New Android Malware Uses Firewall To Block Security Apps
By Paul Liu
Tuesday, July 19th, 2016

Security researchers at Symantec have come across a new type of Android malware that uses a firewall to block access to security apps. Dubbed Android.Spywaller, the malware differs from similar threats in that it checks for and blocks one specific security app, and relies on an open source Android firewall to do so. Symantec has published a detailed blog post about the malware on its website to raise awareness of the threat and warn users about the consequences of having the app installed on their devices.
According to the details published by Symantec, Android.Spywaller initially behaves like any other mobile security threat. Once downloaded onto a device, the malware hides its icon to avoid suspicion and works in the background to decrypt a payload that is loaded into memory. Once the threat has been installed, it shows a “Google Service” app icon on the infected device’s interface; no such app or service exists on the Play Store or is offered by the internet giant. After that, the malware attempts to root the device and steal sensitive information, which it sends to a third party server.
The distinguishing feature of the threat is that it checks for the presence of the Qihoo 360 app on the infected device. Qihoo 360 is a popular security app in China which assigns a unique identifier (UID) to every device. Once it detects Qihoo 360, Android.Spywaller steals the UID and then loads the open source firewall “DroidWall” on the infected device. It then creates a firewall rule that prevents Qihoo 360 from reaching its servers.
DroidWall is one of the most popular open source firewalls for Android and was originally developed by the independent security researcher Rodrigo Rosauro. Although the product was acquired by Avast in 2011, its old source code is still freely available online. Among other things, DroidWall can create per-app rules, and those same rules can block a security app from communicating with its servers. Although DroidWall was designed as a security tool, the makers of Android.Spywaller have repurposed its source code for malicious ends.
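A defender-side check for the behaviour described above, added here as an example and not code from Symantec or the DroidWall project. It assumes that DroidWall-style per-app rules are iptables rules matching on the app's UID (`-m owner --uid-owner`), and that the responder has a UID-to-package mapping from the device; the rule listing, UID map and package names are constructed sample data.

```python
import re

# Constructed sample of `iptables -S` output on a rooted device, in the
# per-app (owner UID match) form that DroidWall-style firewalls install.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 10042 -j DROP
-A OUTPUT -m owner --uid-owner 10088 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m owner --uid-owner 10051 -j ACCEPT
"""

# Constructed UID -> package map; on a real device this comes from
# /data/system/packages.list or `dumpsys package <pkg>`. Package names are assumed.
SAMPLE_UID_MAP = {
    10042: "com.qihoo360.mobilesafe",   # assumed package name for the Qihoo 360 app
    10051: "com.example.chat",
    10088: "com.example.antivirus",
}

# Packages whose outbound traffic should never be blocked on a healthy device.
SECURITY_PACKAGES = {"com.qihoo360.mobilesafe", "com.example.antivirus"}

# Matches an append rule that targets one UID and drops or rejects its traffic.
RULE_RE = re.compile(r"^-A\s+(\S+).*?--uid-owner\s+(\d+).*?-j\s+(DROP|REJECT)\b")


def find_uid_blocks(rules_text, uid_map):
    """Return (chain, uid, package, target) for every rule that DROPs or
    REJECTs traffic belonging to a specific app UID."""
    hits = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chain, uid, target = m.group(1), int(m.group(2)), m.group(3)
            hits.append((chain, uid, uid_map.get(uid, "<unknown>"), target))
    return hits


def blocked_security_apps(rules_text, uid_map, security_pkgs=SECURITY_PACKAGES):
    """Sorted list of security packages whose traffic is blocked by a UID rule."""
    return sorted({pkg for _, _, pkg, _ in find_uid_blocks(rules_text, uid_map)
                   if pkg in security_pkgs})


if __name__ == "__main__":
    for hit in find_uid_blocks(SAMPLE_RULES, SAMPLE_UID_MAP):
        print("chain=%s uid=%d pkg=%s target=%s" % hit)
    print("blocked security apps:", blocked_security_apps(SAMPLE_RULES, SAMPLE_UID_MAP))
```

Any security package appearing in the result is a strong indicator that something on the device is deliberately cutting that app off from its servers, which is the Android.Spywaller behaviour Symantec describes.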
Once Android.Spywaller has compromised a device, it can extract and steal many different types of sensitive data. For instance, the malware can collect SMS messages, call logs, location information, emails, browsing history, contact information and other personally identifiable information. The threat is also capable of extracting data from third party apps such as Skype, WeChat, WhatsApp, BlackBerry Messenger, Sina Weibo, Talkbox, Voxer, Zello, QQ, Coco and ooVoo.
For the moment, the threat posed by Android.Spywaller is assessed as low and is restricted to Chinese users. Since many official Google services are not available in China, a higher percentage of devices in the country are rooted. Symantec recommends installing apps only from trusted sources and using a comprehensive security solution to stay protected from threats like Android.Spywaller.