Android banking malware whitelists itself to stay connected with attackers


November 17, 2016

Recent variants of Android.Fakebank.B have been updated to work around the battery-saving process Doze. The variants display a pop-up message asking the user to add the threat to the Battery Optimizations exceptions whitelist. If this technique works, then the malware can stay connected to command and control servers even when the device is dormant.

Bypassing Doze

Doze is a power-saving feature introduced in Android 6.0 Marshmallow. When an unplugged device is left idle for a period of time, it enters Doze mode, which lets the OS conserve battery by restricting apps’ access to the network and to CPU-intensive services. This is a hurdle for banking malware that runs in the background and polls an attacker’s server for commands.

To circumvent Doze’s restrictions, Android.Fakebank.B fires an ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS intent. This triggers a pop-up message asking the user to add the app to the Battery Optimizations exceptions whitelist. Apps that are added to the whitelist do not follow Doze’s restrictions, allowing them to stay connected to their command and control servers in the background regardless of battery conditions.
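A user-added Doze exemption is the artefact this prompt leaves behind, so one defensive check is to audit the device’s exemption list. The following Python triage helper is an added example, not code from the original article or from Symantec: it parses the output of `adb shell dumpsys deviceidle whitelist` and flags user-added entries that are not on a reviewed allowlist. The `system,<package>,<uid>` / `user,<package>,<uid>` line format, the sample output and the allowlist are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `adb shell dumpsys deviceidle whitelist` output (not real
# device data). The assumed line format is `system,<package>,<uid>` and
# `user,<package>,<uid>`; `user` entries are the ones an interactive prompt creates.
SAMPLE_DUMPSYS = """\
system,com.android.vending,10019
system,com.google.android.gms,10007
user,com.example.unknownapp,10123
user,com.spotify.music,10089
this line is malformed and must be skipped
"""

# Hypothetical allowlist of apps already reviewed and accepted as Doze exemptions.
KNOWN_GOOD_USER_WHITELIST = {"com.spotify.music"}

LINE_RE = re.compile(r"^(system|user),([A-Za-z0-9_.]+),(\d+)$")


@dataclass(frozen=True)
class WhitelistEntry:
    source: str    # "system" or "user"
    package: str
    uid: int


def parse_whitelist(dump: str) -> List[WhitelistEntry]:
    """Parse dumpsys output into entries; lines that don't match the format are skipped."""
    entries = []
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(WhitelistEntry(m.group(1), m.group(2), int(m.group(3))))
    return entries


def suspicious_user_entries(dump: str, known_good=KNOWN_GOOD_USER_WHITELIST) -> List[str]:
    """User-added exemptions not on the reviewed allowlist, sorted by package name.

    An unexpected entry is a lead, not proof of infection: legitimate apps request
    the same exemption, so each hit should be checked against the installed APK.
    """
    return sorted(e.package for e in parse_whitelist(dump)
                  if e.source == "user" and e.package not in known_good)


if __name__ == "__main__":
    for pkg in suspicious_user_entries(SAMPLE_DUMPSYS):
        print("review Doze exemption:", pkg)
```

Feed the helper real output captured with `adb shell dumpsys deviceidle whitelist` in place of the constructed sample; system-sourced entries are left alone because they are not the product of the prompt described above.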
