Phones Think Android.Spywaller is a Security Tool

There’s a new bug on the block, and it can fool your Android’s security system. This piece of malware, just discovered by the security company Symantec, pretends to be part of your phone’s firewall. The company said that the malware has only affected people in China, although it does not know how many have been infected.

What is Android.Spywaller?

Android.Spywaller is a piece of malware that has been designed to look like a Google Service, specifically part of the firewall. Your phone’s firewall is supposed to protect you against malicious software, so this is an ingenious bit of irony: the malware uses the Android OS security services to defeat OS security. Posing as a security feature, it is allowed through your phone’s defenses. But how can this even be done? Symantec explains that the attackers used DroidWall, a firewall binary that is a customized version of iptables. DroidWall is available to the public, so that was an easy step. Using DroidWall, the attackers then made their own firewall rules that effectively disabled the antivirus protection by blocking the app’s communication with a remote server. Without the antivirus app to block the malware, it slips by undetected.
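To make the firewall-rule trick concrete from the defender's side, the following added example (not code from Symantec or from the malware) scans `iptables -S` style output for DROP/REJECT rules aimed at a security app. It assumes the block is expressed as per-UID owner-match rules and that a package-to-UID listing in `<package> <uid> ...` form is available; the package names, UIDs, chain name and sample rules are all constructed.

```python
import re

# Matches `iptables -S` lines that DROP/REJECT traffic selected by owning UID.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?-m owner (?P<neg>! )?--uid-owner "
    r"(?P<lo>\d+)(?:-(?P<hi>\d+))?.*? -j (?P<target>DROP|REJECT)\b"
)

# Constructed sample data (not from a real device); names are hypothetical.
SAMPLE_RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 10120 -p tcp --dport 443 -j ACCEPT
-A OUTPUT -m owner --uid-owner 10089 -j DROP
-A fw-custom -m owner --uid-owner 10080-10090 -j REJECT --reject-with icmp-port-unreachable
"""
SAMPLE_PACKAGES = """\
com.example.antivirus 10089 0 /data/data/com.example.antivirus default 3003
com.example.browser 10120 0 /data/data/com.example.browser default 3003
"""

def parse_packages(text):
    """Map UID -> package from '<package> <uid> ...' lines."""
    uids = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            uids[int(parts[1])] = parts[0]
    return uids

def blocked_security_apps(rules_text, packages_text, watched):
    """Return sorted (package, chain, target) for block rules hitting watched apps."""
    uid_to_pkg = parse_packages(packages_text)
    findings = set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        lo = int(m["lo"])
        hi = int(m["hi"] or lo)
        for uid, pkg in uid_to_pkg.items():
            in_range = lo <= uid <= hi
            # A negated match ("! --uid-owner N") blocks every UID except N.
            hit = (not in_range) if m["neg"] else in_range
            if hit and pkg in watched:
                findings.add((pkg, m["chain"], m["target"]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in blocked_security_apps(SAMPLE_RULES, SAMPLE_PACKAGES, {"com.example.antivirus"}):
        print("blocked:", *finding)
```

A hit on a security app's UID means its cloud lookups and signature updates are being silently dropped, which is worth alerting on even when the app itself still appears to run normally.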

Once it is inside, it begins rooting the phone so that it can install data trackers such as screen-grabbers and keyloggers. Users are none the wiser because even the phone thinks that the malware is a security feature. The designers made it look like the well-known and much-downloaded Chinese mobile antivirus app Qihoo 360, the same app that the malware actually blocked so that it could replace it.

How Could This Happen?

We all know that there have been a lot of issues at Google lately, so app security has not really been at the level that we would have liked it to reach last year. There are so many different types of devices using Android, and firmware updates come a lot less often than is prudent. There have also been a lot of attacks designed for Android devices not only because of the security issues but because Android users far outnumber users of any other mobile OS. It can be hard to keep up with all the offensives.

In addition, Chinese users do not have the benefit of access to the official Google Play Store. There, security is tighter because apps are scanned better than they are on any third-party app store. Chinese users can never be sure that they are getting a clean app unless they actually use a VPN and download their apps only from Google Play.

Finally, app developers must shoulder some of the blame. A lot of them are not careful about security when they develop their apps. They just want to get them out there to start generating income, and that is a big risk. After release, few developers actually update their apps, which are then left in the open to provide easy ins for any spy or criminal.

Just Another Attack Vector?

The malware has been confined to China, as Symantec reported, and this has got us thinking. Tools like screen-grabbers and keyloggers are often used by cybercriminals to help them obtain bank logins and such. But these tools are never used alone, and the targets are not usually so confined to a certain region. Since the malware seems only to be interested in what phone users are viewing and typing, it really looks rather like a spy tool and not a criminal hack. Can this Android.Spywaller actually be a government experiment in cracking mobile phones? We do not have much information at the moment – and we may never know for sure – but we are reserving our suspicions just in case someone comes along to blow the whistle on Xi’s administration.
