Ingenious! The Android malware which only triggers if you’re moving

If it detects no motion, it assumes it's being analysed by a security researcher.

Ingenious! The Android malware which only activates if you're moving

It’s a truth universally acknowledged that malware authors don’t like security companies detecting their malicious code. Or indeed app stores detecting their shenanigans and preventing them from gaining access to a potential pool of millions of users.

And so, over the years, creators of viruses, worms and Trojan horses have used a variety of methods in an attempt to detect whether their code is being analysed and refuse to activate.

The bad guys’ hope is that if their code does not execute its malicious payload, automated analysis may overlook it, and researchers may simply move on to the next piece of potential malware on the conveyor belt.

What I haven’t heard of before is a technique used by some malicious Android apps, which can tell the difference as to whether they are being analysed within the emulators beloved of security research labs or running on a genuine victim’s device.

As the experts at Trend Micro describe, malicious Android apps in the official Google Play Store are using the motion-sensors of infected devices:

The malicious app monitors the user’s steps through the device motion sensor. If it senses that the user and the device are not moving (if it lacks sensor data and thus, might be running in a sandbox environment), then the malicious code will not run.”

If the apps fail to detect any movement (which is - of course - unlikely in a sandbox environment in a research lab!), they refuse to activate their malicious payload.

If, however, there has been movement, the apps display a fake system update dialog which attempts to trick the poor user into installing a piece of banking malware called Anubis.

Anubis update


The two offending apps detected by the researchers at Trend Micro (Currency Converter and BatterySaverMobi) have been removed from the Google Play Store. I wonder how many others might be trying the same trick.

Tags: , ,

Share this article:

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, ,

No comments yet.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.