Craig Young's POC malware bypassed all security detection

These days mobile malware has become much harder to detect than two years ago, and everyone is noticing. The latest is Craig Young, from nCircle's VERT team (read his blog DEFCON SNEAK PEEK: HOW RISKY IS GOOGLE APPS FOR YOUR BUSINESS and, if you missed it, check out his talk at DEFCON 21, Android WebLogin: Google's Skeleton Key).

Note: Craig Young is from the nCircle VERT team (now the Tripwire VERT team) and has reported many vulnerabilities over the years. Full disclosure: Mike Murray created the VERT team in 2004, and I used to work on the team, where we discovered many vulnerabilities and did a bunch of hacking together.

The short version of the story is that Craig created a POC malicious Android application and uploaded it to the Google Play market. He priced the app at $150.00 (to discourage people from actually purchasing it). The funny thing is that the app description clearly said that the application would be "completely compromising your privacy" and discouraged everyone from downloading it. Here is the screenshot if you missed it:

[Screenshot: the app's Google Play description]

The long and short of the story is that Google not only accepted the app in the Android App Store, but it took them a MONTH to block it.

The interesting thing is that this simple application (you can find the binary here) is as simple as my BSides Las Vegas demo APK file. The program has just one activity, which is not recognized as malicious by any of the APK analyzers that Craig tried. Before he wrote to me and requested to join our BETA program, he had already tried Lookout, AVG, Trend, Sophos, Avast and Anubis, which are among the most popular antivirus and analysis platforms.

[Screenshot, 2013-08-21: detection results from the analyzers Craig tried]

This morning, I received another email from him because he really wanted to know the detection result for Trustlook's platform before heading to another security conference. Here is the detection result from Craig's DEFCON presentation.

To be honest, when I loaded his application on our platform it crashed. I reversed the app's binary and found that it needs Google Apps, because it reads your device account and then tries to authenticate to finance.google.com. Based on Google's policy, we cannot load those apps in our virtualized cloud-sandbox environment. I had to hack a real phone, load Trustlook's ROM and then load Google Apps to make it legal. So, that's what I did.

To make a long story short, here is the detection result we had for the binary: High Risk (7/10), which is the threshold at which Trustlook recommends that an application really is too risky to be used by anyone. Below are some screenshots:

[Screenshot, 2013-08-21: Trustlook detection result, High Risk (7/10)]

Here is the risk summary. In the list of risky behaviors, you can see that the application steals user account information, reads the device browser's private data and manipulates browser settings. (WTF, a spelling error, s/provoider/provider/? Our dev team just fixed it.)

[Screenshot, 2013-08-21: risk summary]

Here is one of the most suspicious behaviors, and it looks strange to me: Craig's application steals the user's account information over SSL and sends it to an external server.

[Screenshot, 2013-08-21: account information sent over SSL to an external server]

If any of the users who installed this (or Google, before they approved it) had been using Trustlook, they'd have detected Craig's malicious application instantly.

Note: The detection result we had is not perfect, as we are still in a private BETA and there are a lot of features that need to be implemented and many bugs that need to be fixed. If you find anything wrong, please feel free to write us an email (info@trustlook.com) or post on our Facebook wall.
