Malware authors have a problem: they want their software to run aggressively when no one is looking at it, but to shut down entirely if the device it's running on is actually in some malware researcher's lab.
So malware authors have a whole host of tricks they use to determine whether they're running on a device in the field, or inside a researcher's emulator where all of their secrets are laid bare. For example, the creator(s) of the Wannacry malware had the program try to reach a nonexistent website (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com).
Malware researchers' emulators usually answer any attempt to research an outside website in the hopes of gaining insight about how the software interacts with its command and control server, so by checking whether the nonexistent website existed, each copy of Wannacry was able to decide whether it was living in reality or trapped in the Matrix. That's why when a security researcher registered Wannacry's nonexistent domain and stood a webserver up at that address, every copy of Wannacry in the world shut down.
A new Matrix-detecting tool in malware has been discovered: strains of Android malware distributed through the Google Play store were found to be using calls to the phone's motion-detector to determine whether it was running on a real phone or inside an emulator. Mobile emulators don't bother to fake data from emulated motion-sensors, so from the malware's perspective, emulators have an unnatural stillness that tips it off to stay hidden.
As with the Wannacry killswitch, this technique won't be hard to overcome, since spoofing plausible data from an emulated motion-sensor is pretty basic stuff. But for now, the technique is very effective (and very clever).
Security firm Trend Micro found the motion-activated dropper in two apps—BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Google removed them once it learned they were malicious.
The motion detection wasn't the only clever feature of the malicious apps. Once one of the apps installed Anubis on a device, the dropper used requests and responses over Twitter and Telegram to locate the required command and control server.
"Then, it registers with the C&C server and checks for commands with an HTTP POST request," Trend Micro researcher Kevin Sun wrote. "If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background." The dropper then tried to trick users into installing the app using the fake system update shown below:
Google Play malware used phones' motion sensors to conceal itself [Dan Goodin/Ars Technica]