Android app security was challenged from all sides this week with malware exposing one million Google accounts, a new class of Android Trojan and vulnerabilities in a popular app putting tens of millions more at risk.
A malware campaign discovered by Check Point Software called Gooligan breached the security of more than one million Google accounts by stealing authentication tokens that could be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive and more. However, despite the risk to Google accounts, Adrian Ludwig, director of Android security at Google, said the aim of the campaign was not to access account data.
"Since 2014, the Android security team has been tracking a family of malware called Ghost Push, a vast collection of 'potentially harmful apps' that generally fall into the category of 'hostile downloaders.' These apps are most often downloaded outside of Google Play and after they are installed, Ghost Push apps try to download other apps," Ludwig wrote on Google+. "The motivation behind Ghost Push is to promote apps, not steal information, and that held true for this variant."
Rather than use the Google account tokens to access user data, the Gooligan malware will download specific apps from the Google Play Store in order to generate ad revenue and then leave a positive app review on Google Play in order to raise an app's profile.
The Check Point Research Team said in a blog post that it found more than one million compromised Google accounts.
"Gooligan potentially affects devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which is over 74% of in-market devices today. About 57% of these devices are located in Asia and about 9% are in Europe," Check Point wrote. "We found traces of the Gooligan malware code in dozens of legitimate-looking apps on third-party Android app stores. Gooligan-infected apps can also be installed using phishing scams where attackers broadcast links to infected apps to unsuspecting users via SMS or other messaging services."
Ludwig confirmed that Google has updated the Verify Apps portion of Google Play services to identify Gooligan malware if a user tries to install an infected app; removed apps associated with Gooligan from Google Play; and revoked the authentication tokens for compromised Google accounts.
A new Android Trojan and AirDroid vulnerabilities
Cong Zheng and Tongbo Luo, mobile security researchers for Unit 42 at Palo Alto Networks, identified a new class of Android Trojan, called PluginPhantom, that they say "is the first to use updating and to evade static detection" by leveraging the Android plug-in technology.
"It abuses the legitimate and popular open source framework DroidPlugin, which allows an app to dynamically launch any apps as plug-ins without installing them in the system. PluginPhantom implements each element of malicious functionality as a plug-in, and utilizes a host app to control the plug-ins. With the new architecture, PluginPhantom achieves more flexibility to update its modules without reinstalling apps," Zheng and Luo wrote in a blog post. "PluginPhantom also gains the ability to evade the static detection by hiding malicious behaviors in plug-ins. Since the plug-in development pattern is generic and the plug-in SDK can be easily embedded, the plug-in architecture could be a trend among Android malware in the future."
Ryan Olson, intelligence director of Unit 42 at Palo Alto Networks, said this new method is dangerous "because it's more stealthy and dynamic."
"By keeping the malicious code off the system it can evade static detection. Additionally, the update capabilities give it a degree of nimbleness and flexibility that more traditional Android malware lacks," Olson said. "This particular attack method isn't specific to any versions of Android."
Olson said for both Gooligan and PluginPhantom threats, the key to Android app security for users is to only download apps from the Google Play Store and to avoid third-party app stores or sideloading apps.
However, even apps in the Google Play Store can have security issues, as enterprise mobile security company Zimperium proved with its disclosure of vulnerabilities in AirDroid, a popular remote management tool for Android.
AirDroid has between 10 and 50 million downloads, according to the Google Play Store. Zimperium said the vulnerabilities in the app have left tens of millions of users exposed to man-in-the-middle (MitM) attacks.
Zimperium said in a blog post that "a malicious party could perform an MitM network attack and grab the device authentication information."
"AirDroid relies on insecure communication channels in order to send the same data used to authenticate the device to their statistics server. Such requests are encrypted with [data encryption standard] however the encryption key is hardcoded inside the application itself (thus known to an attacker)," Zimperium wrote. "Any malicious party on the same network of the target device could execute a man-in-the-middle attack in order to obtain authentication credentials and impersonate the user for further requests."
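The weakness Zimperium describes, shown as an added illustration that is not AirDroid's code and not from the original article: a device report "encrypted" with DES under a key compiled into the app and sent over plain HTTP, beside the hardened form that relies on TLS for confidentiality and server authentication and keeps device credentials out of the statistics request. The class, method and host names are hypothetical.

```java
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.HttpsURLConnection;

public class DeviceReporter {
    // WEAK PATTERN (hypothetical, modelled on the disclosure): a DES key baked
    // into the APK. Every copy of the app carries the same key, so the cipher
    // gives no confidentiality against anyone positioned on the network path.
    private static final byte[] HARDCODED_KEY =
            "8bytekey".getBytes(StandardCharsets.US_ASCII); // constructed value

    static void sendWeak(String deviceAuthJson) throws Exception {
        Cipher des = Cipher.getInstance("DES/ECB/PKCS5Padding");
        des.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "DES"));
        byte[] body = des.doFinal(deviceAuthJson.getBytes(StandardCharsets.UTF_8));
        // Cleartext HTTP: no server authentication and no transport integrity.
        HttpURLConnection c = (HttpURLConnection)
                new URL("http://stats.example.invalid/report").openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        try (OutputStream os = c.getOutputStream()) { os.write(body); }
        c.getResponseCode();
    }

    // HARDENED PATTERN: TLS supplies confidentiality and authenticates the
    // server; the statistics endpoint receives only statistics, never the
    // device authentication data. Pair this with an Android Network Security
    // Config that sets cleartextTrafficPermitted="false" so a regression to
    // http:// fails at runtime instead of silently leaking.
    static void sendHardened(String statsJson) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection)
                new URL("https://stats.example.invalid/report").openConnection();
        c.setRequestMethod("POST");
        c.setRequestProperty("Content-Type", "application/json");
        c.setDoOutput(true);
        try (OutputStream os = c.getOutputStream()) {
            os.write(statsJson.getBytes(StandardCharsets.UTF_8));
        }
        if (c.getResponseCode() != 200) {
            throw new IllegalStateException("report rejected");
        }
    }
}
```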
A potentially controversial point of the disclosure by Zimperium was the release of the proof-of-concept (POC) exploit code despite the vulnerabilities not being patched in AirDroid.
Zimperium originally disclosed the issues to Sand Studio, developer of AirDroid, on May 24, 2016. The vendor acknowledged the vulnerabilities on May 30 and released version 4.0 of the app Nov. 28 and version 4.0.1 on Dec. 1, but both new versions of the app were still vulnerable.
Simone Margaritelli, principal security researcher at Zimperium zLabs, told SearchSecurity, "After waiting six months for a fix, sharing the POC should put some pressure on the vendor and hopefully this will lead to a quick and real fix for the vulnerabilities."
Matt Rose, global director of application security strategy at Checkmarx, said he was wary about Zimperium releasing the exploit code.
"The reasoning here is that it is a real issue and consciously being ignored then by the vendor and releasing the actual code would push them to acknowledge and remediate the issue and was necessary. However, if the vendor was contacted and they acknowledged the issue and said it was being addressed immediately then I would not support the release of the exploit code," Rose told SearchSecurity. "In this example it is irresponsible in my professional opinion and is being used to promote Zimperium's capabilities and not protect the provider or the end users."
The AirDroid team responded in a blog post and said they "expect to start to roll out an update within two weeks."