Making Android Malware in a Limo

Websense invites us into its lab in a limo to show us how quickly it can make Android malware whilst on the move

Have you ever jumped into a limo only to realise it was doubling up as a security lab? No? We hadn’t, but today TechWeekEurope did just that, getting into the back of a somewhat seedy vehicle, complete with blacked-out windows, vinyl seating, swirling disco lights embedded into the roof (see left) and two researchers looking, and probably feeling, awkward.

The limo was hooked up with a 3G hotspot and a widescreen TV too, but our hosts, Websense, weren’t showing what they would do if they replaced Xzibit’s crew on Pimp My Ride. There was a purpose to these shenanigans: mobile security. A tenuous link? Perhaps, but Carl Leonard, security research manager at the firm, showed what a particularly indulgent and wealthy hacker could work on whilst sipping on Cristal and tucking money into strippers’ G-Strings.

Soho security

As we took off from TechWeekEurope’s Soho headquarters for a brief trip around London on a balmy spring afternoon, Leonard demonstrated how a malicious Android app could be created in just 10 minutes. Bringing up the Android SDK in Eclipse on the LCD screen, he produced a fake antivirus app in super quick time, cunningly calling it Awesome AV Scanner. If it’s called Awesome, who wouldn’t download it, right? It looked relatively convincing too, what with its star rating feature and the option to register the service. Once the user clicked on that register option, the app would crash.

“This gives us a brilliant opportunity to inject whatever we want, like malicious downloads maybe from a third-party marketplace or from some other location,” Leonard said. He then moved to create a new malicious app, which looked the same but would seek to acquire data by duping the user within the application.

“All I need to do is create a new script that utilises the registration click feature. All I’m using is preset environments and functions within the Android SDK. As a prerequisite for this demo, I got hold of some open source software that’s freely available, anyone can do this,” he added.

Appy travels

The second rogue app lets people go through the registration stage – possibly hoping this new app would be better than the one that crashed – where they will be asked for a password. Once they’ve done that, they’ve most likely handed over the keys to their other online services, like internet banking and email accounts, given how slack many are with their web identities, Leonard said.

If a hacker could get both apps onto a user’s phone, there would be serious repercussions for whoever their employer was too. Getting one nasty app on a user’s device can mean information held by other apps is under threat. “Now we’ve got a foothold into their environment. These things offer an open door into corporate security networks,” Leonard added. “My application can now be parsing the phone, I can look at all of the APKs [application package files] that are installed and then I can find the ones I’m interested in and get hold of additional pieces of data from other apps.”

There are other things slimy, nouveau riche cyber criminals can get up to when on the move. As we made our way along the bumpy Soho streets back to the office, we discussed setting up a honeypot access point for people to sign onto, tracking their activity with tools like Cain & Abel to pick up passwords.

“You can get code that sends out a fake access point, you do wonder if you could send out several million,” hypothesised Leonard’s co-worker Spencer Parker, group product manager at Websense.

Leonard proffered another idea. “I’ve heard of people driving very slowly past hotspots to pick up people’s credentials,” he added. Isn’t that what Google did, albeit accidentally, not so long ago? It seems there are multiple dimensions to the term “mobile security”.

Anyway, if you’re a minted cyber criminal who likes the smuttier, more lavish things in life and you like your hacking vehicular, get yourself a limo, a couple of hotspots and start stealing data in luxury.

DISCLAIMER:

TechWeekEurope would never advocate or condone data theft. Even if done in a cool way, with 50 Cent blasting out of your subwoofers and neon lights reflecting off your bling. Innit.
