Snowblind
Type of Malware            | Trojan
Country of Origin          | Unknown
Date of Initial Activity   | 2024
Motivation                 | Data Theft
Attack Vectors             | Phishing
Type of Information Stolen | Financial Information
Targeted Systems           | Android
Overview
In early 2024, a new threat emerged in the Android malware landscape, introducing a novel attack vector that has garnered significant attention from cybersecurity experts. This malware, named Snowblind, represents a sophisticated evolution in the realm of banking trojans, specifically targeting financial institutions in Southeast Asia.
What sets Snowblind apart from its predecessors is its innovative use of a Linux kernel feature known as seccomp (secure computing). Traditionally employed for sandboxing applications and limiting their system call capabilities, seccomp has been repurposed by Snowblind to circumvent robust anti-tampering mechanisms and execute its malicious activities undetected.
Snowblind’s attack methodology challenges conventional defenses by exploiting seccomp to bypass app security measures that are typically effective against repackaging and tampering. Unlike earlier threats that relied on more common techniques such as repackaging and accessibility service abuse, Snowblind utilizes a less well-known but potent approach that manipulates seccomp filters.
By doing so, it undermines the integrity checks of targeted applications, allowing it to operate stealthily and efficiently. This sophisticated maneuver underscores the malware’s ability to adapt to and overcome advanced security mechanisms, highlighting a troubling trend in malware development.
Targets
Individuals
How they operate
Exploitation of Seccomp
Seccomp is a Linux kernel feature designed to restrict the system calls a process can make, thus minimizing potential attack vectors. Originally introduced as a strict mode and later extended with seccomp-bpf (Berkeley Packet Filter), it provides a way to enforce security policies at the system call level. Snowblind exploits this feature by injecting a malicious library into the target banking application. This library installs a seccomp filter that intercepts and modifies specific system calls, particularly open(), which the app's integrity checks rely on to read and verify their own files.
When Snowblind's injected library installs the seccomp filter, it lets every other system call through and returns SECCOMP_RET_TRAP for open(). That result makes the kernel deliver a SIGSYS signal to the process instead of executing the call, and the malware's own SIGSYS handler receives it. Inside the handler, Snowblind rewrites the arguments of the open() call so that it opens the unmodified version of the application instead. This redirection effectively bypasses anti-tampering mechanisms that rely on detecting alterations to the app's file.
Technical Execution
Snowblind’s technical execution involves several key steps:
Library Injection: The malware injects a custom library into the target banking application. This library is loaded during the application’s initialization process, before any anti-tampering code can run.
Seccomp Filter Installation: The injected library sets up a seccomp filter that intercepts all open() system calls. This filter is designed to return a trap for these calls, allowing the malware to intercept and modify their behavior.
Handling System Calls: When an open() call is detected, the seccomp filter causes the kernel to generate a SIGSYS signal. Snowblind’s library has a signal handler for SIGSYS that inspects and alters the system call arguments. By redirecting the open() call to the original, unmodified APK, Snowblind bypasses checks that would otherwise detect tampering.
Evasion of Detection: This manipulation ensures that any file access attempts, including those checking for tampered application files, are directed to the clean version of the app. Consequently, standard security measures and integrity checks fail to detect any modifications, allowing Snowblind to operate undetected.
Implications
Snowblind’s use of seccomp represents a sophisticated approach to malware development, leveraging legitimate security features to facilitate malicious activities. This technique not only demonstrates the innovative tactics of modern cybercriminals but also underscores the need for advanced security measures to counteract such sophisticated threats. As malware continues to evolve, understanding and mitigating these advanced techniques will be crucial for maintaining robust cybersecurity defenses.
MITRE Tactics and Techniques
Defense Evasion:
T1066: Indicator Removal from Tools – Snowblind’s use of seccomp to manipulate system calls and bypass anti-tampering mechanisms aligns with tactics to evade detection and hinder forensic analysis.
Execution:
T1203: Exploitation for Client Execution – Snowblind executes its malicious payload through sophisticated manipulation of system calls, exploiting vulnerabilities in application processes.
Persistence:
T1543: Create or Modify System Process – By injecting its own library into the target app, Snowblind ensures its continued operation and persistence even if the app is updated or checked for tampering.
Privilege Escalation:
T1068: Exploitation for Privilege Escalation – Snowblind’s ability to manipulate system calls might facilitate privilege escalation within the targeted app or system.