Have you ever jumped into a limo only to realise it was doubling up as a security lab? No? We hadn’t, but today TechWeekEurope did just that, getting into the back of a somewhat seedy vehicle, complete with blacked-out windows, vinyl seating, swirling disco lights embedded into the roof and two researchers looking, and probably feeling, awkward.
As we took off from TechWeekEurope’s Soho headquarters for a brief trip around London on a balmy spring afternoon, Leonard demonstrated how a malicious Android app could be created in just 10 minutes. Bringing up an Android Eclipse SDK on the LCD screen, he produced a fake antivirus app in super quick time, cunningly calling it Awesome AV Scanner. If it’s called Awesome, who wouldn’t download it, right? It looked relatively convincing too, what with its star rating feature and the option to register the service. Once the user clicked on that register service, the app would crash.
“This gives us a brilliant opportunity to inject whatever we want, like malicious downloads maybe from a third-party marketplace or from some other location,” Leonard said. He then moved to create a new malicious app, which looked the same but would seek to acquire data by duping the user within the application.
“All I need to do is create a new script that utilises the registration click feature. All I’m using is preset environments and functions within the Android SDK. As a prerequisite for this demo, I got hold of some open source software that’s freely available, anyone can do this,” he added.
The second rogue app lets people go through the registration stage – possibly hoping this new app would be better than the one that crashed – where they will be asked for a password. Once they’ve done that, they’ve most likely handed over the keys to their other online services, like internet banking and email accounts, given how slack many are with their web identities, Leonard said.
If a hacker could get both apps onto a user’s phone, there would be serious repercussions for whoever their employer was too. Getting one nasty app on a user’s device can mean information held by other apps is under threat. “Now we’ve got a foothold into their environment. These things offer an open door into corporate security networks,” Leonard added. “My application can now be parsing the phone, I can look at all of the APKs [application package files] that are installed and then I can find the ones I’m interested in and get hold of additional pieces of data from other apps.”
“You can get code that sends out a fake access point, you do wonder if you could send out several million,” hypothesised Leonard’s co-worker Spencer Parker, group product manager at Websense.
Leonard proffered another idea. “I’ve heard of people driving very slowly past hotspots to pick up people’s credentials,” he added. Isn’t that what Google did, albeit accidentally, not so long ago? It seems there are multiple dimensions to the term “mobile security”.
Anyway, if you’re a minted cyber criminal who likes the smuttier, more lavish things in life and your hacking vehicular, get yourself a limo, a couple of hotspots and start stealing data in luxury.
DISCLAIMER:
TechWeekEurope would never advocate or condone data theft. Even if done in a cool way, with 50 Cent blasting out of your subwoofers and neon lights reflecting off your bling. Innit.