A week after the story about how Android malware uses the target_sdk attribute to circumvent Android Marshmallow's security, Symantec has disclosed technical details of two other circumvention methods. They concern the banking trojan Android.Bankosy and the click-fraud bot Android.Cepsohord, whose authors examined projects on GitHub looking for ways to obtain the list of running processes on the system.
This list lets attackers learn which programs are running and then attempt to phish the logins and passwords for them. Versions before Lollipop (5.0) used the getRunningTasks() call, which has been removed in modern systems.
Symantec traces the first technique to Jared Rummler's AndroidProcesses project on GitHub. Needless to say, his application is not malicious, but the attackers reused part of its code to obtain the list of running applications. The method relies on reading the "/proc/" filesystem. Symantec says it works on Android Lollipop and Marshmallow, but not on the new version, Android N.
The second method draws on the same project as well as a GeeksOnSecurity project called Android Malware Example. It uses the UsageStatsManager API to obtain the process list. This API also exposes the device's usage history, including previously used applications.
Android.Bankosy and Android.Cepsohord use this API to query which applications were active in the last two seconds. The UsageStatsManager API requires the user to grant the application elevated privileges before it returns results. To get around this obstacle, the attackers request the permission under the guise of a Chrome icon.
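Because the UsageStatsManager method only works once the user grants "Usage access", a defender can audit which packages hold that grant. The following is an added example, not code from Symantec or from the projects named above: it parses constructed output in the shape of `adb shell appops get <package> GET_USAGE_STATS` (the exact line format and the package names are assumptions) and flags packages that have the op allowed but are not on an expected allowlist.

```python
import re

# Constructed sample: the output of `appops get <pkg> GET_USAGE_STATS` collected
# for each installed package. The line format is an assumption for this example;
# real output varies by Android version. "No operations." means the op was never set.
SAMPLE_APPOPS = {
    "com.android.settings": "GET_USAGE_STATS: allow; time=+3d2h11m0s ago",
    "com.example.launcher": "GET_USAGE_STATS: allow; time=+5h0m0s ago",
    "com.chrome.update.helper": "GET_USAGE_STATS: allow; time=+2m0s ago",  # constructed lookalike
    "com.example.notes": "GET_USAGE_STATS: ignore; time=+1d0h0m0s ago",
    "com.example.game": "No operations.",
}

# Packages that legitimately need usage access on this device (assumed allowlist).
EXPECTED_USAGE_ACCESS = {"com.android.settings", "com.example.launcher"}

OP_LINE = re.compile(r"^GET_USAGE_STATS:\s*(allow|ignore|deny|default)\b")


def parse_usage_stats_mode(appops_output: str) -> str:
    """Return the GET_USAGE_STATS mode ('allow', 'ignore', 'deny', 'default'),
    or 'unset' when the op was never touched for this package."""
    for line in appops_output.splitlines():
        match = OP_LINE.match(line.strip())
        if match:
            return match.group(1)
    return "unset"


def find_unexpected_usage_access(appops_by_pkg: dict, allowlist: set) -> list:
    """List packages that have usage access granted but are not expected to.
    Any hit deserves a manual look: this is the grant the trojans trick users into giving."""
    flagged = [
        pkg
        for pkg, output in appops_by_pkg.items()
        if parse_usage_stats_mode(output) == "allow" and pkg not in allowlist
    ]
    return sorted(flagged)


if __name__ == "__main__":
    for pkg in find_unexpected_usage_access(SAMPLE_APPOPS, EXPECTED_USAGE_ACCESS):
        print("review usage access for:", pkg)
```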