Kevin McNamee stands in front of his laptop on a low stage, a phone in his hand as he scrolls through a program showing his phone’s screen, magnified on a projector screen beside him.

Bits of code start flashing across the screen as he injects command-and-control malware into the command window of the app for Rovio Entertainment Ltd.’s trademark game, Angry Birds – transforming the app into a new version he’s dubbed “Very Angry Birds.”

“And here we go,” he says, frowning down at the screen as he begins to run the new app.

McNamee was presenting at SecTor 2013, a conference on all things IT security held in Toronto from Oct. 7 to 9. The director of Kindsight Security Labs at Alcatel-Lucent Canada Inc. in Ottawa, McNamee wanted to show how simple it is to use an Android software development kit to add malware to an existing app.

(Image: Rovio Entertainment Ltd.) Any Android app, including the very innocent-looking Angry Birds, could have malware injected into it, says McNamee.

When a user downloads a malware-laden version of the app, he or she is asked to sign off on all kinds of permissions, such as access to contact lists, the camera, and so on. If a user carelessly checks ‘yes’ on all the options, the app activates a piece of malware called “Droid Whisper,” and the hacker who wrote it now has access to the phone owner’s contact lists, location, messages, camera, and microphone. That means someone can remotely listen in on and record phone conversations, send messages to the phone owner’s contacts, and even take pictures with that phone.

The same process works on basically any Android app: the malware is injected using the Android application package tool, and it then runs as a service in the background, McNamee said.

“The reason we built this was to demonstrate it was possible … We basically have complete control of this phone. Anything you can do programmatically to the phone, you can do with this,” he said, adding his team had never released the source code, but it wouldn’t be too difficult for a developer to run this script.

“I can now take that, and that is a version of Angry Birds that looks just like Angry Birds, it behaves just like Angry Birds, and as far as I can tell, it is Angry Birds, but it has my entire spy phone functionality in it … It’s brilliantly simple to program.”

For McNamee’s team, the hardest part of the programming process was working with the phone’s camera – after all, any user might become suspicious if a camera suddenly started taking pictures and making shutter noises.

While this seems like something that James Bond would have only dreamed of three decades ago, McNamee said spy phones have been around for a while, even on the consumer market. Some people have an appetite for spying on potentially cheating spouses, or for checking in on the locations of their children and loved ones.

But putting all of the fun of building an espionage-enabling phone aside, McNamee said, one of the biggest problems is that Android developers aren’t required to verify their identities when they create apps.

While developers do have to sign their apps, any Android developer can do so with a certificate they generated themselves, with no further identity verification. There’s no way to really know who created an app, he said.

“There’s no value from a security perspective, but it’s fine. Android apps are routinely signed with self-signed certificates all the time,” he added. “And I think in the Android space, the fact that it’s easy to hijack an application like this is a huge oversight in terms of the security posture.”

“The signature verification process should be more vigorous. You don’t have this issue on the iPhone because at least on the iPhone, you need to be certain it came from Apple. At least you need a name.”
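The point McNamee makes about self-signed certificates can be shown with a small detection script. The following is an added example, not code from McNamee’s team or from Alcatel-Lucent: it builds a miniature JAR-style (v1) signed archive in memory, then audits it in two ways, checking that every entry still matches the digest recorded in META-INF/MANIFEST.MF and checking that the signer block matches a pinned publisher fingerprint. The archive contents, the signer blocks and the pinned fingerprint are all constructed for the example (a real APK’s META-INF/CERT.RSA is a PKCS#7 blob holding the signer’s certificate, and the CERT.SF layer and the newer v2/v3 signing schemes are omitted here). The lesson it demonstrates is the one in the article: a rebuilt and re-signed app passes every integrity check because its manifest is internally consistent, so only a check on who signed it tells it apart from the original.

```python
import base64
import hashlib
import io
import zipfile

# Constructed stand-ins for this example. A real APK's META-INF/CERT.RSA holds a
# PKCS#7 signature block containing the signer's certificate; here it is just
# bytes, and "signer identity" is modelled as the SHA-256 of that block.
PUBLISHER_SIGNER = b"constructed: publisher signature block"
ATTACKER_SIGNER = b"constructed: repackager's self-signed signature block"
PINNED_SIGNER_SHA256 = hashlib.sha256(PUBLISHER_SIGNER).hexdigest()

# Constructed app contents (hypothetical package name, not a real one).
GAME_FILES = {
    "AndroidManifest.xml": b"<manifest package='constructed.example.game'/>",
    "classes.dex": b"dex\n035\x00constructed game bytecode",
}


def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_apk(files: dict, signer_block: bytes) -> bytes:
    """Build a minimal JAR-style signed archive: MANIFEST.MF records a
    SHA-256-Digest per entry, and the signer block is stored as CERT.RSA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        lines = ["Manifest-Version: 1.0", ""]
        for name, data in files.items():
            z.writestr(name, data)
            lines += [f"Name: {name}", f"SHA-256-Digest: {_b64_sha256(data)}", ""]
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
        z.writestr("META-INF/CERT.RSA", signer_block)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Map entry name -> base64 SHA-256 digest from a MANIFEST.MF."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name is not None:
            digests[name] = line[len("SHA-256-Digest: "):]
    return digests


def audit_apk(apk: bytes, pinned_signer_sha256: str) -> dict:
    """Check (1) every non-META-INF entry against its manifest digest and
    (2) the signer block against the pinned publisher fingerprint."""
    findings = {"tampered": [], "unlisted": [], "signer_ok": False}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for name in z.namelist():
            if name.startswith("META-INF/"):
                continue
            if name not in digests:
                findings["unlisted"].append(name)
            elif digests[name] != _b64_sha256(z.read(name)):
                findings["tampered"].append(name)
        signer = hashlib.sha256(z.read("META-INF/CERT.RSA")).hexdigest()
        findings["signer_ok"] = signer == pinned_signer_sha256
    return findings


def replace_entry(apk: bytes, name: str, data: bytes) -> bytes:
    """Overwrite one entry while leaving MANIFEST.MF and CERT.RSA stale."""
    src = zipfile.ZipFile(io.BytesIO(apk))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for entry in src.namelist():
            dst.writestr(entry, data if entry == name else src.read(entry))
    return buf.getvalue()


def genuine_apk() -> bytes:
    return build_apk(GAME_FILES, PUBLISHER_SIGNER)


def crudely_patched_apk() -> bytes:
    # Code changed in place; the manifest digest no longer matches.
    return replace_entry(genuine_apk(), "classes.dex", b"dex\n035\x00modified bytecode")


def repackaged_apk() -> bytes:
    # Rebuilt and re-signed with a different self-generated key: every digest
    # is consistent again, so only the signer check can tell it from the original.
    files = dict(GAME_FILES, **{"classes.dex": b"dex\n035\x00modified bytecode"})
    return build_apk(files, ATTACKER_SIGNER)


if __name__ == "__main__":
    for label, apk in [("genuine", genuine_apk()),
                       ("crudely patched", crudely_patched_apk()),
                       ("repackaged and re-signed", repackaged_apk())]:
        print(label, audit_apk(apk, PINNED_SIGNER_SHA256))
```

Running it prints a clean result for the genuine archive, a `tampered` entry for the crudely patched one, and `signer_ok: False` with no digest failures for the repackaged one. In practice the pinned value would be the SHA-256 fingerprint of the publisher’s signing certificate extracted from the PKCS#7 block, and an app store or mobile security product would compare that against the fingerprint recorded when the app was first published.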

While anti-virus companies would probably be able to detect this right away, it would still take a few days before anyone noticed that this kind of app had been released – and by then, many people might have been lured into downloading it, McNamee said.

And unfortunately, there isn’t too much legitimate app developers can do to avoid having their apps hijacked, he added. There are some obfuscation tools out there, but beyond that, he couldn’t foresee what else might prevent hackers from easily creating malware and hiding it within a real app.

Still, on the consumer side, Android users can protect themselves by ensuring they only download apps from known sources like Google Play, or from their mobile service providers.

McNamee also encourages consumers to download mobile anti-virus apps, and he said small businesses should prevent employees from logging onto the company’s production network using their own devices. Instead, they can create a separate public Wi-Fi space for their employees’ smartphones and tablets.

Alcatel-Lucent also has products for network-based malware protection, an extra layer provided through mobile carriers.


  • http://www.grouptravelodyssey.com/ Jean Marcus

    This is something different. Building a spy phone, well, maybe that is something useful and that would definitely work.

  • Android User

    This becomes a real problem, as users are not aware of what permissions an app really requires. If you want to help yourself, just install the Network Connections app from Google Play, and every single connection without a good reason will show up. I’ve already removed two apps from my phone for excessive traffic in the background.

  • William

    Hi Candice. Yes, Droid Whisper can create a lot of problems for spy app users. For that reason they should read all the guidelines and disclaimers carefully. I guarantee a spy app which has no such lines in its disclaimer or agreements, i.e. “Zealspy”. You can try it and no malware will attack your smartphone. Promise! Because I am a former user of this app.