Malware Makers Set Sights On Motion Sensor
An extremely creative form of malware on Android devices uses motion sensors to help stay undetected. It's designed to combat one of the key methods used by malware scanning tools.
Trend Micro says it found the malware hidden in two Google Play Store apps named "BatterySaverMobi" and "Currency Converter," which claimed to provide functions as their names suggest. (Source: arstechnica.com)
Once installed, the apps downloaded malware in the background, then used a fake system update message to trick the user into giving permission to install it. The malware, named "Anubis," then used a combination of keylogging (recording what the user types in) and screenshots to try to capture login details for sensitive accounts and apps such as online banking.
Malware Checked Movement Sensors
While all these techniques are sadly all too familiar, Trend Micro said it uncovered a creative method to hide the malware activity from security software. (Source: trendmicro.com)
The researchers noticed the code for the malware included checking for data from the phone's motion sensors. If it detected signs that the phone was not in motion, it paused all activity until the phone was moving again.
It appears the idea was to get round security tools that use sandboxed emulators to examine suspicious files. That means they simulate the phone's activities to see what happens when a file runs, but don't actually allow the file access to the rest of the phone during the simulation.
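One way an analyst can counter this kind of gating is to run the same sample twice, once with idle sensors and once with replayed motion, and compare what it does. The sketch below is an added example, not Trend Micro's tooling or code from the article; the trace format, event names and sample traces are constructed assumptions.

```python
# Event names and the (time, event, detail) trace format are assumptions
# made for this example, not the output of any particular sandbox.
MOTION_SENSORS = {"accelerometer", "gyroscope", "step_counter"}
SENSITIVE = {"net.download", "ui.fake_update_dialog", "pkg.install_request",
             "input.keylog", "screen.capture"}

# Constructed traces from two runs of one sample: first with idle sensors,
# then with replayed walking motion.
STATIC_RUN = [
    (0.4, "sensor.register", "accelerometer"),
    (0.5, "ui.show", "battery stats"),
    (60.0, "run.end", ""),
]
MOTION_RUN = [
    (0.4, "sensor.register", "accelerometer"),
    (0.5, "ui.show", "battery stats"),
    (3.1, "sensor.event", "accelerometer"),
    (3.3, "net.download", "payload"),
    (4.0, "ui.fake_update_dialog", "System update"),
    (9.2, "pkg.install_request", "payload"),
    (60.0, "run.end", ""),
]


def listens_for_motion(trace):
    """True if the app registered a listener for any motion sensor."""
    return any(ev == "sensor.register" and detail in MOTION_SENSORS
               for _, ev, detail in trace)


def sensitive_events(trace):
    """Set of sensitive event names observed in one run."""
    return {ev for _, ev, _ in trace if ev in SENSITIVE}


def motion_gated_behaviour(static_run, motion_run):
    """Sensitive events that appear only when motion is simulated.

    Returns an empty list when the app never listens for motion or when
    both runs show the same sensitive behaviour.
    """
    if not (listens_for_motion(static_run) or listens_for_motion(motion_run)):
        return []
    return sorted(sensitive_events(motion_run) - sensitive_events(static_run))


if __name__ == "__main__":
    gated = motion_gated_behaviour(STATIC_RUN, MOTION_RUN)
    print("motion-gated behaviour:", gated or "none")
```

A non-empty result is a triage signal that the sample deserves manual review, since a battery or currency app has no obvious reason to hold back downloads and install prompts until the device moves.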
Cat and Mouse Game
The malware creators appear to have reasoned that most malware scanners operate while the phone isn't moving (assuming that the user is walking). That could be because the user simply has it in their pocket, because they are holding the phone while actively running a scan, or because the scanner runs at night time to avoid disruption. Instead, the new malware waits until the phone is moving, which makes it less likely a scan is running.
It's a reminder that security will always be a cat and mouse game between malware creators and security tools. In this case, the best defense would have been to avoid installing the rogue apps in the first place.
That's easier said than done, of course, but one good tip is to be wary of apps from unfamiliar developers. Another is to check through reviews carefully: the apps in this case had high ratings but the reviews had some grammatical errors which suggest they were fake or automatically generated.
What's Your Opinion?
Are you surprised malware creators are so creative? How do you vet apps before installing them? Is it safest to avoid getting apps from unknown developers at all?

My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years' experience; I also run this website! If you need technical assistance, I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
Comments
Largest target for attacks
I am beginning to feel a little safer on my computer. :) (not really)
There are many more people with phones than there are people with computers. It makes sense that the new attack vector would move to phones. This is going to get far worse as time moves on.