A new Android banking malware has been found exploiting weaknesses in the way Android extracts and parses the APK manifest, using them to carry out information-stealing operations. The malware is reported to be capable of evading the standard security checks in Android by abusing the Android routine that parses and extracts APK manifests, the file that defines an application's structure and stores its metadata.
The malware was found to be capable of stealing user information including IP addresses, contact lists, account details, SMS messages, photos, videos, and online banking digital certificates. The exfiltration is controlled remotely from a server, from which the malware can also receive commands to perform malicious actions. These include deleting or adding contacts, sending SMS messages, setting ringtone volume levels, and turning debug mode on and off on the device.
While the method of infection is unclear, researchers suggest that the malware may be reaching devices through third-party Android stores and unsafe websites. Researchers also suggest that it may be spread through app updates that insert malicious code into otherwise legitimate apps.
The malware was first detected and analysed by Kaspersky researchers, who found that it uses malicious APKs to fool security tools and evade analysis. The researchers further reported that the malware uses three different approaches, each involving manipulation of the manifest file's compression and size, to bypass checks in the Android operating system.
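The article only says that the manifest's compression and size are manipulated; the following is an added example (not Kaspersky's code or the malware) of the kind of consistency check a defender or APK-scanning pipeline can run on the `AndroidManifest.xml` entry before handing the archive to a lenient parser. It reads the ZIP central directory and local file header directly rather than trusting a library, and flags an unexpected compression method, a declared uncompressed size that does not match the inflated data, or headers that disagree with each other. The sample APK is a constructed minimal zip, not a real app, and the two tampering helpers exist only to produce malformed test inputs for the check; the set of "allowed" methods (stored and deflate) is an assumption about well-formed APKs made by this checker.

```python
from __future__ import annotations

import io
import struct
import zipfile
import zlib

MANIFEST = b"AndroidManifest.xml"
# Assumption of this checker: a well-formed APK stores its manifest either
# uncompressed (0) or with deflate (8). Anything else is treated as suspicious.
ALLOWED_METHODS = {0, 8}

EOCD_SIG = b"PK\x05\x06"
CDH_SIG = b"PK\x01\x02"
LFH_SIG = b"PK\x03\x04"
EOCD_FMT = "<4s4H2LH"      # 22 bytes
CDH_FMT = "<4s6H3L5H2L"    # 46 bytes; index 4 = method, 7 = crc, 8/9 = sizes, 16 = local offset
LFH_FMT = "<4s5H3L2H"      # 30 bytes; index 3 = method, 6 = crc, 7/8 = sizes, 9/10 = name/extra len


def build_sample_apk() -> bytes:
    """Constructed minimal APK-like zip (not a real app): a manifest plus a dummy dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST.decode(), b"<manifest package='example.constructed'/>" * 4)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    return buf.getvalue()


def _find_manifest_cdh(apk: bytes) -> int:
    """Walk the central directory and return the offset of the manifest's entry."""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    (_, _, _, _, n_entries, _cd_size, cd_off, _) = struct.unpack_from(EOCD_FMT, apk, eocd)
    pos = cd_off
    for _ in range(n_entries):
        if apk[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header signature")
        f = struct.unpack_from(CDH_FMT, apk, pos)
        name_len, extra_len, comment_len = f[10], f[11], f[12]
        if apk[pos + 46:pos + 46 + name_len] == MANIFEST:
            return pos
        pos += 46 + name_len + extra_len + comment_len
    raise ValueError("AndroidManifest.xml not found in central directory")


def check_manifest(apk: bytes) -> list[str]:
    """Return a list of findings; an empty list means the manifest entry is consistent."""
    findings: list[str] = []
    cdh = _find_manifest_cdh(apk)
    c = struct.unpack_from(CDH_FMT, apk, cdh)
    c_method, c_crc, c_comp, c_uncomp, local_off = c[4], c[7], c[8], c[9], c[16]
    if apk[local_off:local_off + 4] != LFH_SIG:
        return ["local file header signature missing at declared offset"]
    l = struct.unpack_from(LFH_FMT, apk, local_off)
    l_method, l_comp, l_uncomp, l_name_len, l_extra_len = l[3], l[7], l[8], l[9], l[10]

    if c_method not in ALLOWED_METHODS:
        findings.append(f"central directory declares unexpected compression method {c_method}")
    if l_method != c_method:
        findings.append(f"local header method {l_method} != central directory method {c_method}")
    if l_comp != c_comp or l_uncomp != c_uncomp:
        findings.append("local header sizes disagree with central directory")

    # Inflate the actual bytes so the declared size is compared with reality,
    # not with another header field. Non-stored entries are tried as raw deflate.
    data_start = local_off + 30 + l_name_len + l_extra_len
    raw = apk[data_start:data_start + c_comp]
    try:
        data = raw if c_method == 0 else zlib.decompress(raw, -15)
    except zlib.error as exc:
        findings.append(f"manifest data does not inflate: {exc}")
        return findings
    if len(data) != c_uncomp:
        findings.append(f"declared uncompressed size {c_uncomp} != actual {len(data)}")
    if (zlib.crc32(data) & 0xFFFFFFFF) != c_crc:
        findings.append("CRC-32 of inflated manifest does not match header")
    return findings


def tamper_method(apk: bytes, method: int) -> bytes:
    """Constructed malformed test input: rewrite the manifest's compression method in both headers."""
    cdh = _find_manifest_cdh(apk)
    local_off = struct.unpack_from(CDH_FMT, apk, cdh)[16]
    out = bytearray(apk)
    struct.pack_into("<H", out, cdh + 10, method)       # method field of central directory header
    struct.pack_into("<H", out, local_off + 8, method)  # method field of local file header
    return bytes(out)


def tamper_size(apk: bytes, declared_uncomp: int) -> bytes:
    """Constructed malformed test input: rewrite the manifest's declared uncompressed size."""
    cdh = _find_manifest_cdh(apk)
    local_off = struct.unpack_from(CDH_FMT, apk, cdh)[16]
    out = bytearray(apk)
    struct.pack_into("<L", out, cdh + 24, declared_uncomp)       # uncompressed size in central directory
    struct.pack_into("<L", out, local_off + 22, declared_uncomp)  # uncompressed size in local header
    return bytes(out)


if __name__ == "__main__":
    good = build_sample_apk()
    print("clean sample:", check_manifest(good))
    print("bad method:  ", check_manifest(tamper_method(good, 1234)))
    print("bad size:    ", check_manifest(tamper_size(good, 10)))
```

The check deliberately inflates the manifest itself and compares the result with the declared size, because a scanner that only cross-checks header fields against each other can be satisfied by an archive whose headers are internally consistent but wrong about the data. A real pipeline would run the same logic over every entry and treat any finding as grounds to reject the APK rather than pass it to a lenient parser.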
Like many malicious Android apps, the malware hides its icon once installed on a device, making it harder to detect and remove. It nevertheless remains active in the background, sending the stolen data to the threat actors.
Published - April 18, 2024 02:27 pm IST