
Mobile banking Trojans abuse Android BinaryXML format to avoid detection

12 September 2023

BinaryXML format in Android is heavily abused by malware authors

For a closer look at the technical details of this flaw, you can download our White Paper here.

ThreatFabric's analysts observed a rise in the number of mobile banking Trojans abusing a flaw in the Android source code, specifically in the way it processes application files, which allows applications with malformed contents to be installed on Android devices.

The inconsistency is present in all Android OS versions, including the most up-to-date ones. Insufficient checks in the validation of the file format result in invalid applications being treated by the operating system as valid, while third-party validators and parsers treat the same files as invalid (corrupted). Several malware actors have been seen abusing this flaw to bypass security mechanisms: the malicious applications are successfully installed and run on victims' devices, while various cybersecurity solutions may skip the analysis of such applications, treating them as "corrupted" and invalid.

This inconsistency is being exploited by Anatsa in its most recent campaign hitting the UK and Germany, which was reported by ThreatFabric here. Besides Anatsa, multiple malware families such as Hydra, Cerberus, and Alien use this trick to bypass detection by security products. The recently reported Letscall and Fakecalls also exploit this inconsistency, but in a slightly different way, showing that multiple actor groups are paying attention to finding mechanisms in the Android source code to abuse.

ThreatFabric has reported the issue to Google. The company stated that the Android platform has some leniency in accepting malformed files in APKs to reduce the risk of app compatibility issues, and therefore does not consider it a security vulnerability; as a result, the Android Open Source Platform (AOSP) code will not be changed.

At the same time, our report did highlight how such files could bypass Google's current internal malware detection mechanisms, and Google stated that the necessary changes were implemented to ensure that those tools are updated.

While writing this blog post, we spotted another technique used by malware authors to make security tools think that the file is corrupted, which is also connected to the BinaryXML format.

We decided to disclose the details of the inconsistency within the responsible disclosure timeline, as it is heavily used by malware actors trying to avoid detection by cybersecurity solutions, so that security providers can take action on it.

We call on AV companies, independent researchers, fraud analysts and developers of Android analysis tools to check whether the solutions they use or maintain are able to process the issues explained in this blog, to ensure consistent behaviour between analysis tools and the Android OS when processing such APKs.
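One practical way to act on that recommendation is to have an analysis pipeline report, rather than reject, BinaryXML header fields that disagree with each other. The Python below is an added example written for this post, not ThreatFabric's code or the white paper's: it walks the chunk headers of a binary AndroidManifest.xml using the public AOSP chunk layout, flags a StringPool header whose counts do not fit its chunk and a start element whose attributeSize is not 20 (the two issues named in the appendix), and builds its own constructed sample to run against; the function names and the sample are assumptions of this example.

```python
import struct

RES_STRING_POOL_TYPE = 0x0001
RES_XML_TYPE = 0x0003
RES_XML_START_ELEMENT_TYPE = 0x0102
ATTR_SIZE = 20  # sizeof(ResXMLTree_attribute) in the AOSP ResourceTypes.h

def audit_axml(data: bytes) -> list:
    """Walk the chunks of a binary AndroidManifest.xml and report header fields
    that do not agree with each other. Empty list: headers are self-consistent."""
    findings = []
    if len(data) < 8:
        return ["file shorter than one chunk header"]
    typ, hdr, size = struct.unpack_from("<HHI", data, 0)
    if typ != RES_XML_TYPE:
        findings.append("outer chunk is not RES_XML_TYPE")
    if size != len(data):
        findings.append(f"outer chunk size {size} != file size {len(data)}")
    off = hdr
    while off + 8 <= len(data):
        ctype, chdr, csize = struct.unpack_from("<HHI", data, off)
        if csize < chdr or off + csize > len(data):
            findings.append(f"chunk 0x{ctype:04x} at {off}: size {csize} overruns")
            break
        if ctype == RES_STRING_POOL_TYPE:
            # stringCount, styleCount, flags, stringsStart, stylesStart
            n_str, n_sty, _, str_start, _ = struct.unpack_from("<IIIII", data, off + 8)
            if not chdr + 4 * (n_str + n_sty) <= str_start <= csize:
                findings.append(f"string pool: {n_str} strings do not fit in {csize} bytes")
        elif ctype == RES_XML_START_ELEMENT_TYPE:
            # attrExt follows the 16-byte node header: ns, name, then these u16s
            a_start, a_size, a_count = struct.unpack_from("<HHH", data, off + chdr + 8)
            if a_size != ATTR_SIZE:
                findings.append(f"start element at {off}: attributeSize {a_size} != {ATTR_SIZE}")
            if chdr + a_start + a_count * a_size > csize:
                findings.append(f"start element at {off}: attributes overrun chunk")
        off += csize
    return findings

def build_sample(attr_size: int = ATTR_SIZE) -> bytes:
    """Constructed minimal AXML (not a real manifest): a UTF-16 string pool
    holding "a" and one attribute-less start element, with a settable attributeSize."""
    pool_body = struct.pack("<I", 0) + struct.pack("<H", 1) + "a".encode("utf-16-le") + b"\0\0"
    pool_body += b"\0" * (-len(pool_body) % 4)  # keep the chunk 4-byte aligned
    pool = struct.pack("<HHIIIIII", RES_STRING_POOL_TYPE, 28, 28 + len(pool_body),
                       1, 0, 0, 32, 0) + pool_body
    ext = struct.pack("<IIHHHHHH", 0xFFFFFFFF, 0, 20, attr_size, 0, 0, 0, 0)
    elem = struct.pack("<HHIII", RES_XML_START_ELEMENT_TYPE, 16, 16 + len(ext), 1, 0xFFFFFFFF) + ext
    body = pool + elem
    return struct.pack("<HHI", RES_XML_TYPE, 8, 8 + len(body)) + body
```

A finding from `audit_axml` is a reason to route the APK to closer review, not to drop it as corrupted, since the device will still install it.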


Appendix

Obfuscated Samples

Malware family   Issue exploited                                  SHA256
Hydra            StringPool corruption                            409558f7cbdc9bd49328438e11964cdf58f5147ea3f195cd156e9c7c4a6f5438
Anatsa           StringPool corruption                            991c0d17eea2c235c26b663a8b9e04555bf3d82c400e128a5819d1375ca5cac9
Hydra            StringPool corruption + attributeSize increase   224dde5d1f9fde6a239205b9c5e44f207f4a8abaf7df8a0e91c3231ef022064e
