My readers will already know that Android devices are targeted by malware authors. With an ecosystem built on open source (or should that be “open season” :)), it’s not surprising that simply re-packaging an app can evade Google’s Bouncer and App Verify security mechanisms.
At DefCon a researcher recently confirmed our own internal research: developing a proof-of-concept app that steals users’ credentials and data, and getting it onto the Play Store, is easy to do. When you sign in with a Google account on Android, a feature called “weblogin” generates a web token that authenticates you to Google websites and services using the Google accounts already configured on your devices, without a separate sign-in.
Weblogin is convenient, especially when you use Google websites and services on several devices. The DefCon researcher repackaged a genuine app and published it on the Play Store with a description clearly stating that the app was malicious and should not be installed. The app requests permission to find the accounts on the device and to use the network, then uses the Google account it finds to request a weblogin token for a URL (in this case finance.google.com); that request produces a standard system prompt asking you to grant the app access to that URL. Once you accept, the app obtains the token, which logs you in, and sends it to the remote server (see below for further information).
There are two scenarios for this proof of concept (see bootnote):
Non-rooted device: Because the prompt is the standard one produced by the Android account API, most users will accept it, and a weblogin token that signs the user in to Google services automatically is generated without them understanding what they have granted. The token is then transmitted over an encrypted session to a remote command and control server, so the theft is not visible in cleartext on the network. An attacker holding that token can access all the Google services used by that user.
Rooted device: On a rooted device the app can obtain root privileges, in which case the token can be read and uploaded without any prompt being shown to the user.
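As an added example (this is not code from the original post or from the DefCon researcher), here is a small static triage script that looks for the combination the post describes: the account and network permissions in the decoded manifest, plus the “weblogin:service=...&continue=...” auth-token type that an app passes to AccountManager.getAuthToken(), which survives as a literal in the dex string table. The permission names and the token-type format are the real Android ones; the package names, hosts and sample inputs are constructed for the example.

```python
"""Static triage for the repackaged-app pattern described above.

Inputs are the decoded AndroidManifest.xml (as produced by `apktool d app.apk`)
and the string table of classes.dex (as produced by `strings classes.dex` or a
dex dumper). The sample manifest and strings below are constructed for this
example; they are not taken from the DefCon app.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = "{%s}name" % ANDROID_NS

# Permissions the described flow needs: enumerate accounts, request tokens for
# them (USE_CREDENTIALS was required for AccountManager.getAuthToken before
# Android 6.0), and reach the network to hand the token to a remote server.
ACCOUNT_PERMS = {
    "android.permission.GET_ACCOUNTS",
    "android.permission.USE_CREDENTIALS",
}
NETWORK_PERM = "android.permission.INTERNET"

# The auth-token type passed to AccountManager.getAuthToken() for a weblogin
# token has the form "weblogin:service=<name>&continue=<url>". It is a string
# literal in the app, so it survives in the dex string table.
WEBLOGIN_RE = re.compile(r"weblogin:service=[^\s\"&]+&continue=[^\s\"]+")


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}


def weblogin_targets(dex_strings):
    """Return (token_type, continue_host) for every weblogin token type found."""
    found = []
    for s in dex_strings:
        for m in WEBLOGIN_RE.finditer(s):
            token_type = m.group(0)
            params = parse_qs(token_type.split(":", 1)[1])
            continue_url = params.get("continue", [""])[0]
            found.append((token_type, urlparse(continue_url).hostname or ""))
    return found


def triage(manifest_xml, dex_strings):
    """Combine the two signals; only flag when the full pattern is present."""
    perms = declared_permissions(manifest_xml)
    targets = weblogin_targets(dex_strings)
    reasons = []
    account_perms = sorted(perms & ACCOUNT_PERMS)
    if account_perms:
        reasons.append("declares account permissions: " + ", ".join(account_perms))
    if NETWORK_PERM in perms:
        reasons.append("declares INTERNET")
    for token_type, host in targets:
        reasons.append("requests weblogin token for %s (%s)" % (host, token_type))
    # Account permissions alone are common (any app syncing to a Google account);
    # the weblogin token type plus network access is what singles this pattern out.
    suspicious = bool(targets) and bool(account_perms) and NETWORK_PERM in perms
    return {"suspicious": suspicious, "reasons": reasons, "targets": targets}


# Constructed sample input: a repackaged app in the shape the post describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <application android:label="Repackaged Game"/>
</manifest>
"""
SAMPLE_DEX_STRINGS = [
    "Lcom/example/repackaged/TokenUploader;",
    "android.accounts.AccountManager",
    "com.google",
    "weblogin:service=finance&continue=https://finance.google.com",
    "https://c2.example.invalid/upload",
]

# Constructed benign sample: network access only, no account use.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""
BENIGN_DEX_STRINGS = ["Lcom/example/benign/MainActivity;", "https://api.example.invalid/"]


if __name__ == "__main__":
    for name, manifest, strings in (("repackaged", SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS),
                                    ("benign", BENIGN_MANIFEST, BENIGN_DEX_STRINGS)):
        result = triage(manifest, strings)
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "clean")
        for reason in result["reasons"]:
            print("   ", reason)
```

Feed it the apktool and strings output for the APK under review; the benign sample shows that INTERNET on its own does not trigger it. It is a heuristic, not a detection signature: an app that assembles the token-type string at runtime, or obfuscates its string table, leaves no “weblogin:” literal to find, which is one reason a permissions-and-strings scan alone is not enough to catch a repackaged app.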
The repackaged app actually stayed on the Play Store for about a month before App Verify flagged it as “spyware”, but by then the weakness had already been demonstrated, and a genuinely malicious version could have left many users with a credential-stealing app on their Android devices.
Safe surfing folks!
Bootnote: Mobile AV scanning engines failed to detect this repackaged app as malicious