Bratislava – May 22, 2020 – ESET researchers discovered an extremely stealthy – yet surprisingly simple – technique that allowed Android malware to stay under the radar. Analyzing the DEFENSOR ID app that was – at the time – available on the official Android app store, ESET researchers learned the app misused Accessibility Services but required no other suspicious permission nor had any other malicious functionality.
“The Accessibility Services feature is long known to be the Achilles’ heel of the Android operating system, and security solutions have been tuned to detect various combinations of misuse of this weak spot with other indicators of malicious behavior,” explains Lukáš Štefanko, the ESET malware researcher who conducted the analysis into DEFENSOR ID.
Faced with malware that displayed no additional functionality nor suspicious permissions on top of Accessibility Services, all known security mechanisms failed to trigger any alarm. As a result, DEFENSOR ID made it onto the Google Play store, stayed there for a few months and was never detected by any security vendor participating in the VirusTotal program.
“This has been a valuable lesson for us. Based on what we’ve learned about DEFENSOR ID, we’ve fine-tuned our detection technologies to also cover malware with such a uniquely low detection cross-section,” says Štefanko.
Apart from being extremely stealthy, DEFENSOR ID is capable of inflicting serious harm on its victims. It belongs to the banking trojans malware category and is exceptionally insidious: once installed, it needs its victim to take only one action to fully unleash its power.
“Once the user activates Accessibility Services, DEFENSOR ID can pave the way for the attacker to clean out the victim’s bank account or cryptocurrency wallet and take over their email or social media accounts, among other malicious actions,” comments Štefanko.
Following ESET’s notice, Google removed DEFENSOR ID from the official Android app store.
“We decided to publish the results of our investigation into this malware to help defenders cope with ultra-low cross-section Android malware. The creators of such malware are definitely going to face hardened protections around both Google Play and the users’ devices,” concludes ESET’s Štefanko.
For more details, read “Insidious Android malware gives up all malicious features but one to gain stealth” on WeLiveSecurity.com. Make sure to follow the ESET Research account on Twitter for the latest news from ESET Research.
The DEFENSOR ID app on Google Play – Portuguese version (Google Translate: “Your new Defensor app available for: / Physical People / Legal entities / From now on you will have more protection when using your applications, encryption for end-to-end users”)
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.