Can disable 2FA or biometric verification methods increasing fraud risk
Co-opts accessibility features to view screens remotely
Exploits Linux kernel feature seccomp for access
First discovered by cybersecurity firm Promon, analysis published in report
Impacts one banking app in Southeast Asia, not found on Google Play Store yet
New Android malware strain named Snowblind identified
Steals banking login information and interrupts transactions
In recent cybersecurity news, a new malware strain named Snowblind has been identified that targets Android users by exploiting the Linux kernel feature seccomp. This malware co-opts accessibility features to view victims' screens remotely and steal banking login information or interrupt transactions. It can also disable two-factor authentication (2FA) or biometric verification methods, increasing the risk of fraud or identity theft.
Snowblind was first discovered by cybersecurity firm Promon, who analyzed how it achieves its goal undetected. The malware abuses seccomp to effectively sandbox repackaged apps and set up a filter to look for system commands that might apply to it, redirecting them to benign code.
One banking app in Southeast Asia has been identified as being impacted by Snowblind. Google has stated that based on its current detection, no Snowblind apps are found on the Google Play Store.
Snowblind is a serious threat to Android users and highlights the importance of keeping devices updated with the latest security patches and using reputable sources for app downloads.
It's important to note that this is not an exhaustive list of all facts related to Snowblind, but rather a summary of some key points. For a more comprehensive understanding, it's recommended to read the original reports from Promon and other trusted cybersecurity sources.
Snowblind is an Android malware that abuses a security feature called seccomp to bypass existing anti-tampering protections in apps handling sensitive user data.
The goal of Snowblind is to repackage target apps and make them unable to detect abuse of accessibility services, allowing it to obtain user input such as credentials or gain remote control access.
Snowblind abuses seccomp, a Linux kernel feature used by Android for integrity checks on applications, turning it into an attack tool.
Promon analyzed how Snowblind achieves its goal undetected after receiving a sample from i-Sprint.
Accuracy
Snowblind targets apps handling sensitive data by injecting a native library before the anti-tampering code and installing a seccomp filter to intercept system calls like 'open()'
Snowblind can be used to disable security features like two-factor authentication or biometric verification, read sensitive information displayed on the screen, control apps, bypass security measures and exfiltrate sensitive personally identifiable information and transaction data.
Hackers from Southeast Asia have developed a new malware called Snowblind that exploits the seccomp security feature in Android to isolate and tamper with applications.
Snowblind works by repackaging an app with a library containing a seccomp filter that traps and misdirects select system calls, allowing the malware to perform unchecked actions.
Accuracy
No Contradictions at Time
Of
Publication
Deception
(50%)
The article contains editorializing and sensationalism. The author uses phrases like 'hackers from Southeast Asia have turned Android’s own best application security mechanism against itself' and 'Snowblind works by abusing the ubiquitous and otherwise sterling Linux security feature seccomp'. These phrases are intended to grab the reader's attention and create a sense of urgency, but they also imply that the hackers are malicious actors by default, without providing any evidence or context. The author also uses the phrase 'next evolution' to describe Snowblind, implying that it is a significant threat when its specific capabilities and impact are not fully understood from the information provided in the article.
hackers from Southeast Asia have turned Android’s own best application security mechanism against itself
Snowblind works by abusing the ubiquitous and otherwise sterling Linux security feature seccomp
Fallacies
(95%)
The article contains an appeal to authority in the form of quotes from Jan Vidar Krey, vice president of engineering at Promon. However, this does not constitute a fallacy as long as the information provided is accurate and relevant to the topic.
"In security, nothing is bulletproof,"
"Everything can be circumvented to some extent, which is a harsh, brutal way of looking at it, but that's the reality."
A new strain of banking malware named Snowblind targets Android users by exploiting the Linux kernel feature seccomp.
Snowblind co-opts accessibility features to view victims' screens remotely and steal banking login information or interrupt transactions.
It can also disable two-factor authentication (2FA) or biometric verification methods, increasing the risk of fraud or identity theft.
Accuracy
No Contradictions at Time
Of
Publication
Deception
(100%)
None Found At Time Of
Publication
Fallacies
(85%)
The article contains a few informal fallacies and an example of inflammatory rhetoric. It also uses a somewhat sensationalist headline.
. . . it can also disable two-factor authentication (2FA) or biometric verification methods, which exposes victims to further risks of fraud or identity theft.
Southeast Asia is witnessing a sharp rise in cyberattacks as malicious actors try to exploit its financial sectors with increasingly sophisticated cyber threats.
Android users are automatically protected against known versions of this malware by Google Play Protect.
Snowblind Android malware named Snowblind that utilizes Linux seccomp feature to sandbox repackaged apps and steal data from banking apps in Southeast Asia.
AU10TIX, a Israel-based identity verification service, had its logging platform credentials exposed for over a year and were still functional as of June 2024.
Polyfill.io JavaScript service was compromised by a Chinese firm, leading to over 100,000 sites being impacted with malicious code causing site redirects.
Two threat clusters targeting critical infrastructure and government entities were identified: ChamelGang (China-linked group) and APT41/Andariel (China/North Korea-linked groups).
A man was arrested by Metropolitan Police in the UK for sending suggestive messages through a 'honey trap' WhatsApp account targeting politicians and journalists.
Rabbit R1 AI assistant gadget left critical API keys hardcoded, exposing ElevenLabs, Microsoft Azure, Yelp, Google Maps, and SendGrid APIs to potential misuse.
P2Pinfect ransomware now drops cryptominer and ransomware onto infected Redis servers since June 23rd.
Victims in the US lost almost $10 million worth of crypto assets to fake law firms posing as recovery services, asking for upfront fees or wallet information.
Accuracy
Snowblind is an Android malware that abuses a security feature called seccomp to bypass existing anti-tampering protections in apps handling sensitive user data.
Snowblind targets apps handling sensitive data by injecting a native library before the anti-tampering code and installing a seccomp filter to intercept system calls like ‘open()’, commonly used in file access.
Snowblind can be used to disable security features like two-factor authentication or biometric verification, read sensitive information displayed on the screen, control apps, bypass security measures and exfiltrate sensitive personally identifiable information and transaction data.
Snowblind is a new vulnerability that targets the Linux kernel feature seccomp on Android devices.
Only one specific app has been spotted with this vulnerability so far.
Accuracy
No Contradictions at Time
Of
Publication
Deception
(100%)
None Found At Time Of
Publication
Fallacies
(95%)
The author makes an assumption about the future actions of attackers based on the current state of the vulnerability. This is a form of Crystallball Fallacy.
That's the end of the good however, as the only reason it's not widespread is that attackers aren’t familiar with it, the moment they do familiarize themselves you can expect to see it leveraged far and wide.