Ingenious! The Android malware which only triggers if you’re moving

If it detects no motion, it assumes it’s being analysed by a security researcher.

Graham Cluley


It’s a truth universally acknowledged that malware authors don’t like security companies detecting their malicious code. Or indeed app stores detecting their shenanigans and preventing them from gaining access to a potential pool of millions of users.

And so, over the years, creators of viruses, worms and Trojan horses have used a variety of methods in an attempt to detect whether their code is being analysed and refuse to activate.

The bad guys’ hope is that if their code does not execute its malicious payload, automated analysis may overlook it, and researchers may simply move on to the next piece of potential malware on the conveyor belt.


What I haven’t heard of before is a technique used by some malicious Android apps, which can tell whether they are being analysed within the emulators beloved of security research labs or running on a genuine victim’s device.

As the experts at Trend Micro describe, malicious Android apps in the official Google Play Store are using the motion-sensors of infected devices:

“The malicious app monitors the user’s steps through the device motion sensor. If it senses that the user and the device are not moving (if it lacks sensor data and thus, might be running in a sandbox environment), then the malicious code will not run.”

If the apps fail to detect any movement (and movement is – of course – unlikely for a device sitting in a sandbox environment in a research lab!), they refuse to activate their malicious payload.
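As an added illustration (not code from the article or from Trend Micro’s analysis), here is a small Python model of the motion gate described above and of the countermeasure an analysis sandbox can apply: replaying a synthetic walking signal to the virtual accelerometer, so that “no motion means sandbox” no longer separates the lab from a victim’s pocket. The step-counting heuristic and the walking-signal parameters are constructed assumptions, not the logic of any real app.

```python
import math
import random

GRAVITY = 9.81  # m/s^2, what a resting accelerometer reports


def count_steps(magnitudes, threshold=11.5, hysteresis=0.5):
    """Crude pedometer: one step per peak of accelerometer magnitude above
    `threshold`, with hysteresis so sensor jitter does not double count.
    Constructed heuristic, not the detection logic of any real app."""
    steps, above = 0, False
    for m in magnitudes:
        if not above and m > threshold:
            steps, above = steps + 1, True
        elif above and m < threshold - hysteresis:
            above = False
    return steps


def payload_gate(magnitudes, min_steps=1):
    """Model of the gate the article describes: the second stage is only
    released if the device appears to be carried by a walking person.
    An empty trace (no sensor data at all) is treated as an emulator."""
    if not magnitudes:
        return False
    return count_steps(magnitudes) >= min_steps


def synthetic_walk(seconds=10, rate_hz=50, cadence_hz=1.8, seed=7):
    """Sandbox-side countermeasure: a plausible magnitude trace of someone
    walking (gravity plus a periodic step impulse plus jitter) that an
    analysis environment can feed to its virtual accelerometer."""
    rng = random.Random(seed)
    trace = []
    for i in range(seconds * rate_hz):
        t = i / rate_hz
        impulse = 2.5 * max(0.0, math.sin(2 * math.pi * cadence_hz * t))
        trace.append(GRAVITY + impulse + rng.gauss(0.0, 0.1))
    return trace


def idle_emulator(samples=500, seed=7):
    """What a stock emulator tends to report: gravity with a little noise."""
    rng = random.Random(seed)
    return [GRAVITY + rng.gauss(0.0, 0.05) for _ in range(samples)]


if __name__ == "__main__":
    print("idle emulator releases payload:", payload_gate(idle_emulator()))
    print("replayed walk releases payload:", payload_gate(synthetic_walk()))
```

Running it shows the idle trace never satisfies the gate while the replayed walk does, which is exactly why sandboxes that inject realistic sensor data get a more complete picture of what an app will do.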

If, however, there has been movement, the apps display a fake system update dialog which attempts to trick the poor user into installing a piece of banking malware called Anubis.

[Image: Anubis fake system update dialog]

Ingenious!

The two offending apps detected by the researchers at Trend Micro (Currency Converter and BatterySaverMobi) have been removed from the Google Play Store. I wonder how many others might be trying the same trick.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
