Ingenious! The Android malware which only triggers if you’re moving

Graham Cluley

It’s a truth universally acknowledged that malware authors don’t like security companies detecting their malicious code. Or indeed app stores detecting their shenanigans and preventing them from gaining access to a potential pool of millions of users.

And so, over the years, creators of viruses, worms and Trojan horses have used a variety of methods in an attempt to detect whether their code is being analysed and, if it is, refuse to activate.

The bad guys’ hope is that if their code does not execute its malicious payload, automated analysis may overlook it, and researchers may simply move on to the next piece of potential malware on the conveyor belt.

What I haven’t heard of before is a technique used by some malicious Android apps, which can tell whether they are being analysed within the emulators beloved of security research labs or running on a genuine victim’s device.

As the experts at Trend Micro describe, malicious Android apps in the official Google Play Store are using the motion-sensors of infected devices:

“The malicious app monitors the user’s steps through the device motion sensor. If it senses that the user and the device are not moving (if it lacks sensor data and thus, might be running in a sandbox environment), then the malicious code will not run.”

If the apps fail to detect any movement (and movement is – of course – unlikely in a sandbox environment in a research lab!), they refuse to activate their malicious payload.

If, however, there has been movement, the apps display a fake system update dialog which attempts to trick the poor user into installing a piece of banking malware called Anubis.

[Image: Anubis update]

Ingenious!

The two offending apps detected by the researchers at Trend Micro (Currency Converter and BatterySaverMobi) have been removed from the Google Play Store. I wonder how many others might be trying the same trick.
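For analysts whose emulator sits perfectly still, here is an added example (not code from this article or from Trend Micro) that builds a walking-like accelerometer trace and formats it for replay into an Android emulator. It assumes the emulator console's `sensor set acceleration` command, sent with `adb emu`; the waveform parameters are constructed, and `count_steps` is a stand-in sanity check, not the malware's actual test, which the article does not describe.

```python
import math

GRAVITY = 9.81  # m/s^2: what a motionless device reports on its vertical axis


def walking_trace(seconds=10.0, rate_hz=20, step_hz=1.8, amplitude=2.5):
    """Return constructed (x, y, z) accelerometer samples resembling a carried phone."""
    samples = []
    for i in range(int(seconds * rate_hz)):
        phase = 2 * math.pi * step_hz * (i / rate_hz)
        x = 0.6 * math.sin(phase / 2)              # side-to-side sway, one cycle per two steps
        y = GRAVITY + amplitude * math.sin(phase)  # vertical bounce, one cycle per step
        z = 0.8 * math.cos(phase)                  # small forward/back component
        samples.append((round(x, 3), round(y, 3), round(z, 3)))
    return samples


def count_steps(samples, threshold=GRAVITY + 1.0):
    """Naive step detector: count upward crossings of the threshold on the y axis."""
    steps, above = 0, False
    for _, y, _ in samples:
        if y > threshold and not above:
            steps += 1
        above = y > threshold
    return steps


def console_commands(samples):
    """Format samples as emulator console commands (send each with `adb emu <command>`)."""
    return [f"sensor set acceleration {x}:{y}:{z}" for x, y, z in samples]


if __name__ == "__main__":
    still = [(0.0, GRAVITY, 0.0)] * 200  # what an idle sandbox effectively reports
    trace = walking_trace()
    print("idle sandbox steps:", count_steps(still))
    print("synthetic trace steps:", count_steps(trace))
    for cmd in console_commands(trace)[:5]:
        print("adb emu", cmd)
```

Replaying the commands at the trace's sample rate while the sample runs lets you compare the app's behaviour with and without motion data.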

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
