Proof-of-concept Android exploit shows ease of attacking mobile devices

It wasn’t clear to me whether the tainted Angry Birds expansion pack for Android phones that appeared in Google’s online app store this week was the work of a white hat researcher or a real attacker.

It turns out this was a white hat proof-of-concept exploit, and no active malware was ever put out in the wild.

Scio Security researcher Jon Oberheide discovered the vulnerability while poking around Android. He created the proof-of-concept application, disguised as an Angry Birds add-on, and made it available in Android Market on Wednesday, Nov. 10, 2010.

Oberheide’s fake app was in the market for only about six hours before Google removed it, Oberheide told LastWatchdog. Oberheide named his three faux-malicious installs “Fake Toll Fraud,” “Fake Contact Stealer” and “Fake Location Tracker.” Had this been a real attack, anyone who downloaded the bogus expansion pack would have had these malicious programs installed on his or her Droid.

Fake Toll Fraud could have placed arbitrary phone calls and sent SMS messages that would have resulted in toll charges. Instead, the victim saw this screen:

Oberheide doesn’t have any concrete stats, but he guesses that maybe 100 or so people installed his faux-malicious app. The vulnerability he discovered and exploited has not yet been patched by Google.

“I’ve been communicating with Google’s security team and they’ve been extremely responsive,” says Oberheide. “They’ve developed a fix for the vulnerability and I’m told that it will be rolled out to the affected devices soon.”

Here is an exclusive LastWatchdog interview with Oberheide about the current state of the ripe, but as yet relatively untapped, smartphone and mobile-device attack vector.

LW: So this was a proof-of-concept deal all the way, and no malicious code was actually ever posted by you, or by any attackers for that matter?

Oberheide: I’m not aware of any use of this vulnerability by any malicious apps in the wild.

LW: Overall, where are we in the progression of whitehat and blackhat researchers flushing out zero-day vulnerabilities in iPhones, Droids and Windows smartphones?

Oberheide: Still pretty early, in my opinion, which is part of my personal motivation in investigating these platforms. We need to shake out these vulnerabilities and do much more to harden mobile platforms now to be in a better position when attackers actually start putting some non-trivial effort into targeting these platforms.

LW: How often are fresh vulnerabilities being discovered?

Oberheide: While there are occasional vulnerabilities found specifically in the mobile platforms/applications themselves, I’d estimate the majority of vulnerabilities that affect the mobile platforms are in third-party code that is the same code we use on our desktop systems. For example, many bugs that are discovered in Safari and Chrome also end up affecting the Android web browser since they’re all based on the WebKit engine.

LW: How good a job are each of the vendors doing keeping up with patches?

Oberheide: Patching is without a doubt the biggest issue with mobile security today. It’s a double whammy: vendors often fail to stay up to date with patches that are affecting components on their mobile platforms (e.g., the WebKit example), and carriers are extremely conservative in pushing out OTA patches and risk potentially bricking millions of phones if something goes wrong. This lack of effective patching results in a significant window of vulnerability for the mobile handset.

LW: Are Android smartphones becoming more in focus by whitehats and blackhats, due to Android overtaking iPhones as the most popular platform?

Oberheide: Attackers are mostly financially motivated, so they’ll target whatever platform results in the best monetization of the attack, whether or not that is directly correlated with market share. I think there’s a lot of focus by researchers on Android since there’s a relatively low barrier of entry to start poking around. Most of the code is open source and it’s based on Linux, a commodity OS most hackers are already familiar with.

LW: And what about iPads and tablets in general? Where are we in terms of the curve of whitehats and blackhats paying attention to this emerging attack vector?

Oberheide: Again, I think it’s mostly driven by monetization. Attackers will take the path of least resistance and most reward. Attackers are continuing to make money hand-over-fist targeting our desktop systems so there’s not a ton of motivation to change up tactics, investigate a new mobile platform, and develop new tools and exploits.

By Byron Acohido
