In The Wild: Never a Dull Moment with Mobile Malware

Mobile malware learns fast. Every time new security measures come along, malware somehow manages to find a way to overcome them. This week we bring you such a story, with further details about Viking Horde, a botnet found by Check Point on Google Play. The malware is capable of bypassing even Android’s latest OS security mechanisms.

Meet the Vikings: Part III

The Check Point research team uncovered a new Android malware campaign on Google Play it calls Viking Horde. Viking Horde conducts ad fraud, but can also be a launchpad for attacks like DDoS, spam messages, and more. Viking Horde managed to bypass Google Play malware scans masquerading as five different apps so far.

The research team has uncovered another interesting feature introduced by Viking Horde. The malware developers found a way to bypass Android security in Marshmallow. In Marshmallow, Android permissions can be granted or revoked after the app is installed, making it hard for malware to be aware of the specific privileges it has at a given moment.

The Viking Horde developers have included logic to handle this difficulty, by querying the system about their self-permissions and having a predefined flow for any possible outcome, popping up a permission request in case it does not have them. Viking Horde performs this query for many permissions, including WRITE_EXTERNAL_STORAGE which it uses to drop the malicious payload.

Figure 1

Figure 1: Viking Horde checks self-permissions before dropping payload

FIgure 2

Figure 2: Viking Horde payload dropping control flow for rooted/non-rooted devices

Innovations of Banker Malware

A relatively new strain of malware called the Fanta SDK recently adopted a new method of operation. The malware originates in third-party app stores or malicious URLs and presents itself as the official Russian “Sberbank” app update. Once installed on a device, it requests admin privileges and displays a fake login page to steal the user’s credentials. After it achieves this goal, it continues to take money from the user’s account silently.

The interesting part about this banker is its focus on persistency. If the user revokes the malware’s device admin privileges, it immediately changes the device’s password and locks the device. Ironically, this is achieved by using an Android API that allows developers to show a text message before their permissions are revoked to warn the users of the consequences, in the malware’s case, it uses this method to run its malicious code.

The malware will then continue to steal the user’s money, while he has no access to the device to stop it. This is very similar to the techniques used by mobile ransomware. It is intriguing to see that the attackers prefer to stick to mobile banking malware instead of transforming their malware into ransomware, a transition we have witnessed in the PC world. Clearly, mobile bankers are still more profitable than mobile ransomware.

Poor Security Could Lead to Bankruptcy

Recently, a severe vulnerability was found in an Indian bank app. A security researcher analyzed the iOS version of the application and discovered to his surprise that it lacked basic security necessities. The app did not even use SSL pinning, which exposes the app to Man-in-The-Middle attacks even if the information is transferred over the secure HTTPS protocol. The combination of this flaw, together with two other loopholes in the app’s architecture, allowed the researcher to move all of the bank’s funds, estimated at $25 Billion, at his will.

This is only a reminder for how bad poorly developed apps can be. Apparently, Apple’s thorough review process did not detect these flaws. While in this case the bank’s funds were at risk, your private and business information could be in danger due to leaky apps. According to research conducted by Check Point of more than 1.5M different apps, nearly 43% of iOS and 46% of Android apps leak data. Leaking data can end up in the wrong hands, even if that wasn’t the app developers’ intention.

This week’s takeaways

Malware writers implement techniques used both by legitimate apps and by other malware, as seen in the Fanta SDK case. This is part of the evolution of malware, which adapts to bypass security measures and target users in the most efficient way. The often changes in the techniques used by malware require advanced solutions which are capable not only of tackling known malware but detect and block completely unknown malware.

Learn more:
Check Point Mobile Threat Prevention

See it in action:
Schedule a demo of Mobile Threat Prevention

Oren Koriat is a Mobile Information Security Analyst in the Check Point Mobile Threat Prevention Research Group. He is a technology enthusiast and a polyglot, whose expertise is in the field of Asian mobile software markets. Koriat holds a degree in linguistics from Bar Ilan University.