HomeCyber BalkansSnowblind exploits Android Seccomp Sandbox to evade security measures

Snowblind exploits Android Seccomp Sandbox to evade security measures

Published on

spot_img

In a recent discovery, a new Android banking trojan known as Snowblind has emerged, utilizing the Linux kernel feature seccomp in an unprecedented manner. Seccomp is a traditional tool used for security purposes, which normally installs a seccomp filter to intercept system calls and bypass anti-tampering mechanisms in apps, even those equipped with strong obfuscation and integrity checks.

This innovative approach enables the malware to steal login credentials, bypass 2FA, and exfiltrate data, posing a significant threat due to its versatility and potential to be utilized in various ways to compromise apps. Unlike previous Android malware that typically exploits accessibility services to steal user input or control applications, Snowblind takes a different route by leveraging seccomp to circumvent security measures.

Snowblind’s operation involves injecting a native library with a seccomp filter before the app’s anti-tampering code executes, thereby redirecting system calls to evade detection. This technique allows malicious accessibility services to operate undetected, presenting a serious challenge for app developers and users alike.

Seccomp, as a Linux kernel functionality, serves as a sandboxing mechanism to reduce attack surfaces by enabling user processes to define policies for system calls. Initially introduced with two modes – strict mode and seccomp-bpf – it provides granular control over system calls through Berkeley Packet Filters.

While seccomp was previously fragmented across device manufacturers’ custom kernels, its integration into Android 8 (Oreo) by Google has facilitated broader adoption. The incorporation of seccomp in Zygote to restrict apps’ system calls and the addition of tests in the Compatibility Test Suite (CTS) indicate that seccomp-bpf is likely available on most devices running Android 8 and later versions.

To implement seccomp-bpf, developers define a Berkeley Packet Filter (BPF) program specifying allowed system calls based on parameters such as system call number, arguments, or calling process. This program is then applied to the process using the prctl() system call, granting control over system call permissions.

According to security experts at Promon, the prctl() system call with the PR_SET_SECCOMP option enables the installation of a seccomp filter for process, dictating permitted system calls based on the defined BPF program. When a process attempts a system call, the kernel consults the filter, permitting or denying the call accordingly.

In response to the emergence of sophisticated threats like Snowblind, app developers have resorted to countermeasures such as implementing custom system calls and obfuscation. However, Snowblind’s ability to install a seccomp filter that allows all system calls except open() poses a significant challenge. By triggering a SIGSYS signal when the anti-tampering library attempts to open a file, Snowblind effectively bypasses security checks by injecting the original app’s file path into the system call.

As the cybersecurity landscape continues to evolve, staying informed about emerging threats like Snowblind is crucial. By following cybersecurity news sources on platforms like Linkedin and X, individuals can stay updated on the latest developments and protect themselves from potential risks.

Source link

Latest articles

Cynomi’s Focus on Autonomous AI Agents for Security Teams

CEO David Primor Discusses the Impact of AI on Engineering Productivity Cynomi, a promising player...

Forescout Discovers AI-Powered Phishing Campaign Featuring Fake eCards

Emerging Threats: The Sophisticated SeasonalInvite Phishing Campaign Exposed by Forescout In an eye-opening revelation, new...

Microsoft Addresses 570 CVEs in Historic Patch Tuesday

Microsoft Releases Unprecedented Number of Security Updates In a significant move, Microsoft has announced the...

Malware Attacks Japan’s Leading Taxi Company Nihon Kotsu

Japan's leading taxi service provider, Nihon Kotsu, recently faced a significant cybersecurity incident that...

More like this

Cynomi’s Focus on Autonomous AI Agents for Security Teams

CEO David Primor Discusses the Impact of AI on Engineering Productivity Cynomi, a promising player...

Forescout Discovers AI-Powered Phishing Campaign Featuring Fake eCards

Emerging Threats: The Sophisticated SeasonalInvite Phishing Campaign Exposed by Forescout In an eye-opening revelation, new...

Microsoft Addresses 570 CVEs in Historic Patch Tuesday

Microsoft Releases Unprecedented Number of Security Updates In a significant move, Microsoft has announced the...