Android Malware Whitelists Itself to Stay Active While Your Phone Sleeps

An Android banking trojan is requesting users to whitelist its process against the Android Doze power saving module in order to stay connected to its command and control (C&C) servers and continue its malicious behavior.

The name of the banking trojan is Android.Fakebank.B, seen for the first time over three years ago.

In its most recent iteration, the trojan’s creators have added a new mechanism to bypass Android’s Doze component.

Banking trojan finds a way to remain alive on Android 6.0

Doze is a battery power-saving component that Google added to Android 6.0 Marshmallow. For the purposes of this trick, Doze amounts to a whitelist of applications that are permitted to keep running in the phone’s background while the device has been put to sleep.

Apps can ask users for permission to operate normally while the phone’s screen has been turned off and the phone locked. This is generally done through a simple permissions popup, shown when installing the app or at a later time.

Doze permissions popup (via Symantec)

If the user approves, the app is added to a list of permitted apps.

Battery Optimization settings section (via Symantec)

The problem, according to Symantec researcher Dinesh Venkatesan, who discovered this latest trick, is that the permission’s “danger” level doesn’t trigger a warning from the OS.

“The permission required to fire this intent is REQUEST_IGNORE_BATTERY_OPTIMIZATIONS which is classified as normal,” the researcher explains. “Marshmallow’s dynamic permission model defines permissions as either normal, dangerous, and above dangerous. Permissions determined as normal are approved automatically and cannot be disabled through appinfo permissions.”

This means that once the app where the banking trojan has been hidden requests this permission, the user must visit the Doze battery power saving whitelist and remove the app by hand.

In the Android settings, the Doze exceptions whitelist is found in the Battery Optimization section.
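Because the permission is classified as normal, the only trace left on the device is the entry in the Doze whitelist itself, so auditing that list is the practical check. The script below is an added example, not code from the article or from Symantec: it parses the output of `adb shell dumpsys deviceidle whitelist` (assumed to print one `<source>,<package>,<uid>` line per entry, where the source is `system-excidle`, `system`, or `user` for entries approved through the popup) and flags user-approved exceptions that are not on an expected list. The sample dump and package names are constructed.

```python
"""Triage the Doze (battery optimization) whitelist of an Android device."""
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Set

# Assumed line format of `dumpsys deviceidle whitelist`: source,package,uid
LINE_RE = re.compile(r"^(system-excidle|system|user),([\w.]+),(\d+)$")


@dataclass(frozen=True)
class WhitelistEntry:
    source: str    # "system-excidle", "system", or "user"
    package: str   # Android package name
    uid: int       # Linux uid the package runs as


def parse_whitelist(dump: str) -> List[WhitelistEntry]:
    """Turn raw dumpsys text into structured entries, ignoring other lines."""
    entries = []
    for raw in dump.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            entries.append(WhitelistEntry(match.group(1), match.group(2), int(match.group(3))))
    return entries


def suspicious_user_entries(entries: Iterable[WhitelistEntry],
                            expected: Set[str]) -> List[WhitelistEntry]:
    """User-approved Doze exceptions that are not on the expected list.

    Only "user" entries matter here: that is where an app lands after the
    REQUEST_IGNORE_BATTERY_OPTIMIZATIONS popup has been accepted.
    """
    return [e for e in entries if e.source == "user" and e.package not in expected]


def load_from_device() -> str:
    """Pull the live whitelist via adb (requires a connected, authorized device)."""
    result = subprocess.run(["adb", "shell", "dumpsys", "deviceidle", "whitelist"],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample dump, not a capture from a real device.
SAMPLE_DUMP = """\
system-excidle,com.android.providers.calendar,10006
system,com.google.android.gms,10017
user,com.example.messenger,10120
user,com.sample.flashlight,10133
"""
EXPECTED_USER_EXCEPTIONS = {"com.example.messenger"}  # hypothetical allow-list

if __name__ == "__main__":
    for e in suspicious_user_entries(parse_whitelist(SAMPLE_DUMP), EXPECTED_USER_EXCEPTIONS):
        print(f"review: {e.package} (uid {e.uid}) is exempt from Doze but was not expected")
```

Replace `SAMPLE_DUMP` with `load_from_device()` to audit a real handset; anything flagged can then be removed by hand in the Battery Optimization settings as the article describes.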

While most malware can operate offline, complex malware families such as banking trojans, remote access trojans, or ransomware often perform best when they have a constant connection to their online C&C server.

Ever since Google released Android 6.0 last year, malware coders have been busy creating bypasses for several of the operating system’s new security measures.
