Android’s seccomp, Lying Snowblind In The Sun

And An Insecurity Corner Smorgasbord Below The Fold

If you are using an Android device then here’s some good news: as yet, researchers have only ever spotted one specific app that has been modified by the new Snowblind vulnerability to infect devices. That’s the end of the good news, however, as the only reason it’s not widespread is that attackers aren’t yet familiar with it; the moment they are, you can expect to see it leveraged far and wide.

Snowblind targets the Linux kernel feature seccomp, aka secure computing, to misdirect its ability to perform integrity checks on applications a user is installing. If Snowblind can infect an Android device, either through the installation of a dodgy app or by exploiting a separate vulnerability, it can completely break seccomp. When you install an app, seccomp checks the APK to see if it has been tampered with, and blocks the app with a warning if it has been modified.

With a Snowblind infection, instead of seccomp being able to check the actual APK being installed, the malware can send a bad argument to seccomp and misdirect it to examine an untouched APK while simultaneously installing the APK which has been tampered with. Check Bleeping Computer for more details on how Snowblind can ruin your day, as well as Google’s current official response to the new threat.
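Because the attack hinges on seccomp filters being attached to a process, one defensive check an app can make is to look at its own seccomp state. The following is an added example (not code from this article, from Google, or from the researchers who reported Snowblind): a small Linux C program that reads the `Seccomp:` and `Seccomp_filters:` fields from `/proc/self/status`, the format documented in proc(5). The `SAMPLE_STATUS` excerpt is constructed for demonstration.

```c
/* seccomp_probe.c: report the seccomp state of the calling process.
 * Added example; assumes the /proc/<pid>/status format documented in proc(5). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/self/status excerpt, used only for demonstration. */
static const char SAMPLE_STATUS[] =
    "Name:\tapp_process64\n"
    "Pid:\t4242\n"
    "Seccomp:\t2\n"
    "Seccomp_filters:\t1\n";

/* Find a "Key:" line in a status buffer and return its integer value,
 * or -1 if the key is absent. Matching is anchored at line starts, so
 * "Seccomp:" does not match the "Seccomp_filters:" line. */
int parse_status_int(const char *status, const char *key)
{
    size_t klen = strlen(key);
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, key, klen) == 0) {
            const char *v = line + klen;
            while (*v == ' ' || *v == '\t') v++;
            return (int)strtol(v, NULL, 10);
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Human-readable name for the Seccomp: field values (0/1/2 per proc(5)). */
const char *seccomp_mode_name(int mode)
{
    switch (mode) {
    case 0: return "disabled";
    case 1: return "strict";
    case 2: return "filter";
    default: return "unknown";
    }
}

/* Read the live /proc/self/status. Returns the Seccomp: mode,
 * or -1 if the file cannot be read (non-Linux, restricted /proc). */
int current_seccomp_mode(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_status_int(buf, "Seccomp:");
}

int main(void)
{
    int mode = parse_status_int(SAMPLE_STATUS, "Seccomp:");
    int filters = parse_status_int(SAMPLE_STATUS, "Seccomp_filters:");
    printf("sample: mode=%d (%s), filters=%d\n", mode, seccomp_mode_name(mode), filters);

    int live = current_seccomp_mode();
    printf("this process: mode=%d (%s)\n", live, seccomp_mode_name(live));
    return 0;
}
```

Build with `cc seccomp_probe.c -o seccomp_probe` and run it on any Linux host. Reading `/proc/self/status` is used here rather than `prctl(PR_GET_SECCOMP)` because that prctl call kills a process that is already in strict mode. On Android the baseline is not zero: the platform itself attaches a seccomp filter to app processes, so a defensive check should compare the filter count against the value expected for that device and OS version, not simply against zero.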
