New Android Malware Turns Security Features Against Itself

Symantec has discovered a new strain of Android malware that turns the operating system’s own services against itself. “Android.Spywaller” poses as a legitimate Google service that claims to protect users with a firewall; in reality it attacks the user’s phone, rooting it from the inside out and installing a number of standard tracking packages, including keyloggers and screen-grabbers.

Masquerading as the popular “Qihoo 360” antivirus app in China, the malware is built to “trick” Android’s detection services into treating the malicious package as something that keeps the user safe, rather than something that exposes them to even more attacks.

It does this through a publicly available piece of code known as “DroidWall”, as Symantec’s Security Response team explains:

“The malware then drops and runs a firewall binary called DroidWall (a customized version of iptables for Android), and creates firewall rules that will block the targeted security application (in this case Qihoo 360) by referencing its UID. These days, many security scanners rely on the cloud to deliver protection, and blocking their communication would significantly compromise that ability.”
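As an added, defender-side illustration (not Symantec’s code and nothing from the malware itself), the check below scans `iptables-save` style output for DROP/REJECT rules keyed on an app UID, the pattern the quote describes, and flags those aimed at a known security package. The sample rules, the UIDs and the Qihoo package name are constructed or assumed for the example.

```python
import re
from collections import namedtuple
# Constructed sample of `iptables-save` output, as a rooted Android device might
# show it after DroidWall-style rules have been loaded. UIDs are made up.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 10087 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m owner --uid-owner 10042 -j DROP
-A OUTPUT -m owner --uid-owner 10042 -p udp --dport 53 -j ACCEPT
-A INPUT -m owner --uid-owner 10087 -j DROP
COMMIT
"""
# Constructed UID -> package map (on a real device this comes from the package
# manager, e.g. /data/system/packages.list). The Qihoo package name is assumed.
UID_TO_PACKAGE = {
    10042: "com.example.chat",         # hypothetical ordinary app
    10087: "com.qihoo360.mobilesafe",  # assumed name for Qihoo 360
}
# Packages we treat as security tools; a block keyed on their UID is a red flag.
SECURITY_PACKAGES = {"com.qihoo360.mobilesafe"}

Finding = namedtuple("Finding", "chain uid package target rule")
# Matches an appended rule that selects traffic by owner UID and drops/rejects it.
RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+).*?-m owner --uid-owner (?P<uid>\d+)"
                     r".*?-j (?P<target>DROP|REJECT)")

def find_uid_blocks(rules_text, uid_to_package):
    """Return every DROP/REJECT rule that is keyed on an app UID."""
    findings = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        uid = int(m.group("uid"))
        findings.append(Finding(m.group("chain"), uid,
                                uid_to_package.get(uid, "<unknown>"),
                                m.group("target"), line))
    return findings

def security_app_blocks(rules_text, uid_to_package, security_packages):
    """Only the UID blocks that silence a known security package."""
    return [f for f in find_uid_blocks(rules_text, uid_to_package)
            if f.package in security_packages]

if __name__ == "__main__":
    for f in security_app_blocks(SAMPLE_RULES, UID_TO_PACKAGE, SECURITY_PACKAGES):
        print(f"{f.chain}: {f.package} (uid {f.uid}) {f.target}ed by: {f.rule}")
```

Rules that permit traffic (the ACCEPT line for UID 10042) are deliberately ignored, so only blocks on a security tool's UID surface.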

Photo: Symantec

Based on their initial scan and dissection of the malware, Symantec’s engineers say they are confident that both its target and the extent of its spread have been limited to the Chinese market.

China is one of only a few countries without access to the official Google Play store, which makes it easier for malware to hide under the guise of an app that claims to be a Google service.

Symantec has not yet said how many devices in the region have been affected. More news about the malware may emerge over the next few weeks as further tests are run and reports come in from the users who were duped.

If you have owned an Android device in the past five years (or at least kept up with the news about who has launched an attack on it lately), you probably know all too well that the security situation over at Google has been one hot mess after another.

Android accounts for the vast majority of mobile malware currently out there, thanks to the hundreds of different devices, sporadic firmware updates, and lackluster support from third-party app developers.