Cybersecurity researchers have disclosed a new, sophisticated Android malware called FjordPhantom that has been observed since early September 2023 targeting users in Southeast Asian countries such as Indonesia, Thailand, and Vietnam.
“It primarily spreads through messaging services and uses a combination of app-based malware and social engineering to defraud bank customers,” Oslo-based mobile app security company Promon said in an analysis published Thursday.
The attack chain, propagated primarily through email, SMS, and messaging apps, tricks recipients into downloading a banking app that purports to have legitimate functionality but also contains malicious components.
Victims are then subjected to social engineering techniques similar to Telephone-Oriented Attack Delivery (TOAD): the victim is induced to call a fake call center and receives step-by-step instructions for running the app.
The main characteristic of this malware, unlike other banking trojans of its kind, is that it uses virtualization to run its malicious code inside a container and fly under the radar.
According to Promon, this sneaky technique breaks Android’s sandbox protection by allowing different apps to run in the same sandbox, which lets the malware access sensitive data without requiring root access.
“Virtualization solutions, like those used by malware, can also be used to inject code into applications. This is because the virtualization solution first injects its own code (and whatever else is in the app) into a new process and then loads the hosted code, which is the application,” security researcher Benjamin Adolphi said.
In the case of FjordPhantom, the downloaded host app contains malicious modules and virtualization elements that are used to install and launch the target bank’s built-in app in the virtual container.
In other words, the fake app loads the bank’s legitimate app into a virtual container while simultaneously using hooking frameworks within that environment to modify the behavior of key APIs, programmatically retrieve sensitive information from the application’s screen, and close dialog boxes that would alert users to malicious activity on their devices.
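As an added, illustrative example (not Promon’s code and not anything taken from the FjordPhantom analysis), the following Android Java helper shows the kind of startup self-check a banking app can run to notice that it has been loaded into another app’s process rather than its own sandbox. The data-directory layout, process-naming convention and memory-map path patterns it relies on are assumptions about how such containers typically behave, as stated in the comments.

```java
import android.content.Context;

import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example: runtime heuristics a banking app can evaluate at startup to
 * detect that it is being hosted inside another app's process ("virtualization").
 * Every check is a heuristic based on assumed container behaviour; treat the
 * result as a risk signal to report and combine with other controls, not proof.
 */
public final class VirtualizationCheck {

    private VirtualizationCheck() {}

    /** Returns human-readable findings; an empty list means nothing suspicious. */
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        String pkg = ctx.getPackageName();

        // 1. Our private files directory should live under our own package
        //    directory (/data/data/<pkg> or /data/user/<n>/<pkg>). Assumption:
        //    a container redirects it to a path inside the host app's sandbox.
        String files = ctx.getFilesDir().getAbsolutePath();
        boolean ownDir = files.startsWith("/data/data/" + pkg + "/")
                || files.matches("^/data/user/\\d+/" + Pattern.quote(pkg) + "/.*");
        if (!ownDir) {
            out.add("files dir outside own sandbox: " + files);
        }

        // 2. The kernel-visible process name, read straight from procfs rather
        //    than through a hookable Java API, should be <pkg> or <pkg>:<suffix>.
        String cmdline = readRaw("/proc/self/cmdline");
        if (cmdline != null) {
            String proc = cmdline.split("\0")[0];
            if (!proc.equals(pkg) && !proc.startsWith(pkg + ":")) {
                out.add("process name does not belong to package: " + proc);
            }
        }

        // 3. App code (apk/dex/so) mapped from another app's directories means
        //    foreign code shares our process. System and APEX libraries are
        //    expected and ignored. Assumption: legitimate dynamically loaded
        //    code (e.g. from Google Play services) lives under other prefixes
        //    such as /data/user_de/ and may need an explicit allow-list.
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                int idx = line.indexOf('/');
                if (idx < 0) continue;                       // anonymous mapping
                String path = line.substring(idx);
                boolean appArea = path.startsWith("/data/app/")
                        || path.startsWith("/data/data/")
                        || path.startsWith("/data/user/");
                boolean isCode = path.endsWith(".apk") || path.endsWith(".dex")
                        || path.endsWith(".odex") || path.endsWith(".vdex")
                        || path.endsWith(".so");
                // Own APK paths look like /data/app/<pkg>-<id>/base.apk or
                // /data/app/~~<hash>==/<pkg>-<hash>==/base.apk; own data paths
                // contain /<pkg>/.
                boolean ours = path.contains("/" + pkg + "/") || path.contains("/" + pkg + "-");
                if (appArea && isCode && !ours) {
                    out.add("foreign app code mapped in process: " + path);
                }
            }
        } catch (IOException e) {
            // procfs unreadable: inconclusive, not evidence either way
        }
        return out;
    }

    /** Reads a small procfs file as a single string, or null if unreadable. */
    private static String readRaw(String path) {
        try (BufferedReader r = new BufferedReader(new FileReader(path))) {
            StringBuilder sb = new StringBuilder();
            int c;
            while ((c = r.read()) != -1) sb.append((char) c);
            return sb.toString();
        } catch (IOException e) {
            return null;
        }
    }
}
```

A typical use is to call `VirtualizationCheck.findings(getApplicationContext())` from the application’s startup path and, if the list is non-empty, report the findings to the bank’s backend for risk scoring and step up authentication or refuse sensitive operations. A container that also hooks native file I/O or rewrites procfs reads can defeat these heuristics, which is why they belong alongside server-side controls rather than standing alone.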
“FjordPhantom itself is written in a modular manner to attack a variety of banking apps,” Adolphi said. “Depending on which banking apps are embedded with malware, different attacks are performed against these apps.”