March 19, 2024

    The Fight against Malware: Code Hardening & Runtime Protection Are Key

    Key takeaways
    • App developers and publishers play a crucial role in addressing malware risk. On top of implementing protection against accessibility services abuse, overlay, and screen recording attacks, the importance of their app’s resilience against static and dynamic analysis attacks should not be understated.
    • Without protection against static and dynamic attacks, threat actors can create highly targeted malware for your app, disable the malware defenses you put in place, and repackage them into a convincing rogue version of your app to trick your users - like what happened to a well-known bank in Southeast Asia in 2023.
    • While anti-malware security controls prevent threat actors from exploiting Android accessibility services, performing overlay attacks, and spying on users’ input in your application, code hardening and runtime integrity violation checks protect your application from other static and dynamic analysis attacks.

    Mobile app malware is a complex problem with no one-size-fits-all solution. Because threat actors exploit weaknesses on three different layers (the device’s operating system (OS), app design, and user behavior), developers have an especially crucial role in addressing it. While it is practically impossible for app developers to predict and control how malware could end up on their users’ devices, they are responsible for the resilience of their apps against malware attacks. That being said, developers must remember that a malware attack is only a subset of the broader mobile application security risks.

    In this blog, we will show a real-world case study that highlights why code hardening and runtime protection are crucial components to protection against malware attacks.


    A collective defense effort against malware

    Government’s involvement in increasing vigilance

    Governments around the world have exercised their pivotal role in educating citizens, businesses, and organizations on the risks associated with mobile malware. For instance, the US Cybersecurity and Infrastructure Security Agency (CISA), the EU Agency for Cybersecurity (ENISA), and the Cyber Security Agency of Singapore (CSA) have issued advisories, tools, and resources aimed at raising awareness of the increasing prevalence of malware attacks in their respective regions. Their involvement demonstrates the widespread nature of the malware problem, which indiscriminately affects all Android users.

    Google’s efforts in fighting Android malware

    As the creator of the most popular mobile operating system, holding close to three quarters of the market share, Google has been ramping up its efforts to combat malware targeting its Android OS in recent years. These efforts include a tighter vetting process for apps distributed through its official app store, limiting developers’ use of the Android Accessibility Service API (a frequently exploited attack vector), and enhancing Google Play Protect with real-time, code-level scanning of app installs. Despite all this, the number of Android malware attacks is still on the rise, with the Google Play Store being one of the most popular ways for threat actors to distribute malware to Android users.

    Developers’ crucial role in ensuring security

    Given the increasing number of new mobile malware packages released each year, the task of identifying the most appropriate protection mechanism for each scenario might seem impossible. However, in our latest research on Android malware targeting the financial services sector, we discovered that most malware employs common attack methods to execute malicious activity, and that these can be mitigated using a variety of techniques that leverage operating system capabilities for detection and deterrence. Unfortunately, the majority of financial services Android applications studied still show a severe lack of maturity in addressing them. You can learn more about each attack technique and how to address it in our Security Research Center:

    It is important to note, however, that implementing security controls against these attacks will not, on its own, completely protect your application and its users.
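As an added illustration of the operating-system capabilities referred to above (example code written for this article, not DexGuard's or Guardsquare's implementation; the class name HardenedActivity is made up), the following Android activity applies one platform control per attack class: FLAG_SECURE against screen capture and recording, setFilterTouchesWhenObscured against overlay (tapjacking) attacks, and an enumeration of the enabled accessibility services that the app can feed into its own risk decision.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical activity (not from the article or from DexGuard) showing the
 * platform-level controls for the three attack classes discussed above.
 */
public class HardenedActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Screen recording / screenshots: FLAG_SECURE makes the OS blank this
        // window in captures, recordings and on non-secure displays.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }

    /** Overlay (tapjacking): the OS drops touches delivered while another window covers the view. */
    public static void protectFromOverlay(View sensitiveView) {
        sensitiveView.setFilterTouchesWhenObscured(true);
    }

    /**
     * Accessibility abuse: return the ids of every enabled accessibility service so the
     * app can compare them against an allowlist. Legitimate services (screen readers)
     * also appear here, so this is a risk signal, not a verdict.
     */
    public static List<String> enabledAccessibilityServices(Context context) {
        AccessibilityManager am =
                (AccessibilityManager) context.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> ids = new ArrayList<>();
        if (am == null) {
            return ids;
        }
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ids.add(info.getId()); // e.g. "com.example.pkg/.SomeService"
        }
        return ids;
    }
}
```

FLAG_SECURE and the touch filter are enforced by the OS and need no further logic in the app. The accessibility list is only an input to a decision: a sensible policy is to allow known screen readers and treat unknown services as a reason to step up authentication or alert a monitoring backend. None of these controls survives if an attacker can simply strip them from an unprotected APK, which is exactly the weakness the article turns to next.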

    Unobfuscated application: A more dangerous problem

    Without proper code hardening and runtime protection, threat actors can easily study the application workflow, take note of how the application behaves, locate places of interest in the code, and modify its behavior at will. In the context of malware, this can lead to the creation of highly effective malware designed to steal information and commit numerous kinds of fraud. More concerningly, it allows the creation of rogue versions of your application that are indistinguishable from the original app and are used by attackers to trick your users into installing and using the malicious version instead. Unfortunately, there is no easy way for a developer to recall an unprotected application once it has been published, which highlights the importance of incorporating security early and throughout your mobile application development lifecycle.

    Case study: Your malware defenses also need protection

    In 2023, a well-known bank in Southeast Asia was targeted with a malware campaign that affected their Android banking app users. Upon this realization, the developers quickly jumped into action to study the malware’s attack methods before adding the required security controls to stop the malware in its tracks. For some time, these malware defenses were able to prevent the malware from being able to successfully attack the app. However, as soon as the attackers discovered that their malware was no longer effective due to the implemented defenses, they started to look for another way in.

    Fortunately for the attackers, and unfortunately for the bank, the app was vulnerable to tampering and reverse engineering. Consequently, the attackers were able to easily understand the app logic, remove the malware defenses, repackage the app, and redistribute the malicious copy to the bank’s end users. Thankfully, the bank was able to remediate the problem before further damage was done. As we can see, although malware defenses are effective, without proper static and dynamic code protection they can be easily identified and disabled on disk or in memory. A single layer of defense is never going to be enough.

    Guardsquare protects your app and your malware defenses

    To ensure an effective malware defense strategy, developers should layer their malware security controls with code hardening and runtime application self-protection (RASP) tools like DexGuard. So while your anti-malware protection prevents threat actors from exploiting Android accessibility services, performing overlay attacks, and spying on users’ input in your applications, DexGuard’s diverse code obfuscation techniques, robust data encryption, and runtime protection protect your app from other static and dynamic analysis attacks. Moreover, with Guardsquare’s polymorphic protection approach, developers can automatically ensure that the protection configuration differs on every release, resetting the clock for the attackers.

    Taking it a step further, developers should also consider performing regular mobile application security testing early in the development process to prevent the unintentional introduction of security vulnerabilities. An automated MAST tool like AppSweep enables developers to do this without additional overhead while remaining agile in addressing dependency and security issues in their mobile applications. Lastly, maintaining visibility into how your applications are being attacked with a real-time threat monitoring tool like ThreatCast will enrich your anti-fraud strategy, allowing you to stay on top of the ever-evolving threat landscape.
