Symantec is warning Android users about a banking malware that adds itself to Android's battery-optimisation whitelist so it can stay active in the background and remain under the attackers' control.
Symantec says the latest variants of the Android.Fakebank.B malware use social engineering to bypass the battery-saving functions and stay active in the background of Android devices at all times.
The malware does this by displaying a pop-up that asks the user to add the app to the battery-optimisation exceptions whitelist. If the user accepts, the malware can stay connected to its command-and-control (C&C) servers at all times.
This lets the malware bypass Doze, the power-saving feature introduced in Android 6.0 (Marshmallow). Doze conserves battery by restricting apps' network and CPU access while the device is idle, and Symantec describes it as a 'hurdle' for banking malware that needs to keep talking to its C&C servers.
Figure 1: Code responsible for triggering Battery Optimisations exceptions whitelist pop-up
Symantec notes that Marshmallow classifies permissions by protection level: normal, dangerous, and higher levels (signature and system permissions that ordinary third-party apps generally cannot obtain). Permissions classed as normal are granted automatically at install time and cannot be revoked by the user.
The malware declares REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS), which is classified as normal, so it is granted silently and the user is never asked about it at install time. Holding that permission, the app can raise the system dialog that asks the user to exempt it from battery optimisation; a convincing app name is enough to trick the user into agreeing, and the malware then escapes Doze's restrictions.
Figure 2: Malware prompt shows the app's name as “Chrome” and requests whitelisting
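The mechanism is visible in an app's manifest before it ever runs: the app must declare the normal-level permission above, and at runtime it fires an Intent with the action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS and the data URI package:<its own package name>, at which point the system dialog displays whatever label the app gave itself (hence “Chrome”). The following triage script is an added example written for this page, not Symantec's code and not a sample of Android.Fakebank.B: it parses a decoded (apktool-style) AndroidManifest.xml, flags the Doze-exemption permission, the boot-restart permission that usually accompanies it, and an application label that impersonates a well-known app while sitting in a different package. The manifest text and the KNOWN_LABELS table are constructed for the example.

```python
"""Offline triage of a decoded AndroidManifest.xml for the Doze-whitelist
pattern described above.  Added example, not Symantec's code and not a
sample of Android.Fakebank.B; the manifest text below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Normal-level permission that lets an app raise the "ignore battery
# optimisations" system dialog (the prompt shown in Figure 2).
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
# Normal-level permission that lets an app restart itself after reboot;
# together with the Doze exemption it gives near-permanent C&C connectivity.
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"

# Genuine package names behind labels a fake app might borrow.  Assumed,
# illustrative table; extend it with the brands that matter to you.
KNOWN_LABELS = {
    "Chrome": "com.android.chrome",
    "Google Play Store": "com.android.vending",
    "Gmail": "com.google.android.gm",
}

# Constructed sample modelled on the behaviour the article describes.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="Chrome" android:icon="@mipmap/ic_launcher">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def android_attr(element, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Return {'package', 'label', 'findings'} for a decoded (text) manifest.

    Only plain-XML manifests are handled, e.g. the output of apktool; the
    binary AXML inside an APK must be decoded first.  A label given as a
    resource reference (@string/...) is reported as-is, since resolving it
    needs the app's resources.
    """
    data = manifest_xml.encode("utf-8") if isinstance(manifest_xml, str) else manifest_xml
    root = ET.fromstring(data)
    package = root.get("package", "")
    permissions = {android_attr(e, "name") for e in root.iter("uses-permission")}
    application = root.find("application")
    label = android_attr(application, "label") if application is not None else None

    findings = []
    if BATTERY_PERM in permissions:
        findings.append("asks for Doze exemption via " + BATTERY_PERM)
    if BOOT_PERM in permissions:
        findings.append("restarts at boot via " + BOOT_PERM)
    genuine = KNOWN_LABELS.get(label)
    if genuine and genuine != package:
        findings.append("label %r belongs to %s but package is %s"
                        % (label, genuine, package))
    return {"package": package, "label": label, "findings": findings}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], "labelled as", result["label"])
    for finding in result["findings"]:
        print(" -", finding)
```

Requesting the exemption is not itself malicious (messaging and VoIP apps do it legitimately), so treat the output as a prioritisation signal rather than a verdict; the label/package mismatch is the strongest of the three. On a live device, `adb shell dumpsys deviceidle whitelist` lists the packages currently exempted from Doze, which is the quickest way to confirm whether a suspect app actually obtained the exemption; the same list is reachable from the battery-optimisation screen in Settings on stock Android, where an unexpected entry can be removed.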
Symantec recommends that users:
- Keep mobile device software up to date
- Only install apps from trusted sources
- Do not download apps from unfamiliar sites
- Scrutinise what permissions the apps want and why
- Use mobile security apps to protect data and devices
- Make regular backups of important data