The trojan fires an ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS intent in order to circumvent a Doze restriction.
The trojan fires an ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS intent in order to circumvent a Doze restriction.

Authors of the Android.Fakebank.B malware developed a new trick whitelist itself on a users device to stay connected with the attackers.

The latest variant of the trojan horse malware uses social engineering to allow it to bypass Doze battery-saving power-saving feature in Android 6.0 Marshmallow, to stay connected to command and control servers even when the device is dormant, according to a Nov. 17 blog post.

The trojan fires an ACTION_REQUEST_IGNORE_BATTERY_OPTIMIZATIONS intent in order to circumvent the Doze restriction which then triggers a pop-up message asking the user to add the app to the Battery Optimizations exceptions whitelist, researchers said in the post.

If a user falls for the trick and accepts the prompt's request, the malware will be added to the Battery Optimization exception whitelist which would allow it to stay connected to the attacker remote location regardless of whether or not the device is active.

The attack is leveraging a functionality as designed in Android 6.0 Marshmallow in conjunction with user input to whitelist itself and likely won't be patched, Symantec Principal Security Response Manager Brian Ewell told SC Media via emailed comments.

“This whitelisting is only applicable to allowing the connection to a command and control server to remain active if the device's battery is in a particular power saving mode,” Ewell said. “This wouldn't be considered an exploit and would be unlikely to be patched as that could negatively impact legitimate usage of this feature.”

To prevent infection, researchers recommend users keep their software up to date, don't upload apps form unfamiliar sites, only install apps from trusted sites, pay attention to permission requests, install security apps, and frequently back up important data.

The malware made headlines earlier this year for not allowing infected customers to call their bank's customer service departments to cancel cards after the malware compromised their cards.