New Snowblind Android trojan examined

The new Snowblind trojan evades the anti-tampering defenses of Android apps by abusing seccomp, a Linux kernel security feature that Android first adopted in Android 8, BleepingComputer reports.

According to a Promon report, a Snowblind intrusion injects a seccomp filter that intercepts system calls, together with a SIGSYS signal handler that redirects the app's anti-tampering code to an unchanged copy of the APK, so the checks see an unmodified app. This allows several app security features to be disabled and sensitive information, including personally identifiable information and login credentials, to be exposed. The researchers noted that while only one app has been targeted so far, other threat actors could use the malware to enable further compromises. Google downplayed the threat, saying that none of the apps on its Play Store were found to be compromised with Snowblind. "Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services," said a Google spokesperson.
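One defensive check the mechanism above suggests: an app (or an analyst examining a suspicious process) can ask the kernel whether a seccomp filter is already installed in its own process, since a filter in an app that never installed one is worth alarming on. The C program below is an added example, not code from the article or from Promon; it assumes a Linux /proc filesystem whose /proc/self/status carries the Seccomp field (and, on newer kernels, Seccomp_filters).

```c
#include <stdio.h>
#include <string.h>

/* Parse the "Seccomp:" and "Seccomp_filters:" lines of /proc/<pid>/status text.
 * Returns the seccomp mode (0 = disabled, 1 = strict, 2 = filter) or -1 if the
 * line is absent. *filters_out receives the installed filter count, or -1 when
 * the kernel does not report it (the field appeared in Linux 5.9). */
int parse_seccomp_status(const char *status_text, int *filters_out)
{
    int mode = -1, filters = -1;
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "Seccomp_filters:", 16) == 0)
            sscanf(line + 16, "%d", &filters);
        else if (strncmp(line, "Seccomp:", 8) == 0)
            sscanf(line + 8, "%d", &mode);
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : NULL;
    }
    if (filters_out)
        *filters_out = filters;
    return mode;
}

/* Ask the kernel about the calling process. A -1 result means /proc was not
 * readable, which a hardened app should treat as "unknown", not "clean". */
int current_seccomp_mode(int *filters_out)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_seccomp_status(buf, filters_out);
}

/* Stand-alone use: report whether a filter is already installed here. */
int main(void)
{
    int filters = -1;
    int mode = current_seccomp_mode(&filters);
    printf("seccomp mode: %d, filters: %d\n", mode, filters);
    if (mode == 2)
        puts("a seccomp filter is installed; if this app never installed one, investigate");
    return 0;
}
```

Note that Android itself installs a seccomp filter for app processes, so a production check must compare against the filter count the app expects on that platform rather than treating any filter as hostile.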
