Friday, June 3, 2016

Banker Trojans have learned to circumvent the protection of Android 6.0 – securitylab

New versions of Bankosy and Cepsohord use two methods to bypass the security mechanisms of the latest versions of Android.

A key role in mobile banking Trojans is played by the ability to determine which application is currently running on the device. Having identified the program, the malware displays the matching phishing page to lure the victim's bank card data out of them. With the release of Android 5.0 Lollipop and Android 6.0 Marshmallow, Google abandoned the getRunningTasks() API, which allowed the open applications to be determined, and banking Trojans like Bankosy were left ineffective.

According to Symantec experts, despite Google's efforts to enhance the security of its operating system, hackers are not lagging behind and continue to improve their malware. According to the researchers, the new variants of the banking Trojans Bankosy and Cepsohord use two ways to bypass the security mechanisms of the latest versions of Android. One of them requires obtaining a special permission from the user, while the second does not require any additional permissions.

The first method determines the running task by using the UsageStatsManager application programming interface introduced in Android 5.0. With this API, the malware retrieves statistics about the applications used in the last two seconds and works out the most recently used one.

To use UsageStatsManager, the malware asks the user for the system-level permission “android.permission.PACKAGE_USAGE_STATS”. Since this permission can only be granted through the “Settings” app, the Trojan uses social engineering to push the user into granting access: it requests the permission while displaying the icon and name of the Chrome browser.
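Because the first technique only works once usage access has been granted through Settings, a device audit can simply list which third-party packages currently hold it. The script below is an added example, not code from the article or from Symantec's research: it assumes adb is on PATH with a single device connected, and that `appops get` reports the GET_USAGE_STATS op in the form used by Android 5/6 (`GET_USAGE_STATS: allow; time=...`).

```shell
#!/bin/sh
# Audit: list third-party packages that have been granted "usage access",
# i.e. the GET_USAGE_STATS app-op behind android.permission.PACKAGE_USAGE_STATS.
# Assumptions: adb on PATH, one connected device, Android 5/6 appops output.

# Decide from one "appops get <pkg> GET_USAGE_STATS" result whether the op
# is allowed. Prints the package name and returns 0 only for "allow";
# "deny", "ignore", "default" and "No operations." return 1 and print nothing.
usage_access_granted() {
  pkg=$1
  appops_line=$2
  case "$appops_line" in
    GET_USAGE_STATS:\ allow*) echo "$pkg"; return 0 ;;
    *) return 1 ;;
  esac
}

# Walk every third-party package (pm list packages -3) on the live device and
# print those with usage access. tr strips the CRLF older adb shells emit.
audit_device() {
  adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
  while read -r pkg; do
    out=$(adb shell appops get "$pkg" GET_USAGE_STATS | tr -d '\r')
    usage_access_granted "$pkg" "$out" || true
  done
}

# Run the audit only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  audit_device | while read -r pkg; do
    echo "usage access granted to third-party app: $pkg" \
         "(review under Settings > Security > Apps with usage access)"
  done
fi
```

Any third-party package listed that the user does not recognise as a legitimate launcher, battery or parental-control tool deserves a closer look, since usage access is exactly what this technique needs.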

The second method uses a popular project published on GitHub with source code for determining the open applications on the device. By itself it is not malicious, but cybercriminals use it for criminal purposes. The project reads data from the “/proc/” file system to enumerate the running processes and determine the open application. According to Symantec experts, this method will not work with the release of the next version of Google's operating system, known as Android N.
