Android Malware Hides Behind Black Screen

A new variant of Android malware quite literally hides its activities. 'Octo' darkens the screen so that users can't see it stealing data.

Researchers at Threat Fabric say the malware takes advantage of a built-in Android feature called "STREAM_SCREEN". It's not quite a live feed, but remotely transmits around one screenshot a second. (Source: threatfabric.com)

The scammers then misuse an accessibility feature in Android to remotely control the device. The stream screening lets them see what they are doing, despite not having physical access.

Black Screen Disguise

The sneakiest element of the Octo malware is that it uses three tricks to hide when the attackers is doing something on the device. It puts a black overlay on the "top" of the display, sets the screen brightness to 0 percent, and disables all on-screen notifications.

That means that if the device owner looks at the screen, it will be completely blank and look indistinguishable from the normal standby mode that appears when the phone hasn't been actively used for a while. (Source: tomsguide.com)

The attacker then has the ability to do virtually anything the phone user can do, including searching for sensitive data. It appears many users of Octo are installing keylogging software with the hope of capturing user names and passwords typed in by device owners.

Official Store Breached

With this type of malware, the biggest defense is to avoid it getting on the device in the first place. The problem is the attackers are not just relying on people installing applications from untrusted third part sources.

Instead they appear to have succeeded in distributing it in disguise through the official Google Play store. Often this involves an app that appears to perform one function but is actually downloading and installing the malware in the background. In some cases this can defeat Google's attempts to spot malware when vetting apps for the Play store.

While user reviews can be helpful, these can be faked, and in any case the rogue app will often be working as advertised. That means it's safest to stick to known developers and to search online (outside of the Play store) for reviews and references to apps to be more confident they are legitimate and safe.

What's Your Opinion?

Are you surprised malware designers are so (maliciously) creative? How do you decide which apps to install? Do you trust that anything on the official Google Play store is safe?