Snowblind malware uses an Android security feature to bypass security
A new banking malware named ‘Snowblind’ targets Android users to steal credentials and banking data. This malware exploits a built-in security feature to bypass anti-tamper protection in apps handling sensitive data.
According to Promon, Snowblind works by repackaging an app so that it can no longer detect the accessibility features that can be used to extract sensitive information such as login credentials and to gain remote access to the app.
However, Snowblind, like most Android malware, can bypass an essential security feature. It abuses a feature named ‘seccomp’, which stands for ‘secure computing’. This feature, part of the underlying Linux kernel and the Android operating system, checks apps for signs of tampering.
The security firm observed that Snowblind injects a piece of code that loads before seccomp initializes the anti-tampering measures. This allows the malware to bypass those security mechanisms and use accessibility services to efficiently and remotely view the victim’s screen.
Abusing seccomp security feature
Mobile app security company Promon investigated how Snowblind evades detection after receiving a sample from i-Sprint, a partner that offers businesses access and identity protection systems.
Seccomp is a Linux kernel security feature designed to reduce the attack surface of applications by restricting the system calls (syscalls) they can make. It acts as a filter on the syscalls an app is allowed to issue, letting permitted ones run and blocking those that have been abused in attacks.
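To make the syscall-filter idea concrete, here is an added example (not code from the article or from Promon) that installs a seccomp-BPF filter on Linux, the same kernel mechanism Android relies on; it assumes a Linux host and arbitrarily picks getppid() as the syscall to deny, installing the filter in a forked child so the parent stays unrestricted.

```c
// Added example: install a seccomp-BPF filter that denies one syscall,
// demonstrated in a forked child so the parent process is unaffected.
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

// Build and install a filter that lets every syscall through except `nr`,
// which fails with EPERM instead of reaching the kernel.
static int install_deny_filter(int nr) {
    struct sock_filter code[] = {
        // Load the syscall number from the seccomp_data handed to the filter
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        // If it equals `nr`, fall through to the deny action; otherwise skip to allow
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(code) / sizeof(code[0]), .filter = code };
    // Required so an unprivileged process may install a filter
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

// Fork, deny getppid() (an arbitrary choice) in the child, and report the errno
// the child observed: EPERM if the filter worked, 0 if the call still succeeded, -1 on error.
int seccomp_demo(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_deny_filter(SYS_getppid) != 0) _exit(255);
        errno = 0;
        long r = syscall(SYS_getppid);
        _exit(r == -1 ? (errno & 0xff) : 0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void) {
    printf("child saw errno %d (EPERM is %d)\n", seccomp_demo(), EPERM);
    return 0;
}
```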