Security researchers have long maintained that malware is a problem on Android, the Google operating system that’s on 80% of the world’s smartphones. In extreme cases, hackers with malicious intent can do more than send premium text messages – they can turn a phone into a spying tool too.
The scenario was recently demonstrated at hacker conference Black Hat, and in one real-life incident, an unnamed company executive unwittingly became a conduit to short-sellers who were listening in on a board meeting he attended — all possible thanks to the smartphone in his pocket.
The crackers had set up a false, rogue cell tower in the near vicinity, and surreptitiously turned on his device’s mic once the company meeting was underway. Not long after, an organization shorted the stock of his firm and netted themselves $30 million. The incident took place in the last year, according to Gregg Smith, the CEO of mobile security company KoolSpan, and is by no means an isolated case. In fact, researchers say it’s becoming easier to take control of certain Android device features, like the mic or camera, with free online tools that are becoming more user friendly.
Security research firm Symantec recently highlighted a remote access tool (or RAT) known as AndroRAT being exchanged in underground forums, which together with a new tool called a binder, allow attackers to scrape personal information from an Android phone.
AndroRAT can retrieve a phone’s call logs, monitor SMS messages and calls, take photos and make a call. Once a would-be cracker has downloaded the remote access tool, they can use the binder to package AndroRAT into a legitimate-looking app, such as a game like Angry Birds. The binder costs $37 to buy online, while AndroRAT is free and open source.
AndroRAT was first discovered in November 2012, but the binder has made its appearance more recently, and is key to making it possible for people without programming skills to infect an Android phone with the malicious tool.
Once they’ve done so, they only have to upload their infected app to a third-party site and wait for others to download it. Symantec analyst Vikram Thakur estimates that roughly 50% of Android apps downloaded globally have come from third-party sites, and the practice is common in China, where the government has banned access to the official Google Play store.
Attackers will typically infect a copy of a paid-for gaming app, and advertise it as being for free to entice more downloads. “[The victim is] playing the game,” says Thakur, “and the Trojan is doing its deed in the background.”
Sometimes attackers will just want to steal contact information, which depending on its origins can be highly prized in underground markets. Other times they’ll want the hijacked phone to send premium SMSes. In the latter case, victims can remain oblivious until they see the extra digits on their monthly bill — Trojaned apps can also intercept warning messages from carriers and delete them.
Thakur estimates that thousands of people across the world have downloaded apps that have been infected with AndroRAT, though he believes security services and Internet Service Providers will step up efforts to detect the intrusion.
This simplification of mobile hacking tools will come as no surprise to experts in the security industry, who have already seen wannabe crackers use automated attack tools like sqlmap or Havij to carry out relatively simple, SQL injection attacks to steal customer data from websites. The notorious hacking group LulzSec revealed it had used Havij to steal passwords and email addresses from PBS in summer 2011, and it also may have been used by the hacker group Cabin Cr3w to breach a Utah police database in 2012.
Darren Martyn, a former member of LulzSec who is now working in information security, says there are parallels between the way accessible tools like Havij, LOIC (an even easier tool used for taking part in DDoS attacks) and the AndroRAT binder have lowered the bar for second-rate cyber criminals without programming knowledge to subvert web applications and now, Android devices.
“It’s an emerging problem,” he said. “Even the script kiddies have it now… More irresponsible 14-year-olds with automated attack tools is a terrifying prospect, and that’s ignoring the obvious industrial espionage and ‘real crime’ potential.”
Georgia Weidman, a smartphone penetration tester who led training sessions at the Black Hat conference in Las Vegas, said it was becoming easier to exploit mobile devices thanks to tools like AndroRAT. For now, cyber criminals can still make more money from attacking traditional PCs because there are simply more machines that run Java, a programming language widely thought to have security vulnerabilities, in the browser. “That is rapidly changing though,” she said. “More malicious apps are showing up in app stores.”
Weidman herself created a tool for back-dooring Android apps, called SPF, which was designed to test app security. Similar to AndroRAT, it allowed her to decompile an app, and add new functionality such as scraping contact data, before repackaging it to look as it did before.
Such is the paradoxical world of cyber security, though, that tools like Weidman’s often end up being subverted to carry out real attacks. Weidman says she was recently approached by the government of a developing country and asked if she could create a tool similar to SPF, allowing that government to inject a popular app with software that would let it snoop on its citizens. Weidman wouldn’t name the government, but said representatives had offered her “a couple million dollars” for what would have been roughly two months’ work, and claimed they wanted to use the tool to identify sex traffickers and drug lords. She declined.
“It’s not any harder to exploit a mobile device,” Weidman said. “The easiest way to get on a traditional computer is to somehow trick a user into downloading something, or open a link in their browser. It’s the same thing in mobile.”
It doesn’t help that many consumers will blithely download whatever apps they find interesting. Some 56 billion apps are expected to be downloaded globally by the end of 2013, according to ABI Research, bringing developers $20-25 billion in revenue, and who knows how much else to cyber criminals.
Google could not be reached for comment on AndroRAT, but the company’s latest blog post highlights three steps for protecting an Android device; one of them is to let Google scan for malicious apps when the phone prompts a user to do so. Another is to set up a lock screen.
Symantec’s Thakur says the steps to keeping an Android phone secure are pretty straightforward, and users should primarily be mindful of where they download their apps from. Crucially, any downloaded app will have to ask a user for permission to access features like the contacts book or GPS data.
“Make sure the app, when installing, is only requesting permissions on the phone for what it intends to do,” he says. “If the calculator is asking to read your e-mail, there’s probably something wrong there.”
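Thakur’s advice can be applied before an app is ever installed, by reading the permissions an APK declares in its manifest and comparing them with what an app of that kind plausibly needs. The script below is an added example, not code from the article, Symantec or Google: it parses a decoded (plain-text) AndroidManifest.xml of the sort a tool like apktool produces, and flags an app whose extra permissions add up to the capabilities the article attributes to AndroRAT (call logs, SMS, camera, placing calls, contacts). The two manifests and the per-category allow-lists are constructed for the demo; the XML namespace and permission names are the real Android ones.

```python
"""Audit a decoded AndroidManifest.xml for permissions an app should not need.

Added example, not from the article. Assumes a decoded text manifest
(e.g. apktool output); the expected-permission profiles are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that together give the capabilities the article attributes to
# AndroRAT (call logs, SMS, photos, calls, contacts), plus mic and location.
SPYWARE_INDICATORS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed allow-lists: what an app of a given kind reasonably needs.
EXPECTED = {
    "calculator": set(),
    "game": {"android.permission.INTERNET", "android.permission.VIBRATE"},
}

# Constructed manifests. The first mimics a repackaged game carrying a RAT.
TROJANED_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Free Game"/>
</manifest>"""

CLEAN_CALCULATOR = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.calc">
  <application android:label="Calculator"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    key = "{%s}name" % ANDROID_NS
    return {el.get(key) for el in root.iter("uses-permission") if el.get(key)}


def audit(manifest_xml, app_kind):
    """Compare requested permissions with the profile for app_kind.

    Returns a dict with the excess permissions, which of them are spyware
    indicators, and a verdict: "ok", "over-privileged" or "suspicious".
    """
    requested = requested_permissions(manifest_xml)
    excess = requested - EXPECTED.get(app_kind, set())
    spy = excess & SPYWARE_INDICATORS
    if spy:
        verdict = "suspicious"        # unexplained access to mic/SMS/calls/etc.
    elif excess:
        verdict = "over-privileged"   # more than needed, but not spy-grade
    else:
        verdict = "ok"
    return {
        "requested": requested,
        "excess": excess,
        "spyware_indicators": spy,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, xml, kind in (("free game", TROJANED_GAME, "game"),
                            ("calculator", CLEAN_CALCULATOR, "calculator")):
        report = audit(xml, kind)
        print("%s (%s): %s" % (name, kind, report["verdict"]))
        for perm in sorted(report["spyware_indicators"]):
            print("  unexplained:", perm)
```

To run it against a real app, decode the APK first and pass the contents of its AndroidManifest.xml to `audit()` with the category you believe the app belongs to; the allow-lists are deliberately small so that a "calculator asking to read your e-mail" shows up as excess rather than being waved through.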