SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT

Malicious banker tries to bypass Android Marshmallow security barriers (September 16, 2016)


The Android Ecosystem has seen an influx of malicious entities that employ a number of tricks to steal sensitive user related information. One such trick is to draw an overlay on the screen on top of a legitimate application. With this overlay on top of the screen, the victim believes information is being passed to a legitimate app but in reality it is stolen by the malicious app via this overlay. We have seen a number of malicious apps do this in the past with the intent of stealing banking related user information.

New security features are added with every new release of the Android OS, with the recent outbreaks of malware and vulnerabilities more so. One such feature was added in Android Marshmallow to combat against malicious apps that use overlays.

  • Until Lollipop (Android version: 5) the ability to draw over other apps was included in the list of permissions presented to the user during app installation
  • Android marshmallow has a dedicated setting for overlays in Apps > Configure Apps > Draw over other apps
  • Users can now see which apps have the ability to draw overlays over other apps, they can thereby choose to allow/disallow this permission for a particular app

The ability to see which apps can create an overlay provides a good degree of control to the user, malicious entities have been at work trying to circumvent this security feature. Dell SonicWall Threats Research Team got reports about one such strain of Android malware that tries to do this.

The malicious app tries to coax the user into providing necessary permissions with a bit of reasoning. The user sees a screen stating that some rights are required by the app to work with graphics and windows (Figure 3). The next screen specifically asks the user to permit the app to draw an overlay over other apps (Figure 4).

Once the user grants this permission, the malware is unshackled from the Marshmallow's restriction about overlays. It wastes no time in covering the entire screen with an overlay that asks the user to activate administrative privileges, as expected the user is left with no option but to grant this permission as there is just one button "Provide".

Malicious applications strive to get Administrative rights to make it difficult for victims to uninstall the app from the device, same is the case with this app:

In Android Marshmallow permissions are requested as they are used by the apps, this contrasts the permission model of previous Android versions where all the permissions were requested during app installation. After receiving Administrative privileges this app requests for permissions to make phone calls and access SMS:

Permission handling is a unique aspect of this malicious app, apart from that this is a fairly generic Banking trojan. The characteristics of this threat are briefly summarized as follows:

  • This threat specifically monitors presence of a Banking app on the device - Sberbank Online which is a Russian banking mobile app

  • It saves sensitive data present on the device like SMS messages in its database lime.db
  • It has capability to receive and execute commands from the attacker
Android OS is a constantly evolving entity, with every new version come new enhancements and changes. At the same time attackers try hard to keep up with the new changes and constantly hunt for vulnerable openings in Android. This malware is an excellent example of the eternal game between the two.

Although this malware is a simple banker trojan, it employs mechanisms to overcome new restrictions imposed by Android Marshmallow, it won't be surprising if other malware strains are spotted in the wild with this technique in the near future.

Dell SonicWALL provides protection against this threat via the following signature:
  • GAV: AndroidOS.Gugi.DZ (Trojan)
We found multiple MD5's exhibiting this behavior during our analysis. Some of them are listed below:
  • c719d7b1918556cbe8b980fe606f2905
  • 41ca089270755881ae8c11cca57c3657
  • 5ca073098106d64854e54a407881c859
  • 2009bde5631710e7e94c41d012de5c47
  • ec23e524883d766aa119e684144ee7e9
  • 8ef9b2581c993f549b9971d8eeb8abc9
  • 6687a23209011bbecfe19f59ae6dc5d7
  • c196cec0be2f85d539ec51d0c738f417
All the samples mentioned above have the package name ru.drink.lime

Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
© 2021 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 17.3 | S1MSW04