
Snowblind exploits Android Seccomp Sandbox to evade security measures


A newly discovered Android banking trojan, Snowblind, uses the Linux kernel feature seccomp in an unprecedented way. Seccomp is traditionally a security tool; Snowblind instead installs a seccomp filter to intercept system calls and bypass anti-tampering mechanisms in apps, even those equipped with strong obfuscation and integrity checks.

This approach lets the malware steal login credentials, bypass 2FA, and exfiltrate data, and it poses a significant threat because the technique is versatile and can be used to compromise apps in many ways. Unlike previous Android malware, which typically abuses accessibility services to steal user input or control applications, Snowblind takes a different route by leveraging seccomp to circumvent security measures.

Snowblind works by injecting a native library that installs a seccomp filter before the app’s anti-tampering code executes, redirecting the relevant system calls so that the tampering is not detected. This allows its malicious accessibility services to operate unnoticed, presenting a serious challenge for app developers and users alike.

Seccomp is a Linux kernel sandboxing mechanism that reduces a process’s attack surface by letting a user process define a policy for which system calls it may make. It has two modes, strict mode and seccomp-bpf; the latter provides granular control over system calls through Berkeley Packet Filter (BPF) programs.

Seccomp support was previously fragmented across device manufacturers’ custom kernels; Google’s integration of it into Android 8 (Oreo) enabled broader adoption. Because Zygote uses seccomp to restrict apps’ system calls and the Compatibility Test Suite (CTS) includes tests for it, seccomp-bpf is likely available on most devices running Android 8 and later.

To implement seccomp-bpf, developers define a Berkeley Packet Filter (BPF) program specifying allowed system calls based on parameters such as system call number, arguments, or calling process. This program is then applied to the process using the prctl() system call, granting control over system call permissions.

According to security experts at Promon, the prctl() system call with the PR_SET_SECCOMP option installs a seccomp filter for a process, dictating the permitted system calls according to the defined BPF program. When the process attempts a system call, the kernel consults the filter and permits or denies the call accordingly.
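To make the two steps concrete (define a BPF program, apply it with prctl()), here is an added example written for this page; it is not code from Promon’s analysis or from Snowblind. It builds a small seccomp-bpf program that allows every system call except one harmless one (getsid(), chosen arbitrarily for the demonstration), installs it with prctl(PR_SET_SECCOMP), and reads the Seccomp and Seccomp_filters fields of /proc/self/status before and after, which is how a process, or an anti-tampering library, can see that a filter is already active in its address space. The function names and the choice of getsid() are this example’s own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* A filter must check the ABI first, otherwise syscall numbers are misread. */
#if defined(__x86_64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* mode: Seccomp field (0 disabled, 1 strict, 2 filter; -1 if absent).
 * filters: Seccomp_filters field (attached filter count; -1 if the kernel does not report it). */
struct seccomp_status { int mode; int filters; };

/* Parse the seccomp fields out of a /proc/<pid>/status buffer. */
struct seccomp_status parse_seccomp_status(const char *buf)
{
    struct seccomp_status s = { -1, -1 };
    const char *line = buf;
    while (line && *line) {
        if (strncmp(line, "Seccomp_filters:", 16) == 0)
            s.filters = atoi(line + 16);
        else if (strncmp(line, "Seccomp:", 8) == 0)
            s.mode = atoi(line + 8);
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return s;
}

/* Read this process's own status. fopen() itself issues an open syscall, so a
 * filter installed earlier by someone else already sits underneath this check. */
struct seccomp_status read_own_seccomp_status(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return (struct seccomp_status){ -1, -1 };
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_seccomp_status(buf);
}

/* Build a program that allows every syscall except `nr`, which fails with EPERM.
 * Returns the instruction count, or 0 if `out` cannot hold it. */
size_t build_deny_one_filter(int nr, struct sock_filter *out, size_t cap)
{
    struct sock_filter prog[] = {
        /* Kill the thread on a foreign ABI rather than misinterpret numbers. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number: deny `nr` with EPERM, allow everything else. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned int)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof(prog) / sizeof(prog[0]);
    if (cap < n)
        return 0;
    memcpy(out, prog, sizeof(prog));
    return n;
}

/* Apply the program with prctl(); unprivileged callers must set no_new_privs first. */
int install_seccomp_filter(struct sock_filter *insns, size_t n)
{
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    struct seccomp_status before = read_own_seccomp_status();
    printf("before: Seccomp=%d Seccomp_filters=%d\n", before.mode, before.filters);
    struct sock_filter insns[16];
    size_t n = build_deny_one_filter(SYS_getsid, insns, 16); /* getsid: harmless demo target */
    if (n == 0 || install_seccomp_filter(insns, n) != 0) {
        perror("install_seccomp_filter");
        return 1;
    }
    long sid = getsid(0); /* now denied by the filter: returns -1 with errno EPERM */
    printf("getsid(0) -> %ld (%s)\n", sid, strerror(errno));
    struct seccomp_status after = read_own_seccomp_status();
    printf("after:  Seccomp=%d Seccomp_filters=%d\n", after.mode, after.filters);
    return 0;
}
```

Build with a Linux gcc (`gcc -Wall seccomp_demo.c`); the Seccomp_filters field is only present on newer kernels, so the parser reports -1 where it is missing. Two points matter for the article’s scenario. On Android the Zygote filter described above means an app’s baseline is already mode 2 with a non-zero filter count, so the useful signal for an anti-tampering library is a count above the baseline it expects, not mode 2 by itself. And since Snowblind traps open() and is injected before the anti-tampering code runs, the fopen() in this check executes underneath the attacker’s filter; the check is one signal, not a guarantee.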

In response to sophisticated threats like Snowblind, app developers have resorted to countermeasures such as implementing custom system calls and obfuscation. However, Snowblind’s ability to install a seccomp filter that allows every system call except open() poses a significant challenge. When the anti-tampering library attempts to open a file, the filter triggers a SIGSYS signal, and Snowblind’s handler injects the original app’s file path into the system call, effectively bypassing the security check.

As the cybersecurity landscape continues to evolve, staying informed about emerging threats like Snowblind is crucial. By following cybersecurity news sources on platforms like LinkedIn and X, individuals can stay updated on the latest developments and protect themselves from potential risks.
