Mobile Security: The Inside Job

This was going to be a comparison of major phones, breaking down some of the exploits and weaknesses.  I was potentially going to compare IOS to Android and throw fuel onto an already raging fire amongst smart phone enthusiasts which is, if you’re listening to a podcast, all of us.   Maybe you’re not a geek or a gadget nut but you’re probably far more dependent on that device than you may realise.  You’ve probably never really put a great deal of thought into how much of YOU is locked up in that phone.  You might even have a Kanye-West style pin code like 000000 to unlock it (if you didn’t see the article I posted on the Codifyre Facebook page about the worst passwords and pin-codes of 2018, it’s worth a read.  Kanye tops the bill).

Let’s start with what’s in your phone.

  1. Your contact list – essentially everybody you know but more importantly, people that make it into the contact list are likely people and phone numbers that you trust.  If somebody calls you from one of these numbers then it’s likely you’ll pick up.  Unless it’s that dodgy Uncle in which case, he’s in the phone specifically so you can NOT answer the phone.  We’ve all got a few of those.  But more importantly, this is a curated list or a short list of what you may have in your Facebook profile.  Facebook is like a collection of people you’ve met at some point.  I’ve got a guy in my Facebook friend list I met at a black jack table in Las Vegas once.  That’s pretty tenuous.
  2. Access to your email – I’m guessing most people with a smart phone use it for email.  That, and the ability to surf the web, are kind of the basic smartness of it being smart.  Otherwise it’s just a “camera phone”.  Remember when we called all smart phones camera phones?  That feels like a million years ago.  Your email has a lot more than you might think.  It’s got another list of contacts you likely trust.  It’s also got emails from services or brands that you subscribe to.  Mailing list emails that indicate your buying preferences and again, domains that you trust.  One of the biggest hazards of your email is that you probably use your email to reset your passwords to services like your phone or internet supplier, your electricity, Facebook, your banking login; you can now use your imagination to think about any other service you use that email to log in to.   It’s staggering.
  3. Your text messaging – You might be thinking… ok so what’s the problem with that?  I’m not texting illicit messages or engaging in spy stuff so it’s all just vacant messages about grocery lists and meet ups with friends.  No worries right?  Unfortunately it’s also likely that you may use your phone as a two-factor authentication (or 2FA) method.  You know how you can use email to reset your password?  The smart thing to do there would be to have a two factor authentication setup so that it uses another method to verify you are who you are.  The most common method is you use your phone.  The downside is that you probably use your phone to access email more often than your laptop computer so essentially, if I have access to your phone, I have your email and I have your two-factor authentication as well.   It’s pretty pointless.
  4. The rest – Everything from your personal photos to your saved passwords, because you used the built-in password storage mechanism instead of something like Lastpass to hold passwords.  You might even have a note taking program where you’ve written down passwords or pins in case you forget.

Your phone has essentially become a single point of weakness for your entire identity.   


The first port of call for authentication is to go back to the 3 types of authentication.  They are:

  1. Something you know (a password, secret question)
  2. Something you have ( the phone itself (this is the theory behind that 2FA text message), or an RSA key fob for work)
  3. Something you are ( fingerprint or facial recognition )


There are problems with all of these. 

  1. Something you know, you can forget.  That’s why password reset mechanisms exist but what you don’t know is that while web applications are very good at creating secure logins, they tend to forget to make the password reset just as secure.  Many an account take-over has started with the password reset.
  2. Something you have, you can lose.  I feel I’ve already poked a few holes in that one.  If you are using the something you have to access the service then it negates its own security as a 2nd factor of authentication.  Also, you can always lose an item you have.
  3. Something you are, is immutable.  This is the best method of authentication.  You can neither lose nor forget your fingerprint or face and ideally, unless we’re in a Mission Impossible film, nobody can get it from you.   Technologies surrounding these methods are improving rapidly but there is always the possibility that Nation States are also working on ways to imitate or circumvent these as well.  If somehow a fingerprint or facial recognition became compromised, well, you’re pretty stuffed because you can’t change it like a password.


How could somebody get access to your phone then?  Outside of the obvious, leaving your phone unattended while you go for a tinkle without locking it.  That usually only results in your “friends” posting on your Facebook page a friendly message about you deciding to marry your brother or other wacky hijinks.  What I’m suggesting instead is an inside job.

The puppet in this criminal masterstroke is unfortunately, you. 

 
One of the biggest differences between Android and IOS is that Android allows you to load apps from somewhere other than its official Google Play store.  There are enough of these alternative stores offering “free” apps that there is an article on Medium (there are many more of course) listing the top alternatives (https://medium.com/pen-bold-kiln-press/best-google-play-store-alternatives-30c759de1c26).


In this podcast I’m going to focus on one particular piece of malware which brought together many of these security elements into one big bypass to steal money (and the potential for so much more) from Android users.  Only this month (Dec 2018) yet another free app was released on an alternative app store called “Optimization Battery”.   Sounds like something you might download if you’ve got an older phone with battery issues.  That would probably be most of us.  Here’s how this inside job played out…

  1. You downloaded it.
  2. It asked for permissions to the phone that you don’t understand and you clicked ok to grant them.  The permission it asked for in this case was “Accessibility”.  An innocuous sounding permission with far-reaching powers.  This has access to screen taps and OS interactions which are not dissimilar to keyboard and mouse access on your laptop.
  3. You accessed your Paypal account via your phone. 


The app waited in silence for this moment.  It didn’t hijack your password or 2FA details but instead waited for you to be “safely” logged into Paypal before it proceeded to try and transfer 1000 of your chosen currency away.  There’s a fantastic video of it in action on the blog which shows in one short moment how pointless two factor authentication via phone is and how quickly this malicious application could emulate the required clicks to instigate this transfer before you could stop it.  In the video the Paypal account in question didn’t have enough money so it doesn’t work.

https://youtu.be/yn04eLoivX8

Personally I think they would have been more successful being slightly less greedy.

What else could have been possible simply by granting access to a single permission?  

  • Clickjacking:  Overlaying different pages when starting other apps that trick the user into handing over credentials or card details (Banking, Email, Ecommerce)
  • Intercept and send SMS messages; delete all SMS messages; change the default SMS app (to bypass SMS-based two-factor authentication)
  • Obtain the contact list
  • Make and forward calls
  • Obtain the list of installed apps
  • Install and run apps
  • Communication with an outside control centre



This application completely owned the phone.  Could that have happened on IOS?   No.  That’s the easy answer.  The reality is, there is probably a way but it falls into the highly unlikely category because of the closed system that Apple uses to secure the applications that are offered from their one store.  You might think that Apple is a corporate monster luring you into their web and making you dependent on a single supply for your tech needs.  Well yes there’s that but also, it brings a significant benefit in its security.
Downloading apps from a 3rd party app store probably sounds a bit rogue and I’m sure provides access to all sorts of amazing apps that don’t make the Google Play cut.  As you can see though, attackers are specifically targeting these alternatives with a cacophony of malicious, too good to be true, free apps.  Tread with caution.



 
The good news is that Android security vulnerabilities and malicious apps are going down as Google tightens up the ship on security.  However in 2018, despite having fewer detections of malicious code, the number of new variants for Android continues at around 300 new samples monthly.   In fact the number of straight up Android OS security vulnerabilities in the operating system itself in 2017 was over 800 with 355 being considered critical enough for an attacker to achieve malicious execution of code.
One of the key factors which makes this dangerous is that the Android OS is open source.  Anybody can download and build the OS which means anybody can find out how it works.  And people do.  Both good guys and bad guys.  IOS isn’t off the hook though.  In 2017 IOS had just under 400 (half of Android) security vulnerabilities of which only 60 were considered critical.


Known vulnerabilities are a critical problem as they tend to be… well… known!  That means unpatched devices using the older OS versions are ripe for malicious attacks.  Add to this the open nature of the application eco-system surrounding Android and it becomes quite opportunistic for the baddies.


One does wonder if the considerably smaller number of reported IOS vulnerabilities is down to Android being an open source OS and therefore having more people having inside knowledge of its workings than IOS or whether it’s truly less secure.


I’ll add with regard to IOS, many of the vulnerabilities we hear about are by design.  What do I mean by that?  There is a great video on YouTube by researcher Jose Rodriguez, who shows how you can gain access to an iPhone’s contact list without authenticating.   It’s an entertaining and bizarre path he takes to accomplish it but still, a major problem and not something that, in terms of risk, would be achievable without having the phone in your hands.  What I’m trying to address in this podcast/blog is how to be both aware of how access to your phone can lead to a security catastrophe and how we can be better at being more secure.

https://youtu.be/ojigFgwrtKs




Advice…  Only download apps from the Google Play store if you’re using Android.  It’s tempting to feel like a pirate and go roaming around some of the alternative stores but know that it’s far more risky.   Consider that in 2017 Google removed over 700,000 malicious apps from their store and that’s meant to be the low risk application store.  Additionally Google added in 2018 their Google Play Protect to auto-scan apps right in the Play store.  However, that has largely been labelled as a nice effort but still no substitute for an on device scanner like Sophos or Avira offer.
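
To check a device for the combination described above (an app that did not come from Google Play and now holds the Accessibility permission), here is an added example that is not from the original post or the cited research. It parses the output of two standard adb commands; the package names and sample output are constructed, and treating anything not installed by the Play Store as untrusted is an assumption.

```python
PLAY_STORE = "com.android.vending"  # installer name recorded for Play Store installs

# Constructed sample: `adb shell settings get secure enabled_accessibility_services`
SAMPLE_SERVICES = ("com.example.screenreader/.ReaderService:"
                   "com.example.optimizer/com.example.optimizer.CleanerService")

# Constructed sample: `adb shell pm list packages -3 -i` (third-party apps only)
SAMPLE_PACKAGES = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.optimizer  installer=null
package:com.example.notes  installer=com.android.vending
"""


def parse_services(raw):
    """Map package -> [service classes] from the colon-separated setting."""
    services = {}
    for component in raw.strip().split(":"):
        if "/" not in component:  # an empty setting prints "null" or nothing
            continue
        package, cls = component.split("/", 1)
        if cls.startswith("."):  # shorthand: class name relative to the package
            cls = package + cls
        services.setdefault(package, []).append(cls)
    return services


def parse_installers(raw):
    """Map package -> installer (None if unrecorded) from `pm list packages -i`."""
    installers = {}
    for line in raw.splitlines():
        if line.startswith("package:"):
            name, _, rest = line[len("package:"):].partition("installer=")
            src = rest.strip()
            installers[name.strip()] = None if src in ("", "null") else src
    return installers


def risky_services(services_raw, packages_raw, trusted=(PLAY_STORE,)):
    """Return (package, service, installer) for third-party services whose
    package was not installed by a trusted store."""
    installers = parse_installers(packages_raw)
    findings = []
    for package, classes in parse_services(services_raw).items():
        # Assumption: packages missing from the -3 listing are preinstalled; skip them.
        if package in installers and installers[package] not in trusted:
            findings.extend((package, c, installers[package]) for c in classes)
    return findings


if __name__ == "__main__":
    for pkg, svc, src in risky_services(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg}: {svc} (installer: {src or 'none recorded'})")
```

A finding is a prompt to review the app, not proof of malware: legitimately sideloaded tools will show up too.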


What is the verdict?  Let’s be clear, there is no “perfect” in terms of mobile security.  Both OS’s have issues but it’s the ecosystem combined with the demographic of those using Android that introduces critical risk.  Most at risk are those using older Android phones without fingerprint technology and older OS revisions for affordability reasons.  For the same reasons they may fall victim to downloading malicious apps from non Google Play stores leaving them highly vulnerable to high impact security breaches.


Android still has a long way to go to reach the security of IOS but it’s on the right path.  Users of Android simply need to be more savvy as the platform continues to be an active playing field for hackers.


References:

https://www.welivesecurity.com/2018/08/29/semi-annual-balance-mobile-security/

https://medium.com/pen-bold-kiln-press/best-google-play-store-alternatives-30c759de1c26

https://www.zdnet.com/article/android-malware-steals-money-from-paypal-accounts-while-users-watch-helpless/

https://www.theverge.com/2018/1/30/16951996/google-android-apps-removed-security-2017

https://www.tomsguide.com/us/android-antivirus-av-test,news-26648.html
