ESET researchers discovered an extremely stealthy – yet surprisingly simple – technique that allowed Android malware to stay under the radar. Analyzing the DEFENSOR ID app that was – at the time – available on the official Android app store, ESET researchers learned the app misused Accessibility Services but required no other suspicious permission nor had any other malicious functionality.
“The Accessibility Services feature is long known to be the Achilles’ heel of the Android operating system, and security solutions have been tuned to detect various combinations of misuse of this weak spot with other indicators of malicious behavior,” explains Lukáš Štefanko, the ESET malware researcher who conducted the analysis into DEFENSOR ID.
Faced with malware that displayed no additional functionality nor suspicious permissions on top of Accessibility Services, all known security mechanisms failed to trigger any alarm. As a result, DEFENSOR ID made it onto the Google Play store, stayed there for a few months and was never detected by any security vendor participating in the VirusTotal program.
“This has been a valuable lesson for us. Based on what we’ve learned about DEFENSOR ID, we’ve fine-tuned our detection technologies to also cover malware with such a uniquely low detection cross-section,” says Štefanko.
Apart from being extremely stealthy, DEFENSOR ID is capable of inflicting serious harm on its victims. It belongs to the banking trojans malware category and is exceptionally insidious: once installed, it needs its victim to take only one action to fully unleash its power.
“Once the user activates Accessibility Services, DEFENSOR ID can pave the way for the attacker to clean out the victim’s bank account or cryptocurrency wallet and take over their email or social media accounts, among other malicious actions,” comments Štefanko.
Following ESET’s notice, Google removed DEFENSOR ID from the official Android app store.
“We decided to publish the results of our investigation into this malware to help defenders cope with ultra-low cross-section Android malware. The creators of such malware are definitely going to face hardened protections around both Google Play and the users’ devices,” concludes ESET’s Štefanko.