Hacking an Android is getting easier
80% of the world’s smartphones use Google’s operating system, and the tools available to break into them can almost be used by a child.
By Parmy Olson
Security experts have long warned about the malware that threatens Android devices, Google’s operating system that is in 80% of the world’s smartphones. In extreme cases, malicious hackers could do more than send premium text messages; they could also turn a phone into a spying tool. That scenario was recently demonstrated at the Black Hat hacker conference, and in one real-life incident, an unidentified company executive unintentionally became a conduit for short sellers to listen in on a board meeting, all of it thanks to the smartphone in the executive’s pocket.
The crackers (intruders who violate the digital security of a computer) had installed a fake cell tower in the vicinity and activated the microphone on the executive’s device once the company board meeting began. Shortly thereafter, a group of shareholders sold their stake in the company, earning $30 million. The incident took place last year, according to Gregg Smith, CEO of mobile security company KoolSpan, and is by no means an isolated case. In fact, the researchers say it’s getting easier to take control of certain features of Android devices, like the microphone or camera, with online tools that are getting easier to use.
Security research firm Symantec recently highlighted that a remote access tool (or RAT) known as AndroRAT was being shared on underground forums and that, coupled with a new tool called binder, it allows attackers to extract personal information from an Android phone.
AndroRAT can retrieve a phone’s call logs and SMS messages, monitor calls, take photos and make calls. Once would-be crackers have downloaded the remote access tool, they can use the binder to integrate AndroRAT into a legitimate-looking application, such as Angry Birds. The binder costs $37 online, while AndroRAT is free and open source.
AndroRAT was first discovered in November 2012, but binder made its appearance more recently, and is key to making it possible for non-programmers to infect an Android device with the malicious tool.
Once they’ve done that, they just upload their infected app to a site and wait for others to download it. Symantec analyst Vikram Thakur estimates that about 50% of downloaded Android apps globally come from third-party sites, and the practice is common in China, where the government has banned access to the official Google Play store.
Attackers often infect a copy of a paid gaming app and advertise it as free to attract more downloads. “The victim plays the game,” says Thakur, “while the Trojan is doing its job in the background.”
Sometimes attackers just want to steal contact information, which, depending on its origin, can be highly prized on the black market. Other times they will want the hijacked phone to send premium SMS messages. In the latter case, victims may remain oblivious to what is happening until they receive their monthly bill; Trojan horse applications can also intercept operator alert messages and delete them.
Thakur estimates that thousands of people around the world have downloaded AndroRAT-infected apps, though he believes security services and Internet providers will step up efforts to detect the intrusion.
This simplification of mobile hacking tools comes as no surprise to security industry insiders, who have already seen would-be crackers use automated attack tools like sqlmap or Havij to carry out relatively simple SQL injection attacks to steal user data from websites. Notorious hacker group LulzSec revealed that it used Havij to steal passwords and email addresses from PBS in the summer of 2011, and the tool may also have been used by hacker group CabinCr3w to breach a Utah police database in 2012.
Darren Martyn, a former LulzSec member who now works in information security, says there are parallels in the way accessible tools like Havij, LOIC (a super easy-to-use tool for DDoS attacks) and the AndroRAT binder have made it easier for second-rate cybercriminals with no programming skills to infiltrate web applications and now Android devices.
“It’s an emerging problem,” he said. “Even the little ones have access to those tools… irresponsible 14-year-olds with automated attack tools, that’s a scary prospect, not to mention the real potential for industrial espionage and actual crime.”
Georgia Weidman, a smartphone security tester who led training sessions at the Black Hat conference in Las Vegas, said it’s getting easier to break into mobile devices thanks to tools like AndroRAT. For now, cybercriminals can make even more money attacking traditional PCs, simply because there are more machines running Java, a programming language that opens up major security vulnerabilities in the browser. “However, that is changing rapidly,” she said. “More and more malicious apps are appearing in app stores.”
Weidman herself created an Android app cracking tool, called SPF, which was designed to test the security of apps. Similar to AndroRAT, it allowed her to decompile an app and add new functionality, like contact data extraction, before repackaging it to look just like it did before.
Such is the paradoxical world of cybersecurity: tools like Weidman’s often end up being used to carry out real attacks. Weidman says that she was recently approached by the government of a developing country and asked if she could create a tool similar to SPF, which would allow that government to infect a popular application with software that would allow it to spy on its citizens. Weidman did not name the government, but said representatives had offered her “a couple of million dollars” for what would have been about two months of work, saying they wanted to use the tool to identify human and drug traffickers. She refused.
“It’s not harder to get into a mobile device,” Weidman said. “The easiest way to access a traditional computer is to somehow trick the user into downloading something, or opening a link in their browser. It’s the same on mobile.”
It doesn’t help that many consumers happily download all the apps they find interesting. Some 56 billion apps are expected to be downloaded globally by the end of 2013, according to ABI Research, earning developers $25 billion in revenue, and who knows how much more for cybercriminals.
Symantec’s Thakur says the steps to keep an Android phone secure are pretty straightforward, and users primarily need to be aware of where they download their apps. Basically, any downloaded application will have to ask the user for permission to access features such as the contact list or GPS location.
“Make sure the app, when installed, only asks for permission for what it’s supposed to do,” he advises. “If the calculator asks to access the contact list, there is probably something wrong there.”
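Thakur's permission check can be automated when a known-good copy of an app is available for comparison. The following is an added example, not code from the article or from any tool it names: it compares the permissions declared in two decoded `AndroidManifest.xml` files and flags what the second copy adds. The mapping from permissions to the capabilities the article lists, the function names, the package name and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: Android permissions matching capabilities the article mentions.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "incoming SMS (operator alerts)",
    "android.permission.SEND_SMS": "premium SMS",
    "android.permission.CALL_PHONE": "placing calls",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                found.add(name.strip())
    return found

def audit(reference_xml, candidate_xml):
    """Split permissions the candidate adds into (sensitive, other)."""
    added = requested_permissions(candidate_xml) - requested_permissions(reference_xml)
    sensitive = {p: SENSITIVE[p] for p in sorted(added) if p in SENSITIVE}
    return sensitive, sorted(added - set(sensitive))

def sample_manifest(*permissions):
    """Build a constructed manifest for a hypothetical package."""
    body = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                   for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.game">{body}</manifest>')

# Constructed samples: a store copy of a game and a sideloaded copy of it.
STORE_COPY = sample_manifest("INTERNET", "ACCESS_NETWORK_STATE")
SIDELOADED_COPY = sample_manifest("INTERNET", "ACCESS_NETWORK_STATE", "WAKE_LOCK",
                                  "READ_CONTACTS", "READ_SMS", "SEND_SMS",
                                  "RECORD_AUDIO", "CAMERA")

if __name__ == "__main__":
    sensitive, other = audit(STORE_COPY, SIDELOADED_COPY)
    for permission, capability in sensitive.items():
        print(f"ADDED  {permission}  ({capability})")
    print("other added permissions:", other)
```

An added permission is a signal to investigate, not proof of tampering, since legitimate updates also change what an app requests.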