FjordPhantom Android malware employs virtualization to target banks

Security experts have unearthed a fresh Android threat named FjordPhantom, distinguished by its sneaky tactics and concealed propagation methods.

Initially spotted in early September across Southeast Asia—specifically in Indonesia, Thailand, and Vietnam—the malware may also be affecting users in Singapore and Malaysia. It employs a blend of app-driven strategies and social manipulation, particularly targeting banking customers.

Promon’s Security Research unit, in a recent advisory, disclosed acquiring a sample from an impacted user. They also revealed an incident where a FjordPhantom attack resulted in a substantial loss of 10 million Thai Baht (approximately $280,000 at the time).

Technically, the malware primarily spreads through email, SMS, and messaging platforms, coaxing users into downloading what appears to be an authentic banking app.

Once downloaded, a social engineering scheme unfolds, often supplemented by a call center, guiding users through app execution. This permits attackers to monitor user activities, potentially directing transactions or filching credentials.

The malware’s standout trait lies in its use of virtualization: it incorporates open-source code from GitHub to embed a virtualization solution and a hooking framework. By running apps inside a virtual container it controls, FjordPhantom breaks the isolation the Android sandbox normally provides, giving the apps in the container access to each other’s files and memory. This removes the usual need for root access, which both simplifies the attack and sidesteps root-detection checks.

FjordPhantom embeds the APK of a specific targeted banking app and launches it inside the virtual container without the user’s knowledge. This lets the malware inject additional code, including its own and the hooking framework, into the banking app, and the approach is modular enough to be adapted to different banking apps.

The malware’s sophistication is evident in its use of the hooking framework to manipulate Accessibility services, Google Play Services, and UI functionality. These hooks help it evade detection mechanisms and enable further attacks.
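As an added illustration (not code from Promon or from the article), the following Android startup check shows the kind of tripwire a banking app can use to notice that it is running inside another app’s virtual container rather than as a normally installed app. The class name and the path heuristics are assumptions: a system-installed app has its code under /data/app/ and its private data directly under /data/data/&lt;pkg&gt; or /data/user/&lt;n&gt;/&lt;pkg&gt;, and its process name matches its package name.

```java
// Added example, not Promon's or the malware's code. Heuristic checks that a
// banking app can run at launch to detect execution inside a virtual container.
import android.content.Context;
import android.content.pm.ApplicationInfo;
import java.io.BufferedReader;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public final class ContainerCheck {          // hypothetical class name

    private ContainerCheck() {}

    /** Returns a list of findings; an empty list means no sign of a container. */
    public static List<String> findings(Context ctx) {
        List<String> out = new ArrayList<>();
        String pkg = ctx.getPackageName();
        ApplicationInfo ai = ctx.getApplicationInfo();

        // 1. Code location: the system installs APKs under /data/app/. A container
        //    typically serves the embedded APK from the host app's own files.
        if (ai.sourceDir == null || !ai.sourceDir.startsWith("/data/app/")) {
            out.add("APK not installed by the system: " + ai.sourceDir);
        }

        // 2. Data location: must be exactly /data/data/<pkg> or /data/user/<n>/<pkg>.
        //    A redirected path such as /data/data/<host>/.../<pkg> fails this test.
        Pattern ownSandbox = Pattern.compile(
                "^/data/(data|user/\\d+)/" + Pattern.quote(pkg) + "$");
        if (ai.dataDir == null || !ownSandbox.matcher(ai.dataDir).matches()) {
            out.add("data directory outside own sandbox: " + ai.dataDir);
        }

        // 3. Process identity: inside a container the Linux process belongs to the
        //    host app, so /proc/self/cmdline names the host, not the banking app.
        String proc = processName();
        if (proc != null && !proc.startsWith(pkg)) {
            out.add("process '" + proc + "' does not match package '" + pkg + "'");
        }
        return out;
    }

    private static String processName() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/cmdline"))) {
            String line = r.readLine();
            return line == null ? null : line.replace("\0", "").trim();
        } catch (IOException e) {
            return null;   // unreadable on some builds; treat as no finding
        }
    }
}
```

Because the container also ships a hooking framework, the same Android APIs these checks rely on can be hooked to return clean values, so treat a finding as a signal to refuse sensitive operations and report, not as the only line of defence.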

To combat this threat, Promon advocates for caution among end users when downloading apps from unverified sources or outside official app stores.

For Further Reference

https://www.infosecurity-magazine.com/news/fjordphantom-malware-targets-banks/
