The Canadian Broadcasting Corporation’s (CBC) Marketplace program aired an investigative report entitled Are Your Apps Spying On You? on Friday January 6, 2017 to bring attention to hidden risks in mobile apps and the rampant lack of awareness about basic mobile security on the part of average users. The reporters wanted to demonstrate how easy it was to get people to download an app from an unofficial source, how little attention users pay when setting app permissions and what personal data might be at risk as a result. Everyone was surprised to see all the data that had been collected.
As described in a separate blog post, Appthority collaborated with CBC Marketplace journalists to develop an innocent-looking app that collected personal data–one that could, in effect, spy on users. The app’s faux functionality was that of a horoscope, something with limited functionality that people might access on a daily basis. Below, we provide some technical details on the app’s functionality and how it was developed.
Creating a “Horoscope” App
The app was to pose as a daily horoscope app, but also be able to access user’s pictures, location, and other information in order to educate users on the risks of installing side-loaded apps as well as to show just how much data an app can gather from user devices.
Declaration: Appthority would like to reassure readers that this Horoscope app was created for educational purposes only and that we took extra steps to protect users’ privacy. First, Appthority did not access personal content throughout this experiment. Second, we have informed all affected users and recommended they uninstall the app. Third, all the collected user data has been completely deleted and removed from the C&C server, and the server instance has also been destroyed.
These are the steps we followed to create the app.
Step 1: Creating a benign-looking app
Apps that are easy to create include flashlight apps, horoscope apps, calculator apps, wallpaper apps and emoji apps. Some of them have their source code available as open-source projects. We agreed with CBC to take only “24 hours” to create the app and to let users use it for seven days. A daily horoscope app, showing a daily horoscope over seven days, seemed perfect for this task.
Creating the benign-looking horoscope app:
- Start Android Studio and create a new project (mydailyhoroscope.android)
- Create a simple WebView
- Use an existing horoscope web site as a guide (http://www.psychicguild.com/horoscopes_explained.php). Download the free zodiac images from http://www.flaticon.com/packs/zodiac-2.
The final code showing how the app looks is below.
Step 2: Finding pre-existing spyware
The app leverages an off-the-shelf Android Remote Administration tool called DroidJack, which gives a controller remote access to any Android device that installs an app built with the toolkit. It is available at http://droidjack.net/features.html.
We also researched other pre-existing spyware packages, such as TheOneSpy (https://www.theonespy.com/android-spy-software/), Androrat (https://github.com/wszf/androrat.git) and Omnirat (https://omnirat.eu/en/). DroidJack costs about $100.
Step 3: Setting up a Command & Control (C&C) server (optional)
This step is optional for a real-life blackhat attacker, since spyware packages normally come with an administration tool for accessing data from the vendor’s server. However, because we wanted full control over the data we collected, for the sake of user privacy, we set up an Amazon Workspace as our own C&C server.
Step 4: Testing with anti-virus (optional)
Unmodified, DroidJack was detected as malware by slightly over half (55%) of the anti-virus engines we tested, including the anti-virus built into Android by Google. Simply renaming the spyware package dropped detection to 44% and evaded Google’s built-in anti-virus engine. Knowing that most people lack any anti-virus app (other than the built-in one from Google that we were able to bypass), we were happy with 44%, although we could easily have obfuscated the code and reduced the detection percentage even further.
Step 5: Choosing the payload delivery method
We’ve seen malicious apps use various techniques to land on target mobile devices. They include (1) uploading the app to the Google Play Store, (2) sending it via email or SMS and (3) hosting it on a website and simulating a drive-by-download attack. Method (1) is risky for an attacker, as the Google Play Store is scanned by Google Bouncer and constantly monitored by the public, so the attacker’s account and app might get flagged or reported by users. Methods (2) and (3) are more targeted towards specific users and harder to detect. Thus, we chose Method (3) to deliver our Horoscope app.
Step 6: Spying
Spying on users of the Horoscope app consists of going to our Amazon Workspace and clicking on individual devices.
For example, to see where the mobile device is, we simply go to “GPS Pinpointer”. This requests the last known location from the device and shows it on Google Maps.
To look at stored pictures, we use File Voyager to browse the directories “/sdcard/DCIM/100ANDRO” and “/sdcard/DCIM/Camera”.
For this demonstration, we’ve created a simple, contrived spying scenario. But as we’ve described before, spying and stalking have become all too common in the apps we find on enterprise devices. Our example above reflects a broader trend of data collection and spying that constantly invades our privacy and makes our enterprises less secure.
What You Need To Know
The CBC Marketplace program helped illuminate how easy it is for people to unknowingly install apps that collect data from mobile devices — personal data, in the example above, but sensitive corporate data, too, from enterprise users. What steps can enterprises take to minimize if not eliminate such risks? Here’s what we suggest:
Know Your Risks
- Understand how mobile creates new security threats to the enterprise
- Adopt a solution that provides visibility into non-sanctioned sideloaded apps on enterprise devices, as well as visibility into jailbroken iOS and rooted Android devices
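One practical check behind the second point is to ask each device which installer put a package there: apps that arrived through the Play Store report its installer id, while manually installed APKs (such as the horoscope app in this story) do not. The script below is an added example, not Appthority’s or CBC’s code; it assumes the input is the text produced by `adb shell pm list packages -i` on a device attached for inspection, and the sample output, the trusted-installer set and the system-package prefixes are constructed assumptions to adjust per policy.

```python
"""Flag sideloaded Android packages from the output of `adb shell pm list packages -i`."""
import re
from typing import Dict, List, Optional, Tuple

# Installer ids treated as sanctioned stores. Assumption: Google Play only; add OEM stores per policy.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Firmware packages also report installer=null; skip well-known system prefixes so they are
# not reported as sideloads (assumption: extend for the OEMs in your fleet).
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")

# Each pm line looks like: "package:<name>  installer=<installer or null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_package_list(output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when pm printed 'null')."""
    result: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines or unrelated adb chatter
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def find_sideloaded(packages: Dict[str, Optional[str]],
                    trusted=TRUSTED_INSTALLERS) -> List[Tuple[str, str]]:
    """Return (package, installer) pairs not installed by a trusted store, excluding firmware."""
    flagged = []
    for pkg, inst in sorted(packages.items()):
        if inst in trusted:
            continue
        if inst is None and pkg.startswith(SYSTEM_PREFIXES):
            continue  # shipped with the image, not a user sideload
        flagged.append((pkg, inst or "null"))
    return flagged


# Constructed sample of pm output; com.google.android.packageinstaller is what a tap-to-install APK shows.
SAMPLE = """\
package:com.android.settings  installer=null
package:com.google.android.gms  installer=com.android.vending
package:com.example.bankingapp  installer=com.android.vending
package:mydailyhoroscope.android  installer=com.google.android.packageinstaller
package:com.example.devtool  installer=null
"""

if __name__ == "__main__":
    for pkg, inst in find_sideloaded(parse_package_list(SAMPLE)):
        print(f"SIDELOADED {pkg} (installer={inst})")
```

Run it against `adb shell pm list packages -i` output from each enrolled device and feed the flagged list to your remediation policy.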
Actively Manage Risks Present in Your Environment
- Create policies regarding sideloaded apps and jailbroken/rooted devices, and communicate those policies to your users
- Develop remediation steps for detected sideloaded apps and jailbroken/rooted devices, and follow up to ensure that offending apps and devices are no longer able to access internal resources
Prevent Future Risks
- Encourage users to only install apps from approved app stores such as Google Play and Apple’s App Store
- Adopt a solution that allows users to monitor their device health and identify sideloaded apps and other threats immediately
- Develop user education programs so that users know how to avoid risky apps and actions that can compromise their device’s security. Make sure your users watch the CBC show!
The CBC has helped to illuminate some important mobile threats. We hope that people who watched the segment now have a better understanding of what risks can live on their mobile devices, and how to avoid them. To help you take the next step in avoiding mobile risk in the enterprise, we’ve put together a free Guide to Securing Enterprise Data and Employee Privacy from Mobile Threats.