
Snowblind Malware Emerges as Major Threat to Banking App Security

A dangerous new strain of malware has emerged, posing a severe threat to banking app users and leading to significant financial losses and fraud, cybersecurity experts have warned.

Promon, a provider of mobile app security solutions, has named the first-of-its-kind malware ‘Snowblind’. It makes use of a novel attack vector, exploiting functionalities in the Android operating system to bypass anti-tampering mechanisms.

According to Promon, cybercriminals are using the malware strain to target banking customers in Southeast Asia, causing significant financial losses for account holders in the region.

This news follows Promon’s discovery of FjordPhantom last year, another stealthy banking malware used by hackers to commit fraud in Indonesia, Thailand, Vietnam, Singapore, and Malaysia.

How Snowblind works

The kernel is the core part of an operating system: it manages everything happening on a device and acts as the bridge between applications and hardware. Snowblind abuses the Linux kernel’s seccomp (secure computing) feature, a sandboxing mechanism that restricts the system calls an app can make.

Most malware gains elevated privileges by exploiting Android’s accessibility services, which are designed to help users with disabilities by interacting with and modifying app interfaces. Malicious actors can misuse these services to read screen contents, input text, control apps and bypass security measures.

Snowblind modifies apps so that they can no longer detect that an accessibility service is running; detecting one would typically cause a secure app to shut itself down. It also uses seccomp to intercept and manipulate system calls, bypassing security checks and remaining undetected.

Snowblind installs a seccomp filter that traps specific system calls and registers a signal handler that modifies those calls as they are trapped. This lets it evade anti-tampering mechanisms and remain hidden while compromising the app’s security.
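As an added illustration that is not Promon’s code or anything from the original article: a defender-side check in C that reads the seccomp fields the Linux kernel exposes in /proc/self/status, so a hardened app can notice when a filter it did not expect has been attached to its process. The baseline filter count (expected_filters) is an assumption the caller must measure on a clean install, since Android itself already applies a seccomp filter to app processes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Seccomp state of a process as reported by /proc/<pid>/status. */
struct seccomp_state {
    int mode;      /* 0 = off, 1 = strict, 2 = filter; -1 if line absent */
    int nfilters;  /* "Seccomp_filters:" count (Linux 5.9+); -1 if absent */
};

/* Parse status-file text. Free of I/O so it can be checked on constructed
 * input as well as on the live file. */
struct seccomp_state parse_seccomp_status(const char *text)
{
    struct seccomp_state st = { -1, -1 };
    const char *line = text;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 8 && strncmp(line, "Seccomp:", 8) == 0)
            st.mode = atoi(line + 8);            /* atoi skips the tab */
        else if (len > 16 && strncmp(line, "Seccomp_filters:", 16) == 0)
            st.nfilters = atoi(line + 16);
        line = nl ? nl + 1 : NULL;
    }
    return st;
}

/* An Android app process already runs under the filter zygote applies, so
 * the baseline is not zero: measure expected_filters on a clean device.
 * Returns 1 when more filters are attached than expected (or, on kernels
 * without the count, when filter mode is on but none is expected). */
int seccomp_looks_tampered(struct seccomp_state st, int expected_filters)
{
    if (st.nfilters >= 0)
        return st.nfilters > expected_filters;
    return expected_filters == 0 && st.mode == 2;
}

/* Read the calling process's own status file; {-1,-1} if unreadable. */
struct seccomp_state read_self_seccomp_status(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return parse_seccomp_status("");
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_seccomp_status(buf);
}
```

A result of 1 is a prompt to investigate or refuse to proceed, not proof of this particular malware, and the filter count is only available on kernels that report Seccomp_filters.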

Snowblind specifically targets banking apps by exploiting accessibility services, allowing cybercriminals to steal login credentials and hijack banking sessions for unauthorised transactions, leading to financial loss. It also disables security features like two-factor authentication (2FA) and biometric verification, and exfiltrates sensitive personal and transaction data, increasing the risk of fraud.


New direction

“As concerning as Snowblind is, what stands out even more from our analysis is the underlying seccomp-based technique it employs,” said Benjamin Adolphi, head of security research at Promon. “This method, beyond its current malicious use, demonstrates a potential for far-reaching applications and could signify a new direction in attack strategies.

By leveraging seccomp in this novel way, Snowblind not only circumvents existing security measures but also opens up possibilities for a broader range of attacks.”

Henning Treichl, VP product management at Promon, also added: “Having recently spent time in the region to learn more about the devastating impact of specialised banking malware, I’ve observed a clear and undeniable trend. South East Asia is witnessing a sharp rise in cyberattacks as malicious actors try to exploit its financial sectors with increasingly sophisticated cyberthreats.”
