New versions of Bankosy and Cepsohord use two methods to bypass the security mechanisms of the latest Android versions.
A key capability of mobile banking Trojans is determining which application is currently running in the foreground on the device. Having identified the application, the malware displays a matching phishing page to coax the victim's bank card details out of them. With the release of Android 5.0 Lollipop and Android 6.0 Marshmallow, Google deprecated the getRunningTasks() API, which had allowed the open applications to be determined, and banking Trojans like Bankosy were left ineffective.
According to Symantec experts, despite Google's efforts to improve the security of its operating system, attackers are keeping pace and continue to improve their malware. The researchers report that new variants of the Bankosy and Cepsohord banking Trojans use two ways to bypass the security mechanisms of the latest Android versions. One requires obtaining a special permission from the user; the other requires no additional permissions at all.
The first method determines the running task using the UsageStatsManager application programming interface introduced in Android 5.0. Through this API, the malware obtains statistics on the applications used in the last two seconds and works out the most recent activity.
To use UsageStatsManager, the malware asks the user for the system-level permission "android.permission.PACKAGE_USAGE_STATS". Because this permission can only be granted through the Settings app, the Trojan resorts to social engineering to get the user to grant access: it requests the permission while displaying the icon and name of the Chrome browser.
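Because usage access is granted per app in Settings, a device-side audit can enumerate which installed packages actually hold it and flag the ones that look like the impersonation described above. The following is an added example (not Symantec's code or anything from the malware); the class name, the allowlist and the "Chrome" label check are assumptions for illustration.

```java
import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Hypothetical audit helper: lists apps holding usage access and flags suspicious ones. */
public final class UsageAccessAudit {

    // Constructed allowlist of packages expected to hold usage access on this device.
    private static final List<String> EXPECTED = Arrays.asList("com.android.settings");

    // Official Chrome package; a "Chrome"-labelled app with another package name is suspect.
    private static final String CHROME_PKG = "com.android.chrome";

    /** Returns human-readable findings, one per app that holds usage access and looks wrong. */
    public static List<String> findSuspiciousUsageAccessHolders(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        AppOpsManager ops = (AppOpsManager) ctx.getSystemService(Context.APP_OPS_SERVICE);
        List<String> findings = new ArrayList<>();

        for (ApplicationInfo ai : pm.getInstalledApplications(0)) {
            int mode = ops.checkOpNoThrow(AppOpsManager.OPSTR_GET_USAGE_STATS, ai.uid, ai.packageName);
            // MODE_DEFAULT means "fall back to the manifest permission", which only
            // privileged/system apps can actually hold; treat that as granted too.
            boolean granted = mode == AppOpsManager.MODE_ALLOWED
                    || (mode == AppOpsManager.MODE_DEFAULT
                        && pm.checkPermission("android.permission.PACKAGE_USAGE_STATS", ai.packageName)
                           == PackageManager.PERMISSION_GRANTED);
            if (!granted) continue;

            boolean systemApp = (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            String label = String.valueOf(ai.loadLabel(pm)).trim();

            // Finding 1: a user-installed app presenting itself as Chrome under a different package.
            if (label.equalsIgnoreCase("Chrome") && !CHROME_PKG.equals(ai.packageName)) {
                findings.add(ai.packageName + " has usage access and is labelled \"Chrome\"");
            } else if (!systemApp && !EXPECTED.contains(ai.packageName)) {
                // Finding 2: any other non-system app with usage access that is not on the allowlist.
                findings.add(ai.packageName + " (\"" + label + "\") has usage access unexpectedly");
            }
        }
        return findings;
    }
}
```

Each finding names a package that can observe which app is in the foreground; reviewing that list against what the user knowingly granted in Settings is the mitigation this permission model leaves open.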