FjordPhantom Android malware uses virtualization to evade detection


Android in a container

A new Android malware called FjordPhantom has been discovered using application virtualization to run malicious code in a container and evade detection.

The malware was discovered by Promon, whose analysts report that it currently spreads via emails, SMS, and messaging apps, targeting banking apps in Indonesia, Thailand, Vietnam, Singapore, and Malaysia.

Victims are tricked into downloading what appear to be legitimate banking apps but which contain malicious code running in a virtual environment to attack the real banking app.

FjordPhantom aims to steal online bank account credentials and manipulate transactions by performing on-device fraud.

Promon's report highlights a case of FjordPhantom stealing $280,000 from a single victim, made possible by combining the malware's deceptive nature with social engineering, such as calls supposedly from bank customer service agents.

Virtualization as evasion on Android

On Android, multiple apps can run in isolated environments known as "containers" for legitimate reasons, such as running multiple instances of the same app with different accounts.

FjordPhantom incorporates a virtualization solution taken from open-source projects to create a virtual container on the device without the user knowing.

Upon launch, the malware installs the APK of the banking app the user intended to download and executes malicious code within the same container, making that code part of the trusted process.

With the banking app running inside its virtual container, FjordPhantom can inject its code to hook key APIs, which lets it capture credentials, manipulate transactions, intercept sensitive information, and so on.

In some apps, the malware's hooking framework also manipulates user interface elements to automatically close warning dialogs and keep the victim unaware of the compromise.

[Figure: FjordPhantom's virtualization attack]
Source: Promon

Promon notes that this virtualization trick breaks the 'Android Sandbox' security concept, which prevents apps from accessing each other's data or interfering with their operations, because apps inside a container share the same sandbox.

This is a particularly deceptive attack because the banking app itself isn't modified, so code-tampering detection doesn't help catch the threat.

Moreover, by hooking APIs related to Google Play Services to make them appear unavailable on the device, FjordPhantom hampers root-related security checks.

The malware's hooks even extend to logging, potentially giving the developers pointers for performing more targeted attacks on different apps.

Promon comments that this is a sign of active development, raising the risk of FjordPhantom expanding its targeting scope beyond the countries mentioned in future releases.
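The attack above works because the banking app is not installed by the system but loaded by another app's container, so it shares that host's UID, data directory and process. As an added defensive example (not code from the article, from Promon, or from the malware), the Android class below, with a class name, method names and an allow-list of our own choosing, collects startup heuristics a banking app can use to notice that situation. Only real Android framework APIs are used; the path patterns reflect the standard install layout and are assumptions about what a container would fail to reproduce.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.os.Process;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Added example: heuristics for "am I running inside another app's virtualization container?". */
public final class ContainerCheck {

    // Packages whose native libraries are legitimately mapped into an app process
    // (the WebView provider). Illustrative allow-list; extend for your own dependencies.
    private static final List<String> ALLOWED_FOREIGN_PACKAGES = Arrays.asList(
            "com.google.android.webview", "com.android.webview",
            "com.google.android.trichromelibrary");

    /** Returns a list of indicators; an empty list means nothing suspicious was observed. */
    public static List<String> collectIndicators(Context ctx) {
        List<String> findings = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo ai = ctx.getApplicationInfo();

        // 1. A normally installed app owns its UID. Inside a container the virtualized
        //    app runs under the host app's UID, so foreign package names show up.
        //    (On Android 11+ package-visibility filtering can hide entries: a null or
        //    single-entry result is inconclusive, not a clean bill.)
        String[] sharing = ctx.getPackageManager().getPackagesForUid(Process.myUid());
        if (sharing != null) {
            for (String other : sharing) {
                if (!other.equals(pkg)) {
                    findings.add("uid shared with foreign package: " + other);
                }
            }
        }

        // 2. The system assigns /data/user/<n>/<pkg> (or the legacy /data/data/<pkg>)
        //    as the data directory. Containers redirect it below the host's own data dir,
        //    typically keeping the package name as the last component, so match the whole path.
        Pattern dataDirPattern = Pattern.compile(
                "^/data/(user(_de)?/\\d+|data)/" + Pattern.quote(pkg) + "$");
        String dataDir = ai.dataDir == null ? "" : ai.dataDir;
        if (!dataDirPattern.matcher(dataDir).matches()) {
            findings.add("unexpected dataDir: " + dataDir);
        }

        // 3. A system-installed APK lives under /data/app/ (or a read-only partition).
        //    A host that unpacked our APK into its private storage cannot reproduce that.
        String srcDir = ai.sourceDir == null ? "" : ai.sourceDir;
        if (!(srcDir.startsWith("/data/app/") || srcDir.startsWith("/system/")
                || srcDir.startsWith("/product/") || srcDir.startsWith("/vendor/"))) {
            findings.add("unexpected sourceDir: " + srcDir);
        }

        // 4. The host process has already loaded its virtualization engine, so native
        //    libraries from another data-area APK are mapped into our process.
        for (String lib : foreignNativeLibraries(pkg)) {
            findings.add("native library from foreign app: " + lib);
        }
        return findings;
    }

    /** Scans /proc/self/maps for .so files that come from another app's install path. */
    static List<String> foreignNativeLibraries(String ownPkg) {
        List<String> foreign = new ArrayList<>();
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                int idx = line.indexOf('/');
                if (idx < 0) continue;
                String path = line.substring(idx);
                if (!path.startsWith("/data/") || !path.endsWith(".so")) continue;
                if (path.contains("/" + ownPkg)) continue; // our own lib directory
                boolean allowed = false;
                for (String p : ALLOWED_FOREIGN_PACKAGES) {
                    if (path.contains("/" + p)) { allowed = true; break; }
                }
                if (!allowed && !foreign.contains(path)) foreign.add(path);
            }
        } catch (IOException ignored) {
            // Reading may be restricted; absence of evidence is not treated as a finding.
        }
        return foreign;
    }

    private ContainerCheck() {}
}
```

Because FjordPhantom hooks APIs inside the very process that would run these checks, a hooking framework can tamper with `getPackagesForUid`, `ApplicationInfo` and file reads as well; treat the result as a risk signal to report to server-side fraud scoring, alongside the transaction anomalies the article describes, rather than as a hard client-side block. Adoptable storage (`/mnt/expand/...`) and OEM-specific layouts can also trip checks 2 and 3, which is another reason to score rather than block.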