ESET researchers detect a new trick used by malware to slip into the official Android app store
Lukáš Štefanko, Malware Researcher at ESET
intelligent MOBILE SECURITY
ESET researchers discovered an extremely stealthy – yet surprisingly simple – technique that allowed Android malware to stay under the radar. Analysing the DEFENSOR ID app that was – at the time – available on the official Android app store, ESET researchers learned that the app misused accessibility services but required no other suspicious permission and had no other malicious functionality.
“The accessibility services feature is long known to be the Achilles’ heel of the Android operating system, and security solutions have been tuned to detect various combinations of misuse of this weak spot with other indicators of malicious behavior,” said Lukáš Štefanko, the ESET Malware Researcher who conducted the analysis into DEFENSOR ID.
Faced with malware that displayed no additional functionality nor suspicious permissions on top of accessibility services, all known security mechanisms failed to trigger any alarm. As a result, DEFENSOR ID made it onto the Google Play store, stayed there for a few months and was never detected by any security vendor participating in the VirusTotal programme.
“This has been a valuable lesson for us. Based on what we’ve learned about DEFENSOR ID, we’ve fine-tuned our detection technologies to also cover malware with such a uniquely low detection cross-section,” said Štefanko.
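The detection gap the article describes can be made concrete with a small triage script. The following is an added example, not ESET's code and not part of the original article: it reads a decoded AndroidManifest.xml (an APK's manifest is binary XML, so it is assumed to have been decoded first, for instance with apktool) and reports whether the app declares an accessibility service and which other sensitive permissions it requests. A rule that only fires on "accessibility service plus other indicators" labels the first sample and misses the second; the script surfaces the accessibility-only case as its own verdict so a reviewer still sees it. The three manifests and the set of "sensitive" permissions are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for accessibility-service misuse.

Added example (not from the article): flags apps that declare an
AccessibilityService so that the "low cross-section" case, an
accessibility service and nothing else, is reported rather than lost.
All sample manifests below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A11Y_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Assumed set of "other indicators": permissions that, combined with an
# accessibility service, a classic banking-trojan rule would key on.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.RECORD_AUDIO",
}


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def declares_accessibility_service(root):
    """True if a <service> is bound with the accessibility permission and
    filters the AccessibilityService action; Android requires both before
    the service can be enabled under Settings > Accessibility."""
    for service in root.iter("service"):
        if _attr(service, "permission") != A11Y_BIND_PERMISSION:
            continue
        for action in service.iter("action"):
            if _attr(action, "name") == A11Y_ACTION:
                return True
    return False


def requested_permissions(root):
    """All <uses-permission> names declared in the manifest."""
    return {_attr(p, "name") for p in root.iter("uses-permission")}


def triage(manifest_xml):
    """Return a dict with the accessibility finding and a verdict string."""
    root = ET.fromstring(manifest_xml)
    has_a11y = declares_accessibility_service(root)
    sensitive = sorted(requested_permissions(root) & SENSITIVE_PERMISSIONS)
    if not has_a11y:
        verdict = "no-accessibility-service"
    elif sensitive:
        verdict = "accessibility-plus-indicators"  # combination rule fires
    else:
        verdict = "accessibility-only"  # low cross-section: still needs review
    return {
        "package": root.get("package"),
        "accessibility_service": has_a11y,
        "sensitive_permissions": sensitive,
        "verdict": verdict,
    }


# Constructed sample 1: accessibility service plus SMS access.
CLASSIC_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.classic">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample 2: accessibility service and nothing else suspicious.
STEALTHY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.stealthy">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample 3: ordinary app, no accessibility service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for m in (CLASSIC_MANIFEST, STEALTHY_MANIFEST, BENIGN_MANIFEST):
        r = triage(m)
        print(f"{r['package']}: {r['verdict']} {r['sensitive_permissions']}")
```

The verdict "accessibility-only" is the point: it carries no other indicator, so a pipeline that treats accessibility misuse as one factor among several will score it as benign. Routing that verdict to manual review, or weighting a bound accessibility service on its own, is the defender-side adjustment the article's quote alludes to.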
Apart from being extremely stealthy, DEFENSOR ID is capable of inflicting serious harm on its victims. It belongs to the banking trojan malware category and is exceptionally insidious: once installed, it needs its victim to take only one action to fully unleash its power.
“Once the user activates accessibility services, DEFENSOR ID can pave the way for the attacker to clean out the victim’s bank account or cryptocurrency wallet and take over their email or social media accounts, among other malicious actions,” commented Štefanko.
Following ESET’s notice, Google removed DEFENSOR ID from the official Android app store. “We decided to publish the results of our investigation into this malware to help defenders cope with ultra-low cross-section Android malware. The creators of such malware are definitely going to face hardened protections around both Google Play and the users’ devices,” concluded ESET’s Štefanko.
Issue 27 | www.intelligentciso.com