Select Page

Malware uses social engineering to bypass battery-saving process.

Graham Cluley

Android banking malware remains active when infected devices sleep to save power

Doze malware

A new Android banking trojan can stay connected with its command & control servers, even after infected devices have gone dormant.

At issue here is something known as Doze.

First introduced in Android 6.0 Marshmallow, Doze is a power mode that activates once a user hasn’t interacted with their device for a period of time.

Once Doze is activated, the Android operating system restricts applications’ access to the network and other services on the phone to conserve battery…

Doze

…that is, unless it’s included in the Battery Optimizations exceptions whitelist.

Therein lies the rub. A malicious program simply needs to add itself to that whitelist.

To accomplish that aim, variants of the trojan Android.Fakebank.B are leveraging social engineering techniques. Specifically, they’re invoking REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, a permission which is automatically approved and which causes a pop-up message to display to the user.

Prompt

Android.Fakebank.B disguises itself as a legitimate app – for instance, the Chrome browser – to trick a user into granting them the necessary permission.

Regardless of whatever mask it is wearing, you don’t want to click “Yes.” Dinesh Venkatesan of Symantec Security Response explains why:

“If the user accepts the prompt’s request, the malware will be added to the Battery Optimization exception whitelist, allowing it to stay connected to its attacker’s remote location even when the device is inactive.”

Battery optimisation

Once that’s all said and done, the malware has free reign to read a victim’s SMS messages, install shortcuts, and check the phone’s status.

The malware’s main functionality is to check to see if any of the following banking applications are installed on the infected device:

  • nh.smart
  • com.shinhan.sbanking
  • com.webcash.wooribank
  • com.ATsolution.KBbank
  • com.hanabank.ebk.channel.android.hananbank

If the trojan finds one of those apps, it will delete it and ask the user to install a malicious copy, at which point it can lay in wait to steal a victim’s banking credentials.

2013 101114 5645 99 3

To be sure, Android.Fakebank.B is far from the first malware that’s used social engineering, and it certainly won’t be the last.

With that in mind, users should maintain an up-to-date anti-virus solution on their devices and should never click on suspicious links or email attachments.

You should also be on the lookout for apps that request (an inordinate amount of) permissions that don’t coincide with their advertised functions, i.e. “Chrome” asking for to be placed on the Battery Optimization exceptions whitelist.

Common sense is your best friend when it comes to your digital security. Use it!