Snowblind Malware Abuses Android Security Feature to Bypass Security
A novel Android attack vector from a piece of malware tracked as Snowblind abuses a security feature to bypass the anti-tampering protections in apps that handle sensitive user data. Snowblind's goal is to repackage a target app so that it can no longer detect abuse of accessibility services, which lets the malware capture user input such as credentials or obtain remote control of the device to run malicious actions.

Unlike other Android malware, Snowblind abuses 'seccomp' (short for secure computing), a Linux kernel feature that Android uses for integrity checks on applications, to protect users against malicious actions such as application repackaging.

Seccomp is a Linux kernel security feature designed to reduce the attack surface of applications by restricting the system calls (syscalls) they can make. It acts as a filter for the syscalls an app is allowed to run, blocking those that have been abused in attacks. Google first integrated seccomp in Android 8 (Oreo), implementing it in the Zygote process, which is the parent process of all Android apps.

Snowblind targets apps that handle sensitive data by injecting a native library that loads before the anti-tampering code and installs a seccomp filter to intercept system calls such as the 'open()' syscall, commonly used for file access. When the APK of the target app is checked for tampering, Snowblind's seccomp filter does not allow the call to proceed and instead triggers a SIGSYS signal indicating that the process sent a bad argument to the system call.

Snowblind also installs a signal handler for SIGSYS to inspect the call and manipulate the thread's registers, the researchers explain in a report shared with BleepingComputer. This way, the malware can modify the 'open()' system call arguments to point the anti-tampering code at an unmodified version of the APK.
Due to the targeted nature of the seccomp filter, the performance impact and operational footprint are minimal, so the user is unlikely to notice anything during normal app operations.
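The two building blocks the article describes, a seccomp filter in the app's process and a user-space SIGSYS handler, are both visible to the process itself. The following is an added defensive example, not code from the article, from the researchers' report, or from the Snowblind sample: a small set of helpers an app's native anti-tampering code could call before it trusts an open()-based integrity check. It queries the seccomp mode with prctl(2) rather than by reading /proc/self/status, because reading a file goes through open(), the very syscall the article says is intercepted. All function and type names (seccomp_mode, sigsys_handler_address, interposition_indicators, syscall_env_baseline, selftest_sigsys_detection) are my own.

```c
/* Added defensive example (not from the article or the Snowblind sample).
 * Helper names and the baseline structure are assumptions of this example. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>

typedef void (*sig_fn)(int);

/* Seccomp mode of the calling process: 0 disabled, 1 strict, 2 filter, -1 on error.
 * prctl(2) does not touch the filesystem, so it is not affected by an open() trap.
 * If a filter traps prctl itself, this call may raise SIGSYS instead of returning. */
int seccomp_mode(void) {
    return (int)prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
}

/* Current SIGSYS handler, or NULL when the disposition is SIG_DFL / SIG_IGN
 * (or sigaction fails). sa_handler and sa_sigaction share storage on glibc and
 * bionic, so this covers handlers installed with or without SA_SIGINFO. */
sig_fn sigsys_handler_address(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    if (sigaction(SIGSYS, NULL, &sa) != 0) return NULL;
    if (sa.sa_handler == SIG_DFL || sa.sa_handler == SIG_IGN) return NULL;
    return sa.sa_handler;
}

int sigsys_handler_installed(void) {
    return sigsys_handler_address() != NULL;
}

/* Bitmask of the indicators the article's technique needs. On Android 8+ both
 * can be present legitimately (the page notes Zygote installs its own filter, and
 * Android's crash handling may register a SIGSYS handler), so the raw bits are a
 * report, not a verdict; compare against what the app expects for its process. */
enum { IND_SECCOMP_FILTER = 1, IND_SIGSYS_HANDLER = 2 };

int interposition_indicators(void) {
    int ind = 0;
    if (seccomp_mode() == 2) ind |= IND_SECCOMP_FILTER;
    if (sigsys_handler_installed()) ind |= IND_SIGSYS_HANDLER;
    return ind;
}

/* Snapshot of the process's syscall environment taken at a point the app trusts,
 * so later checks can detect drift (a new filter or a swapped SIGSYS handler). */
typedef struct {
    int indicators;
    sig_fn sigsys_handler;
} syscall_env_baseline;

syscall_env_baseline capture_baseline(void) {
    syscall_env_baseline b;
    b.indicators = interposition_indicators();
    b.sigsys_handler = sigsys_handler_address();
    return b;
}

/* Returns 1 when the indicators or the SIGSYS handler differ from the baseline. */
int baseline_changed(const syscall_env_baseline *b) {
    return b->indicators != interposition_indicators()
        || b->sigsys_handler != sigsys_handler_address();
}

/* Benign no-op handler used only by the self-test below. */
static void noop_sigsys_handler(int signo) { (void)signo; }

/* Self-test: installs a harmless SIGSYS handler, checks that the helpers see it,
 * restores the previous disposition, and returns 1 when every step behaved. */
int selftest_sigsys_detection(void) {
    syscall_env_baseline before = capture_baseline();
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = noop_sigsys_handler;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSYS, &sa, &old) != 0) return 0;

    int ok = sigsys_handler_installed() == 1
          && sigsys_handler_address() == noop_sigsys_handler
          && (interposition_indicators() & IND_SIGSYS_HANDLER) != 0
          && baseline_changed(&before) == 1;

    if (sigaction(SIGSYS, &old, NULL) != 0) return 0;
    return ok && baseline_changed(&before) == 0;
}
```

Because the article says the injected library loads before the anti-tampering code, a baseline captured by that code alone arrives too late to catch a filter that is already in place; the more useful comparison is against what the app knows about its own process (for example, that it never installs a SIGSYS handler of its own). Code running inside a process the attacker already controls can also be tampered with, so these checks raise the cost of the technique rather than guarantee detection.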
News source
https://www.bleepingcomputer.com/news/security/snowblind-malware-abuses-android-security-feature-to-bypass-security/