‘Snowblind’ Tampering Technique May Drive Android Users Adrift

June 26, 2024 at 09:06AM

“Snowblind,” a new malware targeting Southeast Asian banking apps, abuses the Linux security feature “seccomp” to keep applications from detecting that they have been tampered with, defeating existing anti-tampering measures. This forces developers and security experts to adapt and find new strategies to counter such attacks, since traditional defense mechanisms are less effective against this approach.

The meeting notes make clear that a new type of malware called “Snowblind” is employing sophisticated tactics to target at least one banking app in Southeast Asia.

The malware leverages the “seccomp” security feature in Android to intercept and modify system calls, so that an application can no longer detect malicious tampering. By repackaging an app with a library that installs a seccomp filter, Snowblind misdirects the signals the app relies on to detect tampering, allowing it to perform malicious actions such as stealing credentials and intercepting two-factor authentication codes.
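As an added defender-side illustration (not code from the article or from the malware), the following self-check reads the process's own `/proc/self/status` and reports the seccomp mode and the number of installed filters, which is the kernel's view of exactly the mechanism described above. It assumes the standard Linux procfs field names (`Seccomp:` and, on kernels 5.9 and later, `Seccomp_filters:`); note that stock Android already applies a baseline seccomp filter to every app, and that a filter intercepting file reads can feed this check forged data, so the result is one signal rather than proof.

```c
/* Added example: report whether this process runs under a seccomp filter.
 * Assumes the Linux /proc/<pid>/status format: "Seccomp:" is 0 (disabled),
 * 1 (strict) or 2 (filter); "Seccomp_filters:" (kernel >= 5.9) counts the
 * installed BPF filters. On Android every app already has a baseline filter,
 * so a higher-than-expected filter count is the interesting signal, and a
 * hostile filter trapping openat/read could forge what we see here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct seccomp_status {
    int mode;    /* -1 if the field was absent */
    int filters; /* -1 if the field was absent (older kernels) */
};

/* Parse the seccomp-related lines out of a /proc/<pid>/status buffer. */
struct seccomp_status parse_seccomp_status(const char *text)
{
    struct seccomp_status st = { -1, -1 };
    const char *line = text;
    while (line && *line) {
        /* "Seccomp:" and "Seccomp_filters:" differ at the 8th character */
        if (strncmp(line, "Seccomp:", 8) == 0)
            st.mode = (int)strtol(line + 8, NULL, 10);      /* strtol skips the tab */
        else if (strncmp(line, "Seccomp_filters:", 16) == 0)
            st.filters = (int)strtol(line + 16, NULL, 10);
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return st;
}

/* Read our own status file; returns 0 on success, -1 if it cannot be read. */
int read_own_seccomp_status(struct seccomp_status *out)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    *out = parse_seccomp_status(buf);
    return 0;
}

int main(void)
{
    struct seccomp_status st;
    if (read_own_seccomp_status(&st) != 0) {
        perror("/proc/self/status");
        return 1;
    }
    printf("seccomp mode=%d filters=%d\n", st.mode, st.filters);
    return 0;
}
```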

The report highlights that existing anti-tampering measures, such as checking for untrusted accessibility services and protecting code with obfuscation, are being circumvented by Snowblind. Additionally, developers are facing challenges in defending against this new malware due to the fundamental role of seccomp in protecting various systems and applications.

In response, the report notes that there is no obvious and comprehensive way to defend against Snowblind’s tactics, given seccomp’s crucial role in protecting systems. The report also indicates that Dark Reading has reached out to Google for information on defending against Snowblind.

Overall, the meeting notes point to a significant challenge for developers and organizations in defending against this advanced form of malware. They emphasize the need for innovative and comprehensive approaches to mitigate the threat posed by Snowblind and similar attacks.