A Banking Trojan Will Bypass Android 6 Security


A modified version of a known banking Trojan can now get past two of the security features introduced in Android 6. It is a case of social engineering rather than the exploitation of any vulnerability: the malware simply asks for the rights it needs, and punishes the user who refuses.

The tussle between malicious hackers and mobile security researchers is going to be fiercely fought as smartphone adoption soars. Android is the most widely used mobile operating system in the world, so it comes as little surprise that malware authors frequently target the platform.

Google baked new security features into the latest release of Android, 6.0 Marshmallow. Two of them, however, can be bypassed by a tweaked version of a mobile banking Trojan dubbed Gugi.

More specifically, they are:

  • User-granted app overlays: an app that wants to draw its own interface on top of other apps needs the SYSTEM_ALERT_WINDOW permission, which on Android 6 the user has to grant explicitly in a system settings screen rather than at install time.
  • Runtime (dynamic) permissions: sensitive capabilities such as reading or sending SMS messages and placing phone calls are requested by the app when it first needs them, and the user can allow or deny each one.

Kaspersky Lab uncovered the modified version of the Gugi banking Trojan and reports that the number of its victims grew ten-fold over the four months between April and August this year.

Typically, banking malware works by placing a fake login screen on top of the user’s genuine banking app or browser window and harvesting the credentials the user types into it. Android 6.0’s new controls made this harder by forcing apps to obtain the user’s permission before they can draw over other apps.

The tweaked version of Gugi, however, gets around that feature in a not-so-subtle way: it asks for the permission, and keeps asking.

The Trojan’s payload is usually delivered by a link in a spam SMS that tricks the user into thinking they are downloading a photo. Once installed, the malware announces that it requires “additional rights to work with graphics and windows” and presents a single button labelled “provide”.

If the user taps it, the system’s app-overlay settings screen opens with the malware requesting authorization to draw over other apps. It doesn’t stop there. Once overlay has been granted, it asks for device administrator rights, and then for the runtime permissions to send and read SMS messages and to make phone calls.

If the user refuses any of the rights it asks for, the malware gets nasty and blocks the device completely. The only way out is to reboot the device into safe mode, where third-party apps do not run, and remove the Trojan from there; because it holds device administrator rights, those must be revoked in the device administrator settings before Android will allow the app to be uninstalled.
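Because the three grants in that chain are ordinary Android 6 permissions rather than the result of an exploit, the practical check for an analyst handed a suspect phone is simply whether one third-party app holds all three at once: the overlay permission, device administrator rights, and the SMS or phone runtime permissions. The shell helper below is an added example written for this article, not LIFARS or Kaspersky tooling; it scores a package from the text of three adb commands. The package names and command outputs are constructed samples, and the exact dumpsys and appops formats it parses are an assumption to confirm against a real Android 6 device before relying on it.

```shell
#!/bin/sh
# Added triage helper (not LIFARS or Kaspersky tooling): flag an Android
# package that holds all three grants the Gugi prompt chain asks for on
# Android 6: the overlay permission, device administrator rights, and the
# SMS / phone runtime permissions.
#
# On a live device the three inputs come from (not executed here):
#   adb shell appops get "$PKG" SYSTEM_ALERT_WINDOW
#   adb shell dumpsys package "$PKG"
#   adb shell dumpsys device_policy
# The parsing assumes the Android 6 output formats mirrored in the
# constructed samples below; confirm them against your own device first.

# has_overlay APPOPS_OUTPUT: succeeds if SYSTEM_ALERT_WINDOW is allowed.
has_overlay() {
    printf '%s\n' "$1" | grep -q 'SYSTEM_ALERT_WINDOW: allow'
}

# is_device_admin PKG DEVICE_POLICY_OUTPUT: succeeds if PKG is an enabled admin.
is_device_admin() {
    printf '%s\n' "$2" | grep -qF "admin=ComponentInfo{$1/"
}

# granted_sms_call DUMPSYS_PACKAGE_OUTPUT: prints each granted SMS/call
# runtime permission, one per line (empty output if none).
granted_sms_call() {
    printf '%s\n' "$1" \
      | grep -E 'android\.permission\.(SEND_SMS|READ_SMS|RECEIVE_SMS|CALL_PHONE): granted=true' \
      | sed -E 's/^[[:space:]]*android\.permission\.([A-Z_]+):.*/\1/'
}

# gugi_score PKG APPOPS DUMPSYS_PACKAGE DEVICE_POLICY: prints 0..3, one
# point per grant from the chain.
gugi_score() {
    score=0
    if has_overlay "$2"; then score=$((score + 1)); fi
    if is_device_admin "$1" "$4"; then score=$((score + 1)); fi
    if [ -n "$(granted_sms_call "$3")" ]; then score=$((score + 1)); fi
    echo "$score"
}

# verdict PKG APPOPS DUMPSYS_PACKAGE DEVICE_POLICY: one-line triage result.
verdict() {
    case "$(gugi_score "$@")" in
        3) echo "$1: SUSPECT (overlay + device admin + SMS/call)" ;;
        2) echo "$1: REVIEW (two of the three grants)" ;;
        *) echo "$1: ok" ;;
    esac
}

# --- constructed samples: a Gugi-style "photo" app and a harmless notes app ---
SAMPLE_APPOPS='SYSTEM_ALERT_WINDOW: allow'
SAMPLE_DUMPSYS_PKG='  Package [com.example.photo] (1a2b3c):
    userId=10123
    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.SEND_SMS: granted=true
      android.permission.CALL_PHONE: granted=true
      android.permission.READ_EXTERNAL_STORAGE: granted=false'
SAMPLE_DEVICE_POLICY='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    admin=ComponentInfo{com.example.photo/com.example.photo.AdminReceiver}
      uid=10123'
BENIGN_APPOPS='No operations.'
BENIGN_DUMPSYS_PKG='  Package [com.example.notes] (4d5e6f):
    userId=10124
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true'

verdict com.example.photo "$SAMPLE_APPOPS" "$SAMPLE_DUMPSYS_PKG" "$SAMPLE_DEVICE_POLICY"
verdict com.example.notes "$BENIGN_APPOPS" "$BENIGN_DUMPSYS_PKG" "$SAMPLE_DEVICE_POLICY"
```

A score of 3 is not proof of infection (a legitimate SMS app with a lock-screen overlay and an enterprise MDM agent could look the same), but an app that arrived via a link promising a photo and holds that combination is exactly the profile described above, and the device administrator entry is the one to revoke first, since it is what stops a normal uninstall.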

LIFARS always recommends that Android users do not hand over rights automatically whenever an application asks for them. Understanding which permissions are being sought, and why the app would need them at all, is the basis for using your discretion: a supposed photo viewer has no business drawing over other apps, administering the device, or sending SMS messages.

Image credit: Pixabay.