Kevin McNamee stands in front of his laptop on a low stage, a phone in his hand as he scrolls through a program showing his phone’s screen, magnified on a projector screen beside him.
Bits of code start flashing across the screen as he injects command-and-control malware, from a command window, into the app for Rovio Entertainment Ltd.’s trademark game, Angry Birds – transforming the app into a new version he’s dubbed “Very Angry Birds.”
“And here we go,” he says, frowning down at the screen as he begins to run the new app.
McNamee was presenting at SecTor 2013, a conference on all things IT security held in Toronto from Oct. 7 to 9. The director of Kindsight Security Labs at Alcatel-Lucent Canada Inc. in Ottawa, McNamee wanted to show how simple it is to use an Android software development kit to add malware to an existing app.
When a user downloads a malware-infected version of the app, he or she is asked to approve all kinds of permissions, like access to contact lists, the camera, and so on. If a user carelessly checks off ‘yes’ on all the options, the app is activated with a piece of malware called “Droid Whisper,” and the hacker who wrote it now has access to the phone owner’s contact lists, location, messages, camera, and microphone. That means someone can remotely listen in on and record phone conversations, send messages to the phone owner’s contacts, and even take pictures with that phone.
The same process works for basically any Android app: the malware is injected using the Android application package tool, and it simply runs as a service in the background, McNamee said.
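The capabilities described above leave a footprint in the repackaged app’s manifest: a game that suddenly asks for contacts, location, SMS, camera and microphone, registers an extra background service, and starts itself at boot. The following triage script is an added example written for this article; it is not code from McNamee’s team or from the talk. It assumes the manifest has already been decoded to plain XML (for instance with apktool), takes the set of permissions the app legitimately needs as input, and scores whatever is left over. The permission strings are real Android permission names; the two sample manifests, the risk weights and the class and service names are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for spy-phone style capability.

Added example, not from the talk or the article. Assumes the manifest is
plain XML (already decoded, e.g. by apktool); binary manifests are not
handled. Sample manifests and weights below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that together give a remote operator the capabilities
# described in the talk: contacts, location, SMS, camera, microphone,
# plus the network access and autostart needed to use them.
SPY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.SEND_SMS": "sms-send",
    "android.permission.READ_SMS": "sms-read",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.INTERNET": "network",
    "android.permission.RECEIVE_BOOT_COMPLETED": "autostart",
}

# Constructed sample: a game manifest with permissions a game has no reason
# to request, an extra background service, and a boot receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Game">
        <activity android:name=".MainActivity"/>
        <service android:name="com.example.game.SyncService"/>
        <receiver android:name="com.example.game.BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: the same game as it would look without the implant.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Game">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (permissions, service names, starts_on_boot) from plain-XML manifest text."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    app = root.find("application")
    services = [s.get(NAME_ATTR) for s in app.iter("service")] if app is not None else []
    boot = any(a.get(NAME_ATTR) == "android.intent.action.BOOT_COMPLETED"
               for a in root.iter("action"))
    return perms, services, boot


def triage(xml_text, expected_perms):
    """Score a manifest against the permissions the app is known to need.

    Returns (score, findings). Weights are constructed: one point per
    unexpected capability, one each for a background service and autostart,
    two for data-collection permissions combined with network access.
    """
    perms, services, boot = parse_manifest(xml_text)
    findings = []
    unexpected = sorted(p for p in perms if p in SPY_PERMISSIONS and p not in expected_perms)
    for p in unexpected:
        findings.append(f"unexpected {SPY_PERMISSIONS[p]} permission: {p}")
    capabilities = {SPY_PERMISSIONS[p] for p in unexpected}
    score = len(capabilities)
    if services:
        findings.append(f"background service(s): {', '.join(services)}")
        score += 1
    if boot:
        findings.append("starts on boot (BOOT_COMPLETED receiver)")
        score += 1
    # Network access plus a sensor or data permission is what makes remote
    # collection possible; flag that combination separately.
    collects = capabilities - {"network", "autostart"}
    if collects and ("android.permission.INTERNET" in perms):
        findings.append("data-collection permission combined with network access")
        score += 2
    return score, findings


if __name__ == "__main__":
    needs = {"android.permission.INTERNET"}
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        score, findings = triage(text, needs)
        print(f"{label}: score={score}")
        for f in findings:
            print("  -", f)
```

The useful signal is the difference between what the app needs and what it asks for, so the caller supplies the expected permission set rather than relying on a fixed blocklist; a messaging app legitimately needs SMS access, a game does not. Scores are only a ranking aid for deciding which packages to inspect further.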
“The reason we built this was to demonstrate it was possible … We basically have complete control of this phone. Anything you can do programmatically to the phone, you can do with this,” he said, adding his team had never released the source code, but it wouldn’t be too difficult for a developer to run this script.
“I can now take that, and that is a version of Angry Birds that looks just like Angry Birds, it behaves just like Angry Birds, and as far as I can tell, it is Angry Birds, but it has my entire spy phone functionality in it … It’s brilliantly simple to program.”
For McNamee’s team, the hardest part of the programming process was working with the phone’s camera – after all, any user might become suspicious if a camera suddenly started taking pictures and making shutter noises.
While this seems like something that James Bond would have only dreamed of three decades ago, McNamee said spy phones have been around for a while, even on the consumer market. Some people have an appetite for spying on potentially cheating spouses, or for checking in on the locations of their children and loved ones.
But putting all of the fun of building an espionage-enabling phone aside, McNamee said, one of the biggest problems is that Android developers aren’t required to verify their identities when they create apps.
While they do have to generate a signing certificate, any Android developer can easily sign an app with one, without any other level of verification. There’s no way to really know who created an app, he said.
“There’s no value from a security perspective, but it’s fine. Android apps are routinely signed with self-signed certificates all the time,” he added. “And I think in the Android space, the fact that it’s easy to hijack an application like this is a huge oversight in terms of the security posture.”
“The signature verification process should be more vigorous. You don’t have this issue on the iPhone because at least on the iPhone, you need to be certain it came from Apple. At least you need a name.”
While anti-virus companies would probably be able to detect this right away, it would still take a few days before anyone noticed this kind of app had been released – and by then, many people might be lured to download it, McNamee said.
And unfortunately, there isn’t too much legitimate app developers can do to avoid having their apps hijacked, he added. There are some obfuscation tools out there, but beyond that, he couldn’t foresee what else might prevent hackers from easily creating malware and hiding it within a real app.
Still, on the consumer side, Android users can protect themselves by ensuring they only download apps from known sources like Google Play, or from their mobile service providers.
McNamee also encourages consumers to download mobile anti-virus apps, and he said small businesses should prevent employees from logging onto the company’s production network using their own devices. Instead, they can create a separate public Wi-Fi space for their employees’ smartphones and tablets.
Alcatel-Lucent also has products for network-based malware protection, an extra layer provided through mobile carriers.