A novel banking malware strain known as Snowblind is currently targeting Android mobile devices in Southeast Asia. This malware utilizes advanced techniques to evade detection and compromise sensitive information on banking apps.


Snowblind abuses the Linux kernel feature “seccomp” to disable the detection of malicious modifications in banking apps. Through accessibility services [2] [3], it reads sensitive information, hijacks banking sessions [2], disables security features [2] [3], and exfiltrates personal and transaction data [2]. It can also bypass two-factor authentication (2FA) and biometric verification, increasing the risk to victims. The malware spreads through malicious apps from unofficial sources and tampers with the banking app so that the app’s own checks do not detect the abuse of accessibility services. It installs its own seccomp filter to intercept and modify system calls [2], which makes the tampering hard to detect or trace for any code that relies on system calls [2]. Researchers stress that app developers must protect against this technique before it sees widespread use by threat actors. Promon has updated its Shield software to defend against Snowblind [1], pointing to growing cyber threats in the region [1]. Snowblind’s seccomp-based technique opens the door to a wider range of attacks [1], making it a significant concern in the cybersecurity landscape.
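As an added illustration (not code from the article or from Promon), the following C check reads a process’s own seccomp state from /proc/self/status and compares the attached-filter count against a baseline. It assumes the Seccomp_filters field (present on Linux 5.9 and later) and a known-good baseline count measured on a clean device, because Android’s zygote already applies a seccomp filter to every app process, so mode 2 alone is normal.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Seccomp state of the calling thread as reported by /proc/self/status.
 * Fields absent from the file (older kernels) are reported as -1. */
typedef struct {
    int mode;    /* Seccomp: 0 = off, 1 = strict, 2 = filter (seccomp-bpf) */
    int filters; /* Seccomp_filters: count of attached filters, Linux 5.9+ */
} seccomp_state;

/* Parse the two seccomp lines out of status-file text; other lines are ignored. */
seccomp_state parse_seccomp_status(const char *text) {
    seccomp_state st = { -1, -1 };
    const char *line = text;
    while (line != NULL && *line != '\0') {
        const char *nl = strchr(line, '\n');
        if (strncmp(line, "Seccomp_filters:", 16) == 0)
            st.filters = atoi(line + 16);   /* atoi skips the leading tab */
        else if (strncmp(line, "Seccomp:", 8) == 0)
            st.mode = atoi(line + 8);
        line = nl ? nl + 1 : NULL;
    }
    return st;
}

/* Read and parse the calling process's own status file. */
seccomp_state read_self_seccomp_state(void) {
    char buf[8192] = {0};
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {
        fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
    }
    return parse_seccomp_status(buf);
}

/* 1 if more filters are attached than the known-good baseline for this OS
 * build (assumed: measured on a clean device), 0 if equal or unknown. */
int filters_exceed_baseline(seccomp_state st, int baseline_filters) {
    if (st.filters < 0) return 0;   /* field unavailable: no verdict */
    return st.filters > baseline_filters;
}

int main(void) {
    seccomp_state st = read_self_seccomp_state();
    printf("seccomp mode=%d filters=%d\n", st.mode, st.filters);
    return 0;
}
```

A filter of the kind described above can intercept the read of /proc/self/status itself, so treat this as one signal alongside other integrity checks rather than a standalone verdict.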


Snowblind’s sophisticated tactics pose a serious threat to Android users in Southeast Asia. It is crucial for app developers to enhance security measures to prevent such attacks. The proactive response from security companies like Promon underscores the importance of staying ahead of evolving cyber threats. As Snowblind demonstrates the potential for more advanced attacks, vigilance and continuous improvement in cybersecurity practices are essential to safeguard against future threats.


[1] https://me.pcmag.com/en/security/24349/new-snowblind-banking-malware-targets-android-users-with-linux-kernel-exploit
[2] https://www.infosecurity-magazine.com/news/novel-banking-malware-asia/
[3] https://www.darkreading.com/remote-workforce/snowblind-tampering-technique-may-drive-android-users-adrift