Gaming the system: tetromino-based covert channel and its impact on mobile security

Trojan droppers consistently emerge as challenging malware threats, particularly within the Android ecosystem. Traditional malware detection approaches focus on identifying payloads upon execution or intercepting malicious downloads from compromised sources. Despite efforts to harden network defenses against such droppers, malicious threat actors keep exploring unconventional infiltration approaches. This study expands on covert channel attacks, proposing the use of gaming platforms, like the classic Tetris arcade game, as a novel vector for malicious payload delivery. Our methodology diverges from conventional network-based attacks by embedding malicious payloads within the game’s Tetromino pieces. Through a custom-made application that masquerades as a benign Tetris variant, we deliver and execute malicious payloads on target devices within 3 to 7 min. This is achieved by combining the Shikata-Ga-Nai polymorphic encoder, an autosuggestion algorithm, and mapping Tetromino blocks to a Meterpreter payload to innovatively deliver malicious payloads via gameplay suggestions. Our work provides a novel covert channel attack which merges gamification with malicious payload delivery. To the best of our knowledge, this is the first study that introduces gamification and autosuggestion mechanisms for payload delivery. We present an in-depth analysis of the proposed attack, along with a number of countermeasures to mitigate such threats, emphasizing the importance of enhanced user awareness and human oversight during dynamic malware analysis.