Sunday 28 June 2015

Fighting Android insecurity FUD

This week the Dutch newspaper Volkskrant warns against a severe leak in Android that enables attackers to install software on an Android device without the user's consent and without even touching the device. The Volkskrant journalist wrote an article about some Dutch scientists who claim to have discovered a leak in Android security. They posted their findings, with a demo of the leak, in a video (which, as of this writing, can still be downloaded here: https://drive.google.com/file/d/0B73YUDeOq3OWTG93enVYVWN3TXc/view?pli=1).

The video shows some convincing and exciting insights into the hack. From an infected web browser the scientists install malicious software on a cell phone using the browser version of the Google Play Store, thereby enabling all sorts of abuse on the phone. In the video you see some very alarming demonstrations and scenarios: abuse of PayPal accounts, the option of reading SMS messages, e-mails, etc.


The issue exists because of the tight integration between all Google services, from Gmail to the Play Store, and that integration extends to Android devices. It is based on the fact that all Google services are bound to one Google account. The scientists show that, using a stolen Gmail account, an attacker could push malicious software to an Android device using only the Play Store web front end, without touching the device itself. The user then completes the attack on the attacker's behalf by activating the malware, thereby opening up the device to the attacker.


The scientists end their performance with the statement that you should build security into a product instead of bolting it on afterwards. This statement stems from their claim that they reported the issue to Google but never got a reply. Anyway, all major Dutch media picked up the item as well: Android is a big risk.

If I were a scientist or a journalist, I would check the facts before posting these statements and ask some questions first. My questions would look like this:
How does a Google account get hacked?
The scientists claim that a man-in-the-browser attack could be used, but they never say how, when or why. I believe it could be done, but the first conclusion must be: this hole, or whatever it is they found, can only be exploited if a Google account is stolen, by whatever means. This clearly is not an Android problem. If a Google account is stolen, there are more problems than just uploading malware.
But when you think further, the first and foremost issue is the fact that if a browser gets infected with evil code, an attacker controls that browser (and sometimes more), which means that people who use online banking, PayPal, read their e-mail through a browser or shop online can expect an attacker to harvest all their data. And yes ... obviously to use all sorts of logins for evil purposes: Twitter, Facebook, Microsoft and of course Google.

This isn't new. Investigative journalist Brenno de Winter (@brenno) demonstrated this a year ago and explained how you can abuse such a weakness. In his case he used a KLM domain that the company had forgotten [http://www.nu.nl/internet/3733033/vergeten-klm-domein-opende-weg-phishing.html] (Dutch). The server the domain name pointed to was vulnerable to all sorts of attacks. This way an attacker could install web pages filled with malware, make look-alike (phishing) websites, etc. Using freely available tools the journalist created a fake Google login page to harvest credentials, or could use the credentials that the malware harvests. Then he installed the Cerberus app [http://www.cerbereusapp.com/] on the Android device. With this software you can control the phone, read SMS messages, record audio, record video, take pictures and, even worse, hide the app from the drawer, so the user won't notice he is being spied on. This looks remarkably like the new leak by the scientists. New? No way. Science? No way. Is this an Android or Google issue? No way.
How does the malware get installed on an Android device?
The scientists claim that you can install malware on an Android device using Google Play services. This clearly is not the case. There is (almost) no malware on the Play Store. Google's security controls on the Play Store are so strong that malicious software can hardly be published. Repackaging regular software with a malicious payload and uploading it to the Google Play Store is not feasible.
So, no Android issue here either.
Will Android users activate software on their device?
Who knows. People are curious and not always security aware; they might just install malware. Still, it is not realistic for an attacker to build a business case on this scenario.
But again, this is not an Android issue, as all phishing tests prove.
How is the tight integration on other platforms?
Microsoft and Apple use the same kind of integration on Windows Phone and iOS. I have no experience with those platforms. The differentiator is that these platforms don't offer remote push installation of apps, so the vulnerability may be different from Android's.
This Android feature could be a risk.
Is there no workaround? What should end users do to protect themselves against these leaks?
No idea; science gives no answer, and the journalist doesn't offer any hints either.


Did you examine this exploit on your own systems? Because criticising scientists and journalists without evidence is only too easy...
Here I go: I installed a new browser on my Windows PC (so that I could act as an attacker).
Next I browsed to play.google.com and behold, all apps are visible.
Next I logged into Play service using my single Google account.
Yes, logged in, almost... the Google two-factor authentication function popped up, reporting that it had sent a text message to my mobile device...



My bad, I'm not a hacker, I failed miserably. I could not log in to Google Play services without entering the code from the text message on my mobile phone. I could not even push regular software from the Play Store to my device. Oh no, I am not a scientist or journalist, I couldn't replicate the findings, I can't exploit the Android leak as an attacker. Or... is activating two-factor authentication enough to mitigate the risk?


So, dear scientists and journalists, before posting FUD, please investigate the problem, not the symptom. If you claim that there is a vulnerability (not even a leak), do so from different perspectives. First check the facts. Then check if the issue is new. Then doubt your own findings. That's science. That's investigative journalism. If you don't, you just create FUD.


Disclaimer: I'm not an Android user.