How Malware Exploits Your Mobile Devices

Sentinel Protocol Team
Published in Sentinel Protocol · 3 min read · Nov 14, 2019

By: Donovan Tan, Cybersecurity Researcher

According to research by Check Point, the number of cyberattacks targeting mobile devices increased by 50% in the first half of 2019 compared with the previous year, with a notable rise in Android-related malware attacks.[1] So far in this four-part series, we have discussed the different types of mobile malware (Part 1) and the delivery and installation phases of their lifecycle (Part 2). Today, we will talk about the final phase: Malware Exploitation.

So, what exactly can mobile malware do to your devices? We will look at two common forms of exploitation:

  • Stealing personal information
  • Overlay attacks

Personally Identifiable Information (PII) & Data Exfiltration

PII and data exfiltration are the main capabilities of spyware, but they are also commonly used by other types of malware. PII, as the name suggests, is any information that identifies an individual. It includes both sensitive information, such as credit card details, medical histories and national identity numbers (NRIC, Social Security, etc.), and non-sensitive information, such as gender or date of birth.

A common method of obtaining PII from victims on Android is abuse of the platform’s Accessibility Services API. This API was intended to help developers build disability-friendly applications by providing accessibility services that run in the background. Among its features is the ability to read text from other applications’ screens, which allows attackers to carry out malicious activities such as intercepting WhatsApp messages.

Another method of obtaining PII is recording the user’s screen with Android’s MediaProjection API. Because the on-screen keyboard gives visual feedback as the user types, bad actors can easily recover a victim’s PIN or password by watching a recording of it being entered.
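Because an accessibility service can only read other apps’ screens once the user has enabled it, the list of enabled services is a useful thing for a defender to audit. The following is an added example (not code from the original post or from Sentinel Protocol) that parses the value Android returns for `adb shell settings get secure enabled_accessibility_services` and reports every enabled service that is not on an allowlist. The sample value and the `com.example.flashlight` package are constructed; the allowlist is a hypothetical one for a managed fleet.

```python
import re
from typing import List, Set, Tuple

# Constructed sample of what
#   adb shell settings get secure enabled_accessibility_services
# returns: flattened ComponentName strings ('package/class') separated by ':'.
# TalkBack is the stock Android screen reader; the second package is hypothetical.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashlight/.ScreenReaderService"
)

# Hypothetical allowlist: the accessibility services an organisation expects on its devices.
EXPECTED_SERVICES: Set[str] = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# 'package/class'; the class part may be written relative to the package (leading '.').
COMPONENT = re.compile(r"^([A-Za-z][\w.]*)/(\.?[\w.]+)$")


def parse_enabled_services(setting: str) -> List[Tuple[str, str]]:
    """Turn the raw setting value into (package, fully qualified service class) pairs.

    `settings get` prints 'null' when nothing is enabled. A class name that starts
    with '.' is relative to its package and is expanded here so that entries can be
    compared against the allowlist in one canonical form.
    """
    services: List[Tuple[str, str]] = []
    for raw in setting.strip().split(":"):
        if not raw or raw == "null":
            continue
        match = COMPONENT.match(raw)
        if match is None:
            raise ValueError(f"unrecognised component string: {raw!r}")
        pkg, cls = match.groups()
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def unexpected_services(setting: str, expected: Set[str]) -> List[Tuple[str, str]]:
    """Return every enabled accessibility service that is not on the allowlist."""
    return [
        (pkg, cls)
        for pkg, cls in parse_enabled_services(setting)
        if f"{pkg}/{cls}" not in expected
    ]


if __name__ == "__main__":
    for pkg, cls in unexpected_services(SAMPLE_SETTING, EXPECTED_SERVICES):
        print(f"REVIEW: {pkg} has accessibility service {cls} enabled")
```

On a real device you would feed the output of the `adb shell settings get` command into `unexpected_services`; anything it reports is a package that can read text from every other app on the screen and should be justified or removed.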

Overlay Attacks

Overlay attacks are a common exploit in which threat actors draw screen overlays on top of legitimate applications to trick the user into carrying out certain actions, such as clicking buttons or entering credentials. Screen overlaying can be likened to a ‘draw-on-top’ feature that allows certain applications to ‘draw’ over other applications. A widely used legitimate example of a screen overlay is Facebook Messenger’s chat heads.

Source: https://www.cnet.com/how-to/use-android-get-chat-heads-by-installing-facebook-messenger/

Overlay attacks are commonly used by banking trojans such as Anubis and BianLian, trojans that attempt to gain access to victims’ bank accounts. In such cases, the threat actor generates and displays a bogus credential-harvesting page on top of the legitimate application.

Source: https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/

The GIF above shows a banking trojan overlay attack at work. When the victim opens the legitimate PayPal application and taps ‘Log in’, what appears to be the PayPal login page is displayed. On closer inspection, however, that login page is a phishing page drawn as a screen overlay, intended to capture the user’s credentials.

In every campaign using overlay attacks, the threat actors first determine their target organizations and applications. They then create a phishing page for each target individually so that the overlay looks believable. How, then, does the malware know which phishing overlay to show? As explained here (https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/), the malware constantly retrieves the list of running processes and application packages and compares newly started processes against the names of its target apps. Once a match is found, the malware instantly creates an overlay with the corresponding phishing page, which it retrieves from its C2 server.
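The mechanism just described needs a specific combination of capabilities: the app must be able to draw over other apps, learn which app has just come to the foreground, and fetch its overlay pages from a server. On Android each of those maps to a declared permission, which makes a cheap static triage possible before an app is ever installed. The following is an added example (not code from the original post or from Sentinel Protocol) that parses the output of `aapt dump permissions app.apk` and flags packages that declare both the overlay and foreground-detection permissions. The sample outputs and the `com.example.*` package names are constructed, and the mapping from permissions to capabilities is this example’s own; `SYSTEM_ALERT_WINDOW` is the same permission that legitimate features such as chat heads use, so a flag means “review”, not “malicious”.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `aapt dump permissions app.apk` output for a hypothetical
# package. Real aapt prints one 'uses-permission' line per declared permission.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.freegame
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.PACKAGE_USAGE_STATS'
"""

# A benign-looking counterpart for comparison (also constructed).
SAMPLE_BENIGN_OUTPUT = """\
package: com.example.notes
uses-permission: name='android.permission.INTERNET'
"""

# Each capability an overlay trojan relies on, mapped to the permissions that grant it.
# This mapping is the example's own. Accessibility services are declared on the
# service element rather than as a uses-permission, so they are not scored here.
OVERLAY_CAPABILITIES: Dict[str, Set[str]] = {
    "draw over other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "detect which app is in the foreground": {
        "android.permission.PACKAGE_USAGE_STATS",
        "android.permission.GET_TASKS",  # deprecated, but still declared by older code
    },
    "contact a C2 server": {"android.permission.INTERNET"},
}

# Accepts both "uses-permission: name='x'" (current aapt) and "uses-permission:'x'" (older aapt).
PERMISSION_LINE = re.compile(r"^uses-permission:\s*(?:name=)?'([^']+)'")
PACKAGE_LINE = re.compile(r"^package:\s*(\S+)")


def parse_aapt_permissions(output: str) -> Tuple[Optional[str], Set[str]]:
    """Extract the package name and the set of declared permissions from aapt output."""
    package: Optional[str] = None
    perms: Set[str] = set()
    for line in output.splitlines():
        line = line.strip()
        pkg_match = PACKAGE_LINE.match(line)
        if pkg_match:
            package = pkg_match.group(1)
            continue
        perm_match = PERMISSION_LINE.match(line)
        if perm_match:
            perms.add(perm_match.group(1))
    return package, perms


def overlay_capabilities(perms: Set[str]) -> List[str]:
    """List the overlay-relevant capabilities the declared permissions grant."""
    return [cap for cap, granted_by in OVERLAY_CAPABILITIES.items() if perms & granted_by]


def triage(output: str) -> Dict[str, object]:
    """Flag an app that can both draw over other apps and see which app is in front."""
    package, perms = parse_aapt_permissions(output)
    caps = overlay_capabilities(perms)
    flagged = (
        "draw over other apps" in caps
        and "detect which app is in the foreground" in caps
    )
    return {"package": package, "capabilities": caps, "flagged": flagged}


if __name__ == "__main__":
    for sample in (SAMPLE_AAPT_OUTPUT, SAMPLE_BENIGN_OUTPUT):
        result = triage(sample)
        status = "REVIEW" if result["flagged"] else "ok"
        print(f"{status}: {result['package']} -> {', '.join(result['capabilities']) or 'none'}")
```

In practice you would run this over every APK in an app-vetting queue and send the flagged ones to a human or a sandbox; combined with the device-side accessibility audit it covers the three ingredients (overlay, foreground detection, screen reading) that the Anubis write-up linked above describes.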

Operating on blockchain technology, Sentinel Protocol harnesses collective cyber security intelligence to protect crypto assets against hackers, scams and fraud