Mobile banking Trojans abuse Android BinaryXML format to avoid detection
Android BinaryXML format is heavily abused by malware authors
According to ThreatFabric's analysts, there has been a rise in the number of mobile banking Trojans abusing a flaw in Android's platform code, specifically in the way Android parses application files. The flaw allows malware authors to install applications with malformed contents on Android devices.
The inconsistency is present in all Android OS versions, including the most up-to-date ones. Insufficient checks during validation of the file format mean that invalid applications are treated by the operating system as valid, while third-party validators and parsers treat the same files as invalid (corrupted).
Several malware operators have been seen abusing this flaw, and the resulting malicious applications are successfully installed and run on victims' devices. The inconsistency is being exploited by Anatsa in its most recent campaign targeting the UK and Germany, which ThreatFabric reported here. Besides Anatsa, multiple malware families, including Hydra, Cerberus and Alien, use the same trick to bypass detection by security products.
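To make the inconsistency concrete, the following is an added example (written for this page, not ThreatFabric's tooling or Android's code) that builds a minimal binary AndroidManifest.xml in Python and audits it for the two field manipulations named in the samples table: a StringPool whose stringsStart field does not match its canonical value, and a START_ELEMENT whose attributeSize is larger than the 20-byte ResXMLTree_attribute struct. The chunk types, header layouts and the 20-byte attribute struct are the ones defined in Android's ResourceTypes.h; the sample manifest bytes and the `build_axml`/`audit_axml` helper names are constructed here for illustration. Android's own parser (ResXMLParser in androidfw) uses the attributeSize field as the stride between attributes, so a padded attribute table still reads correctly on the device, while a parser that hardcodes a 20-byte stride reads the wrong bytes; that divergence between the platform and third-party parsers is what the post describes.

```python
"""Added example: minimal Android binary XML (AXML) builder and auditor.
Chunk types and struct layouts follow Android's ResourceTypes.h; the sample
manifest bytes are constructed here for illustration."""
import struct

RES_STRING_POOL_TYPE = 0x0001
RES_XML_TYPE = 0x0003
RES_XML_START_ELEMENT_TYPE = 0x0102
RES_XML_END_ELEMENT_TYPE = 0x0103
ATTR_STRUCT_SIZE = 20          # sizeof(ResXMLTree_attribute)
NO_ENTRY = 0xFFFFFFFF          # "no namespace" / "no comment" marker


def _chunk(ctype, header_size, body):
    """ResChunk_header (type, headerSize, size) followed by the body."""
    return struct.pack("<HHI", ctype, header_size, 8 + len(body)) + body


def _string_pool(strings, strings_start=None):
    """UTF-16 ResStringPool: header, offset table, then [u16 len][chars][u16 0]."""
    data, offsets = b"", []
    for s in strings:
        offsets.append(len(data))
        data += struct.pack("<H", len(s)) + s.encode("utf-16-le") + b"\x00\x00"
    data += b"\x00" * (-len(data) % 4)
    canonical = 28 + 4 * len(strings)   # header + offset table
    header = struct.pack("<IIIII", len(strings), 0, 0,
                         canonical if strings_start is None else strings_start, 0)
    table = b"".join(struct.pack("<I", o) for o in offsets)
    return _chunk(RES_STRING_POOL_TYPE, 28, header + table + data)


def build_axml(attribute_size=ATTR_STRUCT_SIZE, strings_start=None):
    """Constructed sample: <manifest package="com.example"/> as AXML.
    attribute_size > 20 pads each attribute (the 'attributeSize increase');
    strings_start overrides the StringPool header field (the 'StringPool corruption')."""
    pool = ["package", "manifest", "com.example"]            # string indices 0, 1, 2
    attr = struct.pack("<III", NO_ENTRY, 0, 2)                # ns, name, rawValue
    attr += struct.pack("<HBBI", 8, 0, 0x03, 2)               # Res_value, TYPE_STRING -> idx 2
    attr += b"\x00" * (attribute_size - ATTR_STRUCT_SIZE)     # padding beyond the struct
    ext = struct.pack("<IIHHHHHH", NO_ENTRY, 1, 20, attribute_size, 1, 0, 0, 0)
    node = struct.pack("<II", 1, NO_ENTRY)                    # lineNumber, comment
    start = _chunk(RES_XML_START_ELEMENT_TYPE, 16, node + ext + attr)
    end = _chunk(RES_XML_END_ELEMENT_TYPE, 16, node + struct.pack("<II", NO_ENTRY, 1))
    return _chunk(RES_XML_TYPE, 8, _string_pool(pool, strings_start) + start + end)


def audit_axml(blob):
    """Walk the chunk tree and report header fields that deviate from the
    canonical layout; an empty list means the file is laid out as expected."""
    findings = []
    ctype, hsize, csize = struct.unpack_from("<HHI", blob, 0)
    if ctype != RES_XML_TYPE or csize != len(blob):
        findings.append("outer chunk: type or size does not match file")
    pos = hsize
    while pos + 8 <= len(blob):
        ctype, hsize, csize = struct.unpack_from("<HHI", blob, pos)
        if csize < hsize or pos + csize > len(blob):
            findings.append(f"chunk 0x{ctype:04x} @{pos}: size out of bounds")
            break
        if ctype == RES_STRING_POOL_TYPE:
            count, styles, _flags, s_start, _ = struct.unpack_from("<IIIII", blob, pos + 8)
            expect = 28 + 4 * (count + styles)
            if s_start != expect:
                findings.append(f"StringPool: stringsStart={s_start}, canonical {expect}")
            if s_start >= csize:
                findings.append("StringPool: stringsStart points past the chunk")
            for i in range(count):
                (off,) = struct.unpack_from("<I", blob, pos + 28 + 4 * i)
                if s_start + off + 2 > csize:           # need at least the u16 length
                    findings.append(f"StringPool: string {i} offset out of bounds")
        elif ctype == RES_XML_START_ELEMENT_TYPE:
            _ns, name, a_start, a_size, a_count = struct.unpack_from("<IIHHH", blob, pos + hsize)
            if a_size != ATTR_STRUCT_SIZE:
                findings.append(f"START_ELEMENT name={name}: attributeSize={a_size} "
                                f"(canonical {ATTR_STRUCT_SIZE}); fixed-stride parsers misread it")
            if hsize + a_start + a_count * a_size > csize:
                findings.append(f"START_ELEMENT name={name}: attributes run past the chunk")
        pos += csize
    return findings


if __name__ == "__main__":
    samples = {"canonical": build_axml(),
               "attributeSize increase": build_axml(attribute_size=24),
               "StringPool corruption": build_axml(strings_start=0x1000)}
    for label, blob in samples.items():
        print(f"{label}: {audit_axml(blob) or ['clean']}")
```

The auditor only flags departures from the canonical layout; it does not attempt to reproduce exactly which corruptions the Android framework accepts, since that is what differs between platform versions and third-party tools. Running it over an extracted AndroidManifest.xml is a cheap triage step: a manifest that a strict decoder rejects but that reports only these two kinds of findings is a candidate for the technique described above.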
For more information, a full detailed report is available here.
Obfuscated Samples
| Malware family | Issue exploited | SHA256 |
|---|---|---|
| Hydra | StringPool corruption | 409558f7cbdc9bd49328438e11964cdf58f5147ea3f195cd156e9c7c4a6f5438 |
| Anatsa | StringPool corruption | 991c0d17eea2c235c26b663a8b9e04555bf3d82c400e128a5819d1375ca5cac9 |
| Hydra | StringPool corruption + attributeSize increase | 224dde5d1f9fde6a239205b9c5e44f207f4a8abaf7df8a0e91c3231ef022064e |