430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Malware

Windseeker spyware app implements advanced injection and hooking techniques

Security experts at Lacoon Mobile Security detected a malicious app dubbed Windseeker which uses rare injection and hooking techniques to spy on users. Windseeker is a malicious Android app which attracted experts at Lacoon Mobile Security, the principal characteristics of the app are its injection and hooking techniques used to spy on mobile users. The techniques are rare […]

Windseeker spyware app implements advanced injection and hooking techniques

Security experts at Lacoon Mobile Security detected a malicious app dubbed Windseeker which uses rare injection and hooking techniques to spy on users.

Windseeker is a malicious Android app which attracted experts at Lacoon Mobile Security, the principal characteristics of the app are its injection and hooking techniques used to spy on mobile users.

The techniques are rare in the mobile ecosystem, Windseeker runs on rooted Android devices and allows attackers to spy on popular instant messaging apps in China, WeChat and QQ.

The discovery is anyway, worrying as remarked by Avi Bashan, CISO at Lacoon Mobile Security, who explained that these kind of threat could be used to spy data of any other application.

“While this tool is intended for use in China due to the intended targets as Chinese instant messaging apps (WeChat and QQ) and monitored chats being in Chinese, it’s important to understand that this type of threat could be implemented anywhere.” wrote Bashan in a blog post.

As usual happen, such kind of malicious apps is distributed through third-party app marketplaces, the installation of Windseeker needs attacker has physical access to the Smartphone.

Windseeker spy on apps

Differently from other mobile apps used to spy on users, Windseeker implements injection and hooking techniques instead steal data from device memory neither from its file system.

The injection mechanism has two different phases, in a first step the app deploys a native file that uses the ptrace process, and that is also used to inject a second file  into the targeted instant messaging app. In the second stage the injected native file loads a java file that allows to monitor messaging app activity through the API hooking.

“Hooking over an API code means that every time the app calls to the API, instead of going directly to the system, [data] is intercepted by [the attacker]. When it’s on the device itself, it’s called ‘hooking;’ when it’s over the network, it’s called a man-in-the-middle attack. PC malware has done this for years.”

“This kind of hooking technique is not common in the mobile area. Up until now, commercial mobile surveillance apps usually obtained an app’s data through the file system or through a memory dump.

This hooking technique marks a new step in the evolution of malicious activity in mobile, which resembles the way PC-based malware has also evolved over the years. It’s only a matter of time until we see these adopted techniques become widespread and move into general mass-targeting mobile malware.”  states the post.

Protect yourself:

  • Avoid rooting your mobile device.
  • Avoid installing applications from untrusted third-party app marketplaces.

Pierluigi Paganini

(Security Affairs – Windseeker, mobile)