Android’s latest permission-granting model in version 6.0 Marshmallow is now been targeted by Mobile malware authors. The model will let users grant permissions only when it is required by the app, rather be accepting all on installation. Threats such as Android.Bankosy and Android.Cepsohord has already adopted this method in order to gain the permissions required by them to carry out malicious activities.
Prompting for permissions at runtime
In Mobile phones running on Android 6.0 Marshmallow, apps request permissions that could pose a privacy risk at runtime, as and when they’re are required, instead of prompting the user for all of them at installation time.
If the app malware author forcefully sets the “target_sdk” attribute of an app to 22 in place of 23 to avoid requesting permissions at runtime, a user then can grant all requested permission at the time of app’s installation, but the users can also manually revoke permissions from any app, irrespective of the “target_sdk” values on devices running Marshmallow.
Since Marshmallow’s market share is increasing and users are now learning to manually revoke permission. Authors of malware families such as Android.Bankosy and Android.Cepsohord has now started porting their code to handle the current Android runtime permission model.
Handling of Marshmallow’s new permission model by Bankosy and Cepsohord Malware.
Android.Bankosy is a well known Financial Trojan which partially works with the new model by checking whether a permission
is in a non-revoked state before execution of the malicious code. On the other hand, the Bankosy malware calls a special service
code (*21*[DESTINATION NUMBER]#) in order to enable unconditional call forwarding on the compromised device. This feature is needed by the attacker to help it conduct fraudulent transactions using the target’s information,
By using Marshmallow’s checkSelfPermission API the Bankosy’s authors updated the malware code to check whether the permission to call this number has been granted or not.
On the other hand, Click-fraud malware Cepsohord takes a step ahead and fully handles the new permission model. It not only checks the permission’s authorization state but also prompts the user to authorize the permission in case it is in a revoked state.
Future of Android Malware.
Previously seen android Threats has the capability to update themselves so that they can survive new security measure on Google’s mobile operation system. Also, it can do powerful social engineering, taking advantage of user lack of privacy awareness.
Symantec Engineer’s recommends users to Keep your software up to date, Refrain from downloading apps from unfamiliar sites, only install apps from trusted sources, Pay close attention to the permissions that apps request, Install a suitable mobile security app to protect your device and data, and Make frequent backups of important data stay protected from mobile threats.
Written by: Imdadullah Mohammed
Author Bio: Imdad is an Information Security Consultant, He is also a Moderator for Pune Chapter of Null – The open security community in India and Also member of Garage4hackers. A true open source and Information Security enthusiast. His core area of expertise includes Vulnerability Assessment and Penetration Testing of the Web application, Mobile application and Networks, as well as Server Hardening.
If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.
(Security Affairs – MEDHOST, hacking)