MALWARE IS GETTING worryingly smart, as seen with some malicious Android apps that can monitor motion sensor data on an infected device to make sure it doesn’t end up under the scrutiny of researchers using emulators.
Boffins from security firm Trend Micro found that a pair of malicious apps masquerading as useful tools – Currency Converter and BatterySaverMobi – used the motion tracking technique to evade security researchers and then drop a malicious payload onto an infected device in the form of the Anubis banking malware.
The motion-sensing technique hides the malware from researchers by only activating on devices that produce motion sensor data, i.e. real smartphones rather than the emulators security researchers use to hunt for new malware.
“These apps don’t just use traditional evasion techniques; they also try to use the user and device’s motions to hide their activities,” Trend Micro explained.
“As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data. If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.
“The malicious app monitors the user’s steps through the device motion sensor. If it senses that the user and the device are not moving (if it lacks sensor data and thus, might be running in a sandbox environment), then the malicious code will not run.”
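From the analysis side, the lesson of the sensor check is that a sandbox which reports no motion at all is trivially fingerprinted. The following is an added example (not code from the article or from Trend Micro) of what a sandbox operator might do about it: generate a constructed, walking-like accelerometer stream, render it as Android Emulator console `sensor set acceleration x:y:z` commands, and self-check the feed with a variance test and a rough step counter so that a static default is caught before an analysis run. The amplitudes, cadence, thresholds and the `GRAVITY` constant are assumptions chosen for illustration, not values taken from the report.

```python
import math
import random
from statistics import pvariance

GRAVITY = 9.81  # m/s^2, what a resting handset's accelerometer reports on one axis


def synthetic_walk(seconds=10, rate_hz=50, step_hz=1.8, seed=1):
    """Constructed accelerometer samples (x, y, z) resembling a handset carried by a walker.

    Gravity sits on the y axis, a periodic bounce rides on top at roughly step cadence,
    and low-level Gaussian noise is added. Assumption: this is enough variability for a
    'no motion data means emulator' gate to see movement; real traces are messier.
    """
    rng = random.Random(seed)
    samples = []
    for i in range(seconds * rate_hz):
        t = i / rate_hz
        bounce = 1.5 * math.sin(2 * math.pi * step_hz * t)
        x = 0.3 * math.sin(math.pi * step_hz * t) + rng.gauss(0, 0.05)
        y = GRAVITY + bounce + rng.gauss(0, 0.05)
        z = 0.2 * math.cos(2 * math.pi * step_hz * t) + rng.gauss(0, 0.05)
        samples.append((x, y, z))
    return samples


def static_feed(seconds=10, rate_hz=50):
    """What an unconfigured emulator reports: constant gravity and nothing else."""
    return [(0.0, GRAVITY, 0.0)] * (seconds * rate_hz)


def _magnitudes(samples):
    return [math.sqrt(x * x + y * y + z * z) for x, y, z in samples]


def looks_static(samples, threshold=0.01):
    """Sandbox self-check: True when the acceleration magnitude barely varies."""
    return pvariance(_magnitudes(samples)) < threshold


def count_steps(samples, threshold=GRAVITY + 0.8):
    """Rough step count: rising crossings of the magnitude through a level above gravity."""
    steps, above = 0, False
    for m in _magnitudes(samples):
        if m > threshold and not above:
            steps += 1
            above = True
        elif m <= threshold:
            above = False
    return steps


def emulator_commands(samples):
    """Render samples as Android Emulator console commands (sensor set acceleration x:y:z)."""
    return [f"sensor set acceleration {x:.3f}:{y:.3f}:{z:.3f}" for x, y, z in samples]


if __name__ == "__main__":
    walk = synthetic_walk()
    print("static feed looks static:", looks_static(static_feed()))
    print("walk feed looks static:", looks_static(walk), "steps:", count_steps(walk))
    for cmd in emulator_commands(walk[:3]):
        print(cmd)
```

The commands can be pushed to a running emulator with `adb emu <command>` (one per sample, paced at the sample rate) or over the emulator console; the self-check matters because a feed that never varies is exactly what the article says the dropper treats as a sandbox.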
Once the malicious app is up and running, it tricks users into installing the Anubis malware, or another malware-loaded Android application package (APK), by serving up a fake system update screen.
And while it does this, it also uses another evasion technique that’s best left to Trend Micro to explain:
“One of the ways the app developers hide the malicious server is by encoding it in Telegram and Twitter webpage requests. The bank malware dropper will request Telegram or Twitter after it trusts the running device,” said Trend Micro.
“By parsing the response’s HTML content, it gets the C&C server (aserogeege.space). Then, it registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background. It will try and trick users into installing it with the fake system update.”
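Because the C&C address is fetched from a legitimate Telegram or Twitter page, blocking by destination alone does little; the observable pattern on the network is the sequence Trend Micro describes, a fetch of one of those pages followed shortly by an HTTP POST to an unfamiliar host. The snippet below is an added example (not from the article or from Trend Micro) of that heuristic run over constructed proxy log lines; the log format, the allowlist, the two-minute window and the client addresses are assumptions made for the illustration, while `aserogeege.space` is the server named in the report.

```python
from datetime import datetime, timedelta

# Pages the article names as carriers of the encoded C&C address.
DEAD_DROP_HOSTS = {"twitter.com", "telegram.org"}
# Hosts a POST is unremarkable for; assumption standing in for a reputation/allowlist feed.
KNOWN_HOSTS = {"twitter.com", "telegram.org", "play.googleapis.com"}

# Constructed proxy log, "<timestamp> <client> <method> <host> <path>" (not real traffic).
SAMPLE_LOG = """\
2019-01-17T10:00:01 10.0.0.5 GET twitter.com /somehandle
2019-01-17T10:00:03 10.0.0.5 POST aserogeege.space /
2019-01-17T10:05:00 10.0.0.7 GET twitter.com /news
2019-01-17T10:20:00 10.0.0.7 POST play.googleapis.com /checkin
2019-01-17T10:21:00 10.0.0.9 GET telegram.org /s/somechannel
2019-01-17T10:30:00 10.0.0.9 POST example-cdn.net /upload
"""


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, client, method, host, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host.lower(), path))
    return events


def find_dead_drop_followups(text, window=timedelta(seconds=120)):
    """Return (client, host) pairs where a client POSTs to a host outside KNOWN_HOSTS
    within `window` of fetching a dead-drop page, in log order.

    The 10.0.0.9 client above also fetched a dead-drop page, but its POST comes nine
    minutes later and falls outside the window, so it is not reported.
    """
    last_drop_fetch = {}
    hits = []
    for ts, client, method, host, _path in parse_log(text):
        if method == "GET" and host in DEAD_DROP_HOSTS:
            last_drop_fetch[client] = ts
        elif method == "POST" and host not in KNOWN_HOSTS:
            seen = last_drop_fetch.get(client)
            if seen is not None and ts - seen <= window:
                hits.append((client, host))
    return hits


if __name__ == "__main__":
    for client, host in find_dead_drop_followups(SAMPLE_LOG):
        print(f"{client}: POST to {host} shortly after a dead-drop page fetch")
```

The window and allowlist are the tuning knobs: too wide a window or too small an allowlist produces noise from ordinary app traffic, so in practice the hit would be a lead for enrichment (domain age, resolution history) rather than an alert on its own.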
All this shows, somewhat worryingly, how Android malware is getting more sophisticated and that people looking to download new apps need to be pretty cautious, especially if that… ermm… ‘free nude celeb pics’ app looks too good to be true. µ
Source: Inquirer