A few days ago BSkyB's apps on the Google Play Store were the subject of an attack by the Syrian Electronic Army (SEA). The apps' store listings were apparently "hacked": Sky's logo and the app descriptions were altered. The SEA is targeting many Western websites and mobile apps right now, and is no friend of Anonymous either. This is well known in my security circles.
That said, this attack on Google's Play Store is worth noting, because it is the SEA's first attempt at attacking an app market. What actually happened? Were the apps compromised? The SEA appear to have stolen the password for BSkyB's Play developer account, and hacked Sky's Twitter account at the same time*.
The SEA were not able to replace the app (APK) itself, though. The app doesn't appear to have been "updated" (we've downloaded one of the offending apps); only the app description and the promotional logo image were changed. Even with developer-console access they could not have pushed a re-signed APK as an update, because Google Play only accepts updates signed with the same key as the original build, and that signing key lives with the developer, not in the Play account.
Also worth noting: the AV scanning engines we tried (Avast! and NQ Mobile) didn't flag the app as repackaged or re-engineered, which further supports our view that the app's code hadn't been altered. (An AV verdict is weak evidence on its own; comparing the APK's signing certificate and version code against a known-good copy is the reliable check.) In essence this is a very basic attack, which suggests a spear-phishing email (carrying a URL) was clicked by someone in BSkyB with access to the Play Store account (and likewise the Twitter account). Social engineering is easy 🙂
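As an added example (not from the original post, and not Sky's or Google's code), here is how a practitioner can check whether a downloaded APK is still the build the developer shipped, rather than relying on an AV verdict. It does two things: it verifies the v1 (JAR) signature manifest digests of every entry, which catches a naive repackaging that did not regenerate the manifest, and it compares the signature block (META-INF/*.RSA) against a known-good fingerprint, which catches an APK that was re-signed with a different key. The sample APK, its file contents and the CERT.RSA blob are constructed stand-ins; the blob is not a real PKCS#7 structure, so the example hashes the block instead of parsing the certificate out of it. Against a real APK you would compare the certificate that `apksigner verify --print-certs` or `keytool -printcert -jarfile` prints with the one from a copy you trust.

```python
import base64
import hashlib
import io
import re
import zipfile

# Signature blocks in a v1-signed APK; these are not covered by MANIFEST.MF.
SIGNATURE_FILE_RE = re.compile(r"^META-INF/.*\.(RSA|DSA|EC)$", re.IGNORECASE)
DIGEST_ALGOS = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}


def parse_manifest(text):
    """Parse META-INF/MANIFEST.MF into {entry name: (hash algo, base64 digest)}.
    Attribute lines are wrapped at 72 bytes and continued with a leading space,
    so continuation lines are joined back onto the previous line first."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    digests, name = {}, None
    for line in lines:
        if not line:                      # a blank line ends a section
            name = None
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        elif key in DIGEST_ALGOS and name is not None:
            digests[name] = (DIGEST_ALGOS[key], value)
    return digests


def verify_manifest_digests(apk_bytes):
    """Names of entries whose bytes no longer match MANIFEST.MF, plus any entry
    the manifest does not list at all (a file the packager added later).
    Simplification: everything under META-INF/ is skipped."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for info in zf.infolist():
            n = info.filename
            if n.endswith("/") or n.startswith("META-INF/"):
                continue
            if n not in digests:
                bad.append(n)
                continue
            algo, expected = digests[n]
            actual = base64.b64encode(hashlib.new(algo, zf.read(n)).digest()).decode()
            if actual != expected:
                bad.append(n)
    return sorted(bad)


def signer_fingerprint(apk_bytes):
    """SHA-256 over the signature block(s). A re-signed APK carries a different
    signer certificate inside that block, so the value changes."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        blocks = sorted(n for n in zf.namelist() if SIGNATURE_FILE_RE.match(n))
        if not blocks:
            return None
        for n in blocks:
            h.update(zf.read(n))
    return h.hexdigest()


def check_apk(apk_bytes, known_good_fingerprint):
    fp = signer_fingerprint(apk_bytes)
    tampered = verify_manifest_digests(apk_bytes)
    signer_ok = fp is not None and fp == known_good_fingerprint
    return {"signer_matches": signer_ok, "tampered_entries": tampered,
            "unchanged": signer_ok and not tampered}


def _manifest_for(entries):
    out = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        out += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
    return "\n".join(out)


def build_sample_apk(tamper=None, signer=b"constructed-signature-block-developer"):
    """Constructed, minimal APK-shaped zip: not a real app and not a real PKCS#7
    signature. tamper="repackage" swaps classes.dex after the manifest was
    computed (attacker kept the original signature files); tamper="resign"
    swaps in a different signer block (attacker re-signed with their own key)."""
    entries = {
        "AndroidManifest.xml": b"<manifest package='com.example.constructed'/>",
        "classes.dex": b"dex\n035\x00original bytecode",
        "res/drawable/logo.png": b"\x89PNG constructed logo",
    }
    manifest = _manifest_for(entries)
    if tamper == "repackage":
        entries["classes.dex"] = b"dex\n035\x00injected bytecode"
    if tamper == "resign":
        signer = b"constructed-signature-block-attacker"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/CERT.RSA", signer)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    known_good = signer_fingerprint(build_sample_apk())   # from a trusted copy
    for label, kind in [("original", None), ("repackaged", "repackage"), ("re-signed", "resign")]:
        print(label, check_apk(build_sample_apk(kind), known_good))
```

The two checks are complementary: a repackaged APK whose attacker regenerated MANIFEST.MF and re-signed it passes the digest check but fails the signer comparison, while a lazy edit that kept the original signature files fails the digest check. Modern APKs also carry v2/v3 signatures in the zip's signing block, which `apksigner` verifies and this v1-only example does not.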
TIP: Developers can generate multiple signing keys, but moving an existing app onto a new key is difficult even with developer account access. I encourage developers to look at using the Play licensing service, checked from within the app, to authenticate. This provides some added protection if the master account password is compromised. There are issues with this though, i.e. users who downloaded the original app would have to download the app again from a new location. Not ideal, I know, but it's worth considering.
It's not 100% clear how the SEA actually managed to do this, but one thing is clear: they did. BSkyB took immediate action and removed all their apps.
Update: 31st May – BSkyB apps are now back on the Play Store.
*Two-factor authentication would have stopped this (and it works for more than one person/device too). It's also important that companies only issue Twitter and Play Store developer passwords to the admins who need them, and those passwords should be changed monthly for good measure.
Safe surfing folks!