Cyber Security News

New Android Malware Employs Various Tactics to Deceive Malware Analysts

In mobile application security, attackers ship increasingly sophisticated malware, and code obfuscation is one of their main techniques for deceiving analysts.

Obfuscation deliberately mangles code and resources so that they are hard to read, which slows analysis and complicates decompilation.

Symantec's recent investigation describes a spyware cluster that uses several techniques to evade static analysis.

One of them is resource camouflage: the APK carries hidden resources that reuse the names and permissions of essential resources.

This confuses analysis tools and complicates the extraction of the real resources.

Adding Layers of Obfuscation

Another method is to use compression methods in APK entries that third-party APK-parsing libraries do not support, so those libraries fail and analysis becomes harder.

This compression trick adds an extra layer of obfuscation on top of the code-level one.

The spyware cluster also stores some data with "no compression" to evade signature scheme verification, exploiting the fact that Android accepts both stored and compressed entries.

By writing unsupported compression-method codes into entry headers, the spyware passes through the Android security infrastructure while avoiding detection by checks built on the signature schemes.
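A defender-side check for the two archive-level tricks described above (duplicate resource entries and compression-method codes that Android does not accept), written as an added Python example rather than Symantec's or the article's own code; the APK it scans is constructed inline, and the method value 12 is only a stand-in for any unsupported code.

```python
import io
import struct
import warnings
import zipfile

# STORED (0) and DEFLATE (8) are the only methods Android's APK parser accepts.
ANDROID_METHODS = {0, 8}

def central_directory(data: bytes):
    """Yield (header_offset, method, name) per central-directory record, parsed by hand."""
    eocd = data.rfind(b"PK\x05\x06")                 # end-of-central-directory signature
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":        # central-directory header signature
            break                                     # truncated or malformed: report what we have
        method = struct.unpack_from("<H", data, pos + 10)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield pos, method, name
        pos += 46 + name_len + extra_len + comment_len

def scan_apk(data: bytes) -> dict:
    """Flag entries with non-Android compression methods and duplicated entry names."""
    seen, bad_method, duplicates = set(), [], []
    for _, method, name in central_directory(data):
        if method not in ANDROID_METHODS:
            bad_method.append((name, method))
        if name in seen:
            duplicates.append(name)
        seen.add(name)
    return {"unsupported_method": bad_method, "duplicate_names": duplicates}

def build_sample_apk() -> bytes:
    """Constructed sample (not a real malware file): duplicated resources.arsc plus a
    classes.dex whose central-directory method is patched to 12 (bzip2, unsupported)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")               # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
            z.writestr("AndroidManifest.xml", b"<manifest/>")
            z.writestr("resources.arsc", b"decoy")
            z.writestr("resources.arsc", b"real")     # same name twice: resource camouflage
            z.writestr("classes.dex", b"dex\n035\x00")
    data = bytearray(buf.getvalue())
    for off, _, name in central_directory(bytes(data)):
        if name == "classes.dex":
            struct.pack_into("<H", data, off + 10, 12)
    return bytes(data)
```

The central directory is parsed by hand because a stock ZIP library may refuse the very entries the check is looking for.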

Resource obfuscation breaks reverse-engineering tools by placing invalid attributes and illegal resource IDs in the AndroidManifest.xml and resources.arsc files.

Tools such as Apktool, Jadx, and JEB run into problems when they hit these obfuscated elements, which shows the care this spyware takes to resist analysis.

Unmasking App Behaviors: A Multifaceted Deception

The spyware cluster uses a multi-layered disguise, posing as popular games, apps, and even system-level applications.

Once installed, these deceptive apps request accessibility service permissions, which let them monitor user activity and report it to a designated server.

Automated permission granting

The command-and-control (C&C) code of these samples is padded with noise, junk code and irrelevant strings inserted into the essential methods.

This obfuscation is meant to disrupt static analysis tools, yet careful inspection reveals a fixed format in the server's responses that the app parses to execute commands.

Using anti-kill and anti-uninstall methods, the spyware protects itself by triggering actions such as 'HOME' or 'BACK' whenever the user tries to terminate or uninstall the app, which blocks user intervention.

The spyware cluster underscores the dynamic nature of mobile threats and the need for robust security measures.

Users are urged to install security apps, avoid downloading from unfamiliar sources, keep software updated, scrutinize app permissions, and maintain frequent backups as essential safeguards in this ever-evolving landscape.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.