A novel Android attack vector from a piece of malware tracked as Snowblind is abusing a security feature to bypass existing anti-tampering protections in apps that handle sensitive user data.

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    7
    ·
    5 months ago

    Snowblind targets apps that handle sensitive data by injecting a native library which loads before the anti-tampering code, and installs a seccomp filter to intercepts system calls such as the ‘open() syscall,’ commonly used in file access.

    When the APK of the target app is checked for tampering, Snowblind’s seccomp filter does not allow the call to proceed and instead triggers a SIGSYS signal indicating that the process sent a bad argument to the system call.