It’s a truth universally acknowledged that malware authors don’t like security companies detecting their malicious code. Or indeed app stores detecting their shenanigans and preventing them from gaining access to a potential pool of millions of users.
And so, over the years, creators of viruses, worms and Trojan horses have used a variety of methods in an attempt to detect whether their code is being analysed and refuse to activate.
The bad guys’ hope is that if their code does not execute its malicious payload, automated analysis may overlook it, and researchers may simply move on to the next piece of potential malware on the conveyor belt.
What I haven’t heard of before is a technique used by some malicious Android apps, which can tell the difference as to whether they are being analysed within the emulators beloved of security research labs or running on a genuine victim’s device.
As the experts at Trend Micro describe, malicious Android apps in the official Google Play Store are using the motion-sensors of infected devices:
“The malicious app monitors the user’s steps through the device motion sensor. If it senses that the user and the device are not moving (if it lacks sensor data and thus, might be running in a sandbox environment), then the malicious code will not run.”
If the apps fail to detect any movement (which is – of course – unlikely in a sandbox environment in a research lab!), they refuse to activate their malicious payload.
If, however, there has been movement, the apps display a fake system update dialog which attempts to trick the poor user into installing a piece of banking malware called Anubis.
Ingenious!
The two offending apps detected by the researchers at Trend Micro (Currency Converter and BatterySaverMobi) have been removed from the Google Play Store. I wonder how many others might be trying the same trick.