An Android banking malware has been discovered that whitelists itself on a battery-saving process to bypass restrictions and stay active in the background of Android devices.
Symantec, a U.S. Internet security company, warns that the malware, called Android.Fakebank.B, has been updated to work around the battery-saving process Doze.
The malware displays a pop-up message asking the user to add the threat to the Battery Optimizations exceptions whitelist. If this technique works, then the malware can stay connected to command and control servers even when the device is dormant.
Doze is a power-saving feature in Android 6.0 Marshmallow. When a user does not use an unplugged device for a period of time, the device enters Doze mode. This allows the OS to conserve battery by restricting apps’ access to network and CPU-intensive services.
This feature is a hurdle for banking malware running in the background and connecting to an attacker’s server to receive commands.
To bypass Doze’s restrictions, Android.Fakebank.B triggers a pop-up message asking the user to add the app to the Battery Optimizations exceptions whitelist. Apps that are added to the whitelist do not follow Doze’s restrictions, allowing them to stay connected to their command and control servers in the background regardless of battery conditions, explains Symantec.
Explaining how the whitelisting technique works, the Internet security company says Marshmallow’s dynamic permission model defines permissions as normal, dangerous, or above dangerous. Permissions classified as normal are approved automatically and cannot be disabled through appinfo permissions.
According to Symantec, the intent causes a pop-up message to appear and users may be tricked into allowing the threat to bypass Doze’s restrictions if the malware poses as a legitimate app.
If the user accepts the prompt’s request, the malware will be added to the Battery Optimizations exceptions whitelist, allowing it to stay connected to its attacker’s remote location even when the device is inactive.
Symantec recommends that users follow these best practices to stay protected from mobile threats:
- Keep your software up to date.
- Do not download apps from unfamiliar sites.
- Only install apps from trusted sources.
- Pay close attention to the permissions requested by apps.
- Install a suitable mobile security app to protect your device and data.
- Make frequent backups of important data.
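To check a device for the kind of Doze exemption described above, the added example below (not from Symantec or the original article) parses captured output of `adb shell dumpsys deviceidle whitelist` and `adb shell pm list packages -i` and lists user-granted exemptions held by apps that did not come from a trusted store. The line formats, the trusted-installer set and the sample package names are assumptions constructed for illustration.

```python
# Added example: audit the Doze (Battery Optimizations) whitelist offline.
# Inputs are captured on the device under review with:
#   adb shell dumpsys deviceidle whitelist
#   adb shell pm list packages -i
# The line formats parsed below are assumed from typical output.

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only

# Constructed sample data; the com.example.* package names are made up.
SAMPLE_WHITELIST = """\
system-excidle,com.android.providers.downloads,10009
system,com.google.android.gms,10014
user,com.example.musicplayer,10087
user,com.example.flashupdate,10102
"""
SAMPLE_PACKAGES = """\
package:com.google.android.gms  installer=com.android.vending
package:com.example.musicplayer  installer=com.android.vending
package:com.example.flashupdate  installer=null
"""

def parse_whitelist(text):
    """Return {package: kind}; kind is 'system', 'system-excidle' or 'user'."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] in ("system", "system-excidle", "user"):
            entries[parts[1]] = parts[0]
    return entries

def parse_installers(text):
    """Return {package: installer or None} from `pm list packages -i` output."""
    installers = {}
    for line in text.splitlines():
        fields = line.strip().removeprefix("package:").split()
        if not line.strip().startswith("package:") or not fields:
            continue
        value = next((f[10:] for f in fields[1:] if f.startswith("installer=")), "")
        installers[fields[0]] = None if value in ("", "null") else value
    return installers

def suspicious_exemptions(whitelist_text, packages_text, trusted=TRUSTED_INSTALLERS):
    """User-granted Doze exemptions held by apps not installed from a trusted store."""
    installers = parse_installers(packages_text)
    return sorted(pkg for pkg, kind in parse_whitelist(whitelist_text).items()
                  if kind == "user" and installers.get(pkg) not in trusted)

if __name__ == "__main__":
    for pkg in suspicious_exemptions(SAMPLE_WHITELIST, SAMPLE_PACKAGES):
        print("review Doze exemption:", pkg)
```

A flagged entry can be reviewed and removed under the device's Battery Optimizations settings.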