Researchers at ESET, a global leader in the cybersecurity market, have identified a sneaky but surprisingly simple technique that allowed Android malware to remain undetected.
By analyzing the DEFENSOR ID app, available in the official Android app store, ESET researchers discovered that the app was able to misuse accessibility services without requesting suspicious permissions or causing visible damage.
"Accessibility services have long been known to be the Achilles heel of the Android operating system, and cybersecurity solutions aim to detect their possible misuse through suspicious-behavior detectors," explained Lukáš Štefanko of ESET Research, who conducted the analysis of DEFENSOR ID.
Faced with malware that showed no additional features or suspicious permission requests while exploiting accessibility services, no detection system raised any alerts. As a result, the app remained in the Google Play Store for months without any of the security vendors participating in VirusTotal noticing it.
"For us at ESET, this was a great lesson. Based on what we learned from DEFENSOR ID, we updated our detection technologies to also identify malware that keeps a very low profile," said Štefanko.
In addition to being barely detectable, DEFENSOR ID is capable of inflicting serious damage on victims. It belongs to the category of banking Trojans and is exceptionally insidious: once installed, a single action by the user is enough to fully unleash its power.
"Once the user activates accessibility services, DEFENSOR ID is able to empty the victim's bank account or cryptocurrency wallet and hack their email or social media accounts," comments Štefanko.
Following ESET's report, Google has removed DEFENSOR ID from the official Android app store.
"We published the results of our investigation into this malware to help antivirus developers deal with low-impact malware attacks. From today, the hackers who developed this malware will face protections that are harder to bypass, both on Google Play and on user devices," concluded ESET's Štefanko.
More information on the subject is available in the ESET Research article "Insidious Android malware gives up all malicious features but one to gain stealth".