
How Malicious Android Apps Slip Into Disguise – Krebs on Security revised


Researchers from ThreatFabric, a security firm based in Amsterdam, have discovered that mobile malware developers are exploiting a bug in the Google Android platform to insert malicious code into mobile apps undetected. This bug allows the malware to evade security scanning tools, making it difficult to identify and remove. In response to this research, Google has updated its app malware detection mechanisms.

The bug involves an obfuscation method that corrupts components of an app so that popular mobile security scanning tools ignore the malicious code, while the Android OS still accepts the app as valid and installs it. Aleksandr Eremin, a senior malware analyst at ThreatFabric, explained that the malware patches the .apk file (the app installation file) so that the app still installs and carries out its malicious actions undetected, while the tools designed to unpack and decompile apps are unable to process the code.

This obfuscation method has been observed by ThreatFabric in the past but has become more widespread since April 2023. The increase in its use has been attributed to a semi-automated malware-as-a-service offering in the cybercrime underground. This service obfuscates or “crypts” malicious mobile apps for a fee, making them difficult to detect and analyze.

Google classified the bug as a “high” severity issue, and the researchers were awarded a $5,000 bug bounty, signaling the significance of their findings. Google released a statement acknowledging the issue and stating that it did not impact the Android Open Source Project (AOSP). However, it did lead to updates in the company’s malware detection mechanisms to prevent abuse of the bug.

The bug also affects some of the tools provided by Google to developers, including APK Analyzer, which fails to parse malicious applications correctly. As a result, these applications can still be installed on user devices. Google has indicated that it is investigating possible fixes for developer tools and plans to update its documentation accordingly.

ThreatFabric has identified several signs that app analyzers can look for to detect malicious apps exploiting this bug. For example, modified apps have Android Manifest files with newer timestamps than other files in the software package. Additionally, the Manifest file itself is altered so that the number of “strings” specified does not match the actual number of strings in the software’s code.
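Both indicators can be checked mechanically without decompiling the app. The script below is an added example (not code from the article, ThreatFabric, or Google): it builds a constructed sample APK as a plain zip, compares the AndroidManifest.xml entry's timestamp with the other entries, and parses the manifest's binary-XML string pool to compare the stringCount declared in the header with the number of strings that actually fit inside the chunk. It assumes the string pool layout of Android's ResStringPool_header (a 28-byte header, then one 32-bit offset per string, then length-prefixed UTF-16 strings) and handles only UTF-16 pools; the string names, timestamps and the inflated count of 5000 are constructed values.

```python
import io
import struct
import zipfile

# AXML chunk types and flags as defined in Android's ResourceTypes.h
RES_STRING_POOL_TYPE = 0x0001
RES_XML_TYPE = 0x0003
UTF8_FLAG = 0x100
# type, headerSize, size, stringCount, styleCount, flags, stringsStart, stylesStart
POOL_HDR = "<HHIIIIII"
POOL_HDR_SIZE = struct.calcsize(POOL_HDR)  # 28 bytes


def build_axml(strings, declared_count=None):
    """Constructed sample: a minimal binary-XML blob holding only a UTF-16 string pool.
    declared_count lets us forge a header whose stringCount disagrees with the real pool."""
    data, offsets = b"", []
    for s in strings:
        offsets.append(len(data))
        data += struct.pack("<H", len(s)) + s.encode("utf-16-le") + b"\x00\x00"
    strings_start = POOL_HDR_SIZE + 4 * len(strings)
    count = len(strings) if declared_count is None else declared_count
    pool = struct.pack(POOL_HDR, RES_STRING_POOL_TYPE, POOL_HDR_SIZE,
                       strings_start + len(data), count, 0, 0, strings_start, 0)
    pool += b"".join(struct.pack("<I", o) for o in offsets) + data
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(pool)) + pool


def string_pool_counts(axml):
    """Return (declared stringCount, strings that actually decode inside the pool chunk)."""
    xml_type, xml_hdr, _ = struct.unpack_from("<HHI", axml, 0)
    if xml_type != RES_XML_TYPE:
        raise ValueError("not a binary AndroidManifest.xml")
    off = xml_hdr
    ptype, phdr, psize, declared, _styles, flags, strings_start, _ = struct.unpack_from(POOL_HDR, axml, off)
    if ptype != RES_STRING_POOL_TYPE:
        raise ValueError("expected the string pool as the first chunk")
    if flags & UTF8_FLAG:
        raise ValueError("UTF-8 string pools are not handled by this demo")
    fitting = (strings_start - phdr) // 4  # offsets that physically fit before stringsStart
    pool_end, data_start = off + psize, off + strings_start
    actual = 0
    for i in range(min(declared, fitting)):
        (rel,) = struct.unpack_from("<I", axml, off + phdr + 4 * i)
        pos = data_start + rel
        if pos + 2 > pool_end:
            break
        (n,) = struct.unpack_from("<H", axml, pos)  # UTF-16 length prefix (char count)
        if pos + 2 + 2 * n + 2 > pool_end:           # length word + chars + NUL terminator
            break
        actual += 1
    return declared, actual


def build_sample_apk(manifest, manifest_time, other_time):
    """Constructed sample APK: a zip with two placeholder members plus the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in ("classes.dex", "resources.arsc"):
            z.writestr(zipfile.ZipInfo(name, date_time=other_time), b"placeholder")
        z.writestr(zipfile.ZipInfo("AndroidManifest.xml", date_time=manifest_time), manifest)
    return buf.getvalue()


def scan_apk(apk_bytes):
    """Apply the two indicators from the article and return the ones that fire."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        infos = z.infolist()
        manifest = z.read("AndroidManifest.xml")
    m_time = next(i.date_time for i in infos if i.filename == "AndroidManifest.xml")
    others = [i.date_time for i in infos if i.filename != "AndroidManifest.xml"]
    if others and m_time > max(others):
        findings.append("manifest-timestamp-newer-than-other-entries")
    declared, actual = string_pool_counts(manifest)
    if declared != actual:
        findings.append(f"string-pool-count-mismatch:{declared}!={actual}")
    return findings


# Constructed samples: a consistent package and one with a re-timestamped, count-inflated manifest.
CLEAN_APK = build_sample_apk(build_axml(["manifest", "package"]),
                             (2023, 1, 10, 12, 0, 0), (2023, 1, 10, 12, 0, 0))
TAMPERED_APK = build_sample_apk(build_axml(["manifest", "package"], declared_count=5000),
                                (2023, 5, 2, 9, 30, 0), (2023, 1, 10, 12, 0, 0))

if __name__ == "__main__":
    print("clean:   ", scan_apk(CLEAN_APK))
    print("tampered:", scan_apk(TAMPERED_APK))
```

On a real sample, replace the constructed bytes with the contents of an APK file; the string-pool check will raise rather than guess when it meets a UTF-8 pool or an unexpected first chunk, which is the behaviour you want from a triage heuristic that is meant to surface, not hide, oddly built manifests.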

One of the mobile malware families known to abuse this obfuscation method is called Anatsa, a sophisticated Android-based banking trojan. It often disguises itself as a harmless file management application. Anatsa is frequently distributed through the Google Play Store using malware campaigns. ThreatFabric estimates that the creators of Anatsa have infected more than 30,000 devices through these campaigns.

Google has faced criticism in recent months for its failure to proactively police the Play Store for malicious apps. There have been instances where legitimate applications turned malicious after gaining a large user base. Google’s response to such incidents has been limited to removing the malware and expressing gratitude to the researchers who discovered it. However, the company has not addressed why its own researchers and automated scanning processes failed to detect the malicious apps in the first place.

Despite these concerns, there have been some positive developments. Google introduced a preventive measure in Android versions 11 and higher called “app hibernation.” This feature puts dormant apps into a hibernation state, revoking their previously granted runtime permissions. It is a step towards improving app security and preventing malware from accessing sensitive information.

In conclusion, ThreatFabric’s research highlights the exploitation of a bug in the Android OS that allows mobile malware to go undetected. Google has responded by updating its malware detection mechanisms and investigating potential fixes for the developer tools affected by the bug. It is essential for app analyzers to be aware of the signs of this obfuscation method to detect and remove malicious apps effectively.
