A week after it revealed how Android malware uses the "target_sdk" attribute to bypass security features on Android Marshmallow (6.0), Symantec is now presenting technical details about two other methods used by crooks to skirt Android's defensive features once again.
As before, the culprits are the Android.Bankosy banking trojan and the Android.Cepsohord click-fraud bot, whose authors are apparently scouring GitHub projects for tricks on how to get a list of active processes (running tasks).
Discovering the list of active tasks is critical to malware creators, since it allows them to detect which applications the user currently has open and show a phishing overlay on top of them to collect login credentials.
Previously, in Android versions before Lollipop (5.0), crooks performed this action with the getRunningTasks() API call, which was removed in Lollipop and subsequent versions.