{"id":4187,"date":"2024-06-26T08:00:00","date_gmt":"2024-06-26T13:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/remote-workforce\/snowblind-tampering-technique-may-drive-android-users-adrift"},"modified":"2024-06-26T08:00:00","modified_gmt":"2024-06-26T13:00:00","slug":"snowblind-tampering-technique-may-drive-android-users-adrift","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/06\/26\/snowblind-tampering-technique-may-drive-android-users-adrift\/","title":{"rendered":"‘Snowblind’ Tampering Technique May Drive Android Users Adrift"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

Hackers from Southeast Asia have turned Android’s own best application security mechanism against itself, severing the link between kernel and application in order to perform any kind of tampering they wish.<\/span><\/p>\n

This method is being employed by new malware called “Snowblind,” which targets at least one banking app in Southeast Asia. Snowblind works by abusing the ubiquitous and otherwise sterling Linux security feature “seccomp” \u2014 short for “secure computing” \u2014 in order to trap and modify system calls in transit, in effect isolating an application from the protocols and information it needs to detect malicious tampering.<\/span><\/p>\n

“In security, nothing is bulletproof,” says Jan Vidar Krey, vice president of engineering at Promon, lamenting the weaponization of such a core Android security feature. “Everything can be circumvented to some extent, which is a harsh, brutal way of looking at it, but that’s the reality.”<\/span><\/p>\n

The Android Anti-Tampering Cat & Mouse Game<\/h2>\n

As Promon describes in <\/span>its report on Snowblind<\/a><\/span>, the most common way hackers undermine Android devices is by tricking users into <\/span>granting them accessibility permissions<\/a><\/span>, which they can use to various malicious ends.<\/span><\/p>\n

Because this is so common, though, experienced developers already know how to account for it. For example, apps can query the operating system to check for untrusted accessibility services, and then react accordingly, as Promon discusses in its report.<\/span><\/p>\n

Attackers, for their part, can try to identify and sabotage the parts of an app’s code that do that job by “<\/span>repackaging<\/a><\/span>” them \u2014 downloading, modifying, and re-uploading malicious versions of legitimate apps.<\/span><\/p>\n

To prevent repackaging, developers can be proactive by protecting their code with obfuscation, or they can be reactive by opening an app’s Android package (APK) file on disk and reviewing its contents.<\/span><\/p>\n

Attackers have their own methods for concealing their malicious repackaging, though. For example, they can hook into that anti-tampering file reading process and redirect it to an unmodified version of the same app. But developers know about and can account for that as well by implementing the necessary system calls in native libraries rather than the C standard library.<\/span><\/p>\n

So at this point, forced into a corner, attackers needed a new way of preventing secured apps from detecting their tampering.<\/span><\/p>\n

Snowblind’s Anti- Anti-Tampering<\/h2>\n

Snowblind \u2014 the next evolution in this grand game \u2014 tries something new. It puts its focus not on accessibility services per se, or the app’s code, but the seccomp security feature in between.<\/span><\/p>\n

“This seccomp mechanism is the foundation of everything that you’re seeing in the cloud today,” Krey notes. In addition to Android \u2014 since version 8.0 Oreo \u2014 it’s used by containerization technologies like Docker (by default) and Kubernetes, Chromium browsers, and more.<\/span><\/p>\n

It works by sandboxing applications, allowing or blocking calls they might make to the operating system as defined by a system administrator. But these days, Krey explains, “What we’re seeing with Android is that malware is using these same security tricks to prevent an application from seeing what’s actually going on on the rest of the system. And basically just showing it what the attacker wants it to see.”<\/span><\/p>\n

First, Snowblind repackages an app with a library that will be loaded before any anti-tampering mechanisms can run. This library includes a seccomp “filter,” which looks out for a very select few system calls \u2014 like “open()”, used for opening files or other resources \u2014 and traps them. Before allowing the call to be executed, it uses a signal handler to modify it, pointing it to a file that’s the original, unmodified version of the app.<\/span><\/p>\n