate app and asks the user for credentials. Both tricks depend on the permission to draw over other apps (SYSTEM_ALERT_WINDOW), which is why that permission deserves scrutiny in any app that requests it; an app can also protect its own sensitive views by setting filterTouchesWhenObscured, so that touches delivered while another window covers the view are discarded.
Camouflaged among system apps
By far the easiest way for malicious code to hide on a device is to pass itself off as a system app and attract as little attention as possible. Tricks such as removing the launcher icon once installation has finished, or reusing the names, package identifiers and icons of system apps and other popular apps, are increasingly common, as with the banking Trojan that passed itself off as Adobe Flash Player to steal credentials.
Simulating system and security apps to request administrator permissions
Since Android is designed to limit what an app can do, a lot of malicious code asks to be made a device administrator in order to function fully. Once that has been granted, the malware is harder to remove: an app with an active device administrator cannot be uninstalled until the user first deactivates it in the security settings, and some malware actively resists that step. Disguising itself as a security tool or a system update gives the criminal an advantage here, because it borrows the trust of a reputable developer, and users do not hesitate to grant administrative access to something that looks official.
Security certificates that simulate true data
The certificate used to sign an APK (Android Package Kit) can also be used to determine whether an app has been altered or repackaged. While most cybercriminals fill the certificate with generic text strings, many go to the trouble of copying the details used by the legitimate developer, going one step further in their efforts to confuse users who carry out these checks. The caveat for anyone doing such a check is that Android signing certificates are self-signed, so the subject fields (name, organisation, country) are chosen by whoever generated the key and prove nothing on their own. What cannot be reproduced without the developer's private key is the certificate fingerprint, which a tool such as apksigner verify --print-certs will display and which should be compared with the value published, or previously recorded, for the genuine app.
TECHNIQUES FOR COMPLICATING ANALYSIS
Multiple functionalities in the same code
A trend that has gained ground in the mobile world in recent years is to combine what used to be distinct types of malware into a single executable. LokiBot is one example: it is a banking Trojan that tries to stay unnoticed for as long as possible while stealing information from the device, but if the user tries to revoke its administrator rights in order to uninstall it, it activates its ransomware feature and encrypts the device's files.
Hidden apps
The use of droppers and downloaders, that is, embedding the malicious payload inside another APK or fetching it from the Internet after installation, is not limited to malware for desktops and laptops; it is universally used by writers of malicious mobile code too.
As the store-side scanner known at the time as Google Bouncer (now Google Play Protect) made it harder for cybercriminals to upload malware to the official store, attackers adopted this behaviour to get past its checks: the submitted app looks clean, and only unpacks or downloads the real payload once it is on the device. It worked, for a while at least.
Since then, droppers and downloaders have become two of the most widely used malicious techniques.
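A dropper's payload is usually stored under an innocent name (a font, a level file, a config blob), so looking for it by file name finds nothing. The following is an added example, not code from the article or from ESET: a small triage script that opens an APK as the zip it is and classifies every entry by its magic bytes, reporting DEX, ELF and nested archives found anywhere other than their expected places (classes*.dex at the root, lib/*/*.so), and recursing into nested archives. The sample APK it scans is constructed inline; the expected-location rules are this example's own simplification of a normal APK layout.

```python
"""Added example: find hidden DEX / ELF / APK payloads inside a carrier APK by content."""
import io
import zipfile
from typing import List, Optional, Tuple

DEX_MAGIC = b"dex\n"       # "dex\n035\0", "dex\n038\0", ...
ELF_MAGIC = b"\x7fELF"     # native libraries
ZIP_MAGIC = b"PK\x03\x04"  # an APK is a zip, so a nested APK starts like this

Finding = Tuple[str, str, int]  # (path inside the carrier, kind, size in bytes)


def _looks_like_apk(blob: bytes) -> bool:
    """A nested zip that carries a manifest or DEX is almost certainly an APK."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names or "classes.dex" in names


def classify(data: bytes) -> Optional[str]:
    """Identify executable content by magic bytes; None means nothing of interest."""
    if data.startswith(DEX_MAGIC):
        return "dex"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(ZIP_MAGIC):
        return "apk" if _looks_like_apk(data) else "zip"
    return None


def _expected_location(name: str, kind: str) -> bool:
    """Where executable content legitimately lives in an ordinary APK (simplified)."""
    if kind == "dex":   # classes.dex, classes2.dex, ... at the archive root
        return "/" not in name and name.startswith("classes") and name.endswith(".dex")
    if kind == "elf":   # lib/<abi>/*.so
        return name.startswith("lib/") and name.endswith(".so")
    return False        # a nested archive is never expected


def scan_apk(blob: bytes, prefix: str = "", depth: int = 0, max_depth: int = 3) -> List[Finding]:
    """Report executable content outside its expected place, recursing into nested archives."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            kind = classify(data)
            if kind is None or _expected_location(info.filename, kind):
                continue
            path = prefix + info.filename
            findings.append((path, kind, len(data)))
            if kind in ("apk", "zip") and depth < max_depth:
                findings.extend(scan_apk(data, path + "!/", depth + 1, max_depth))
    return findings


def _fake_dex() -> bytes:
    # Constructed stand-in for a DEX file: only the magic matters to this scan.
    return b"dex\n035\x00" + b"\x00" * 0x68


def build_sample_apk() -> bytes:
    """Constructed test input: a 'game' whose assets hide a second APK and a renamed DEX."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # binary XML header bytes only
        z.writestr("classes.dex", _fake_dex())
    carrier = io.BytesIO()
    with zipfile.ZipFile(carrier, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        z.writestr("classes.dex", _fake_dex())                             # expected
        z.writestr("lib/arm64-v8a/libgame.so", b"\x7fELF" + b"\x00" * 60)  # expected
        z.writestr("assets/config.json", b'{"level": 1}')                  # harmless
        z.writestr("assets/level_data.bin", payload.getvalue())            # hidden APK
        z.writestr("assets/fonts/roboto.ttf", _fake_dex())                 # DEX under a font name
    return carrier.getvalue()


if __name__ == "__main__":
    for path, kind, size in scan_apk(build_sample_apk()):
        print(f"{kind:4s} {size:6d} bytes  {path}")
```

Run against the constructed carrier it reports assets/level_data.bin as a nested APK and assets/fonts/roboto.ttf as a DEX, while the root classes.dex and the native library pass unremarked. On a real sample, payloads that are additionally encrypted or XOR-obfuscated will not match any magic and need entropy checks or the decryption routine from the loader; this scan only catches payloads stored as-is.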
Multiple programming languages and volatile code
New multiplatform development frameworks and new programming languages are emerging all the time. What better way to mislead a malware analyst than to combine languages and development environments, for example designing the app with Xamarin or using Lua code to execute malicious commands? This strategy changes the final architecture of the executable and adds levels of complexity: the logic the analyst is looking for may sit in a .NET assembly or a Lua script rather than in the DEX bytecode that standard Android tools decompile.
Denise Giusto Bilić, Security Researcher at ESET
Some attackers add to this combination by loading scripts dynamically, or by fetching portions of code from remote servers and deleting them after use. Once the cybercriminal takes the server down, it is no longer possible to know exactly what actions that code performed on the device; the analyst is left with only the loader.
Samples with these characteristics began to appear towards the end of 2014, when researchers published an analysis of a particularly complex piece of malware of this kind.
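Even when the downloaded code is gone, the loader that fetched it is still in the APK, and its class references and staging URLs sit in the DEX string table. The following is an added example, not code from the article or from ESET: a parser that reads the string table directly from the DEX header (string_ids_size and string_ids_off at 0x38 and 0x3C, each entry pointing at a uleb128-prefixed, NUL-terminated string) and flags strings that indicate dynamic code loading, network fetching or an embedded interpreter. The indicator list is this example's own selection; the LuaJ descriptor assumes the library's org.luaj.vm2 package; the DEX it scans is a synthetic one built inline with only the header and string table populated, and the URL in it is a constructed TEST-NET address.

```python
"""Added example: list dynamic-loading indicators from a DEX string table."""
import struct
from typing import Dict, List, Tuple

# Type descriptors whose presence is worth a second look (this example's own selection).
INDICATORS: Dict[str, str] = {
    "Ldalvik/system/DexClassLoader;": "loads DEX/JAR from a file path at runtime",
    "Ldalvik/system/PathClassLoader;": "loads code from a path at runtime",
    "Ldalvik/system/InMemoryDexClassLoader;": "loads DEX from memory, nothing written to disk",
    "Ljava/net/HttpURLConnection;": "network fetch (possible staging download)",
    "Lorg/luaj/vm2/Globals;": "embedded Lua interpreter (LuaJ, assumed package name)",
    "Landroid/app/admin/DevicePolicyManager;": "device administrator API",
}


def _read_uleb128(buf: bytes, off: int) -> Tuple[int, int]:
    """Decode a DEX uleb128 at off; return (value, offset just after it)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def dex_strings(dex: bytes) -> List[str]:
    """Walk string_ids -> string_data_item and return every string in the table."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size, string_ids_off
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, start = _read_uleb128(dex, data_off)  # length prefix is in UTF-16 units
        end = dex.index(b"\x00", start)                   # MUTF-8 data is NUL-terminated
        out.append(dex[start:end].decode("utf-8", errors="replace"))
    return out


def triage(dex: bytes) -> List[Tuple[str, str]]:
    """Return (string, reason) for every indicator string found in the DEX."""
    hits = []
    for s in dex_strings(dex):
        if s in INDICATORS:
            hits.append((s, INDICATORS[s]))
        elif s.startswith(("http://", "https://")):
            hits.append((s, "hard-coded URL (possible stage-2 server)"))
    return hits


def _uleb128(n: int) -> bytes:
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def build_synthetic_dex(strings: List[str]) -> bytes:
    """Constructed test input: a DEX with a valid header and string table and nothing else."""
    header_size = 0x70
    ids_off = header_size
    data_off = ids_off + 4 * len(strings)
    data = bytearray()
    offsets = []
    for s in strings:
        offsets.append(data_off + len(data))
        data += _uleb128(len(s)) + s.encode("utf-8") + b"\x00"  # ASCII: UTF-16 length == len(s)
    blob = bytearray(header_size)
    blob[0:8] = b"dex\n035\x00"
    blob += b"".join(struct.pack("<I", o) for o in offsets)
    blob += data
    struct.pack_into("<I", blob, 0x20, len(blob))       # file_size
    struct.pack_into("<I", blob, 0x24, header_size)     # header_size
    struct.pack_into("<I", blob, 0x28, 0x12345678)      # endian_tag
    struct.pack_into("<II", blob, 0x38, len(strings), ids_off)
    return bytes(blob)


SAMPLE_STRINGS = [  # constructed
    "Lcom/example/puzzlegame/MainActivity;",
    "Ljava/lang/Object;",
    "Ldalvik/system/DexClassLoader;",
    "http://203.0.113.7/stage2.bin",
    "loadClass",
    "Ljava/net/HttpURLConnection;",
]

if __name__ == "__main__":
    for s, why in triage(build_synthetic_dex(SAMPLE_STRINGS)):
        print(f"{s:45s} {why}")
```

On the synthetic sample the three hits are the DexClassLoader descriptor, the stage-2 URL and HttpURLConnection; a benign game rarely needs the first. Against a real APK, run dex_strings over every classes*.dex entry; note that the strings are MUTF-8, so the plain UTF-8 decode above is exact for ASCII and approximate for supplementary characters, and that string encryption in the loader defeats this static pass entirely, which is itself a useful signal.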
Synergistic malware
Another way to complicate the analysis of a sample is to split the malicious functionality across a set of apps that interact with each other. Each app then requests only a subset of the permissions and carries only part of the malicious functionality, so each looks relatively harmless on its own, and the apps cooperate to achieve the overall goal.
Moreover, for analysts to understand the true purpose of the malware they must have access to all the individual apps, as if they were pieces of a puzzle.
And while this is not a commonly used strategy, there have already been samples that exhibit this type of behaviour.
84 INTELLIGENTCIO www.intelligentcio.com