BALASUBRAMANI MARIAPPAN

Las Vegas — Injecting malicious code into legitimate Android mobile applications can turn smartphones into spyphones with little effort, which could pose a problem for businesses that support BYOD programs, a researcher told the Black Hat security conference.

The learning curve is low: researchers at Kindsight (part of Alcatel-Lucent) with no previous experience with the Android software development kit were able to produce a custom version of the game Angry Birds that ran on an Android phone, says Kevin McNamee, director of security architecture at Kindsight.

The altered app gave access to the device’s GPS, microphone, camera, Wi-Fi radio, email, text messages and contact lists, he says. Attackers can record conversations near the phone, record phone calls and take pictures without the user’s knowledge, and send them to a command-and-control server.

If such an altered application were loaded on a device that connected to a corporate network, it would become a spy node that could scan the network and launch attacks. The malicious code can be updated after it is installed on the phone to target specific vulnerabilities it finds in the network, he says.

“It’s a remote-access Trojan in the phone, and I think it’s pretty scary,” McNamee says. The weakness that allows this is related to the Android master-key flaw that was discussed at a separate Black Hat briefing.

Called DroidWhisper, the code was dropped into a legitimate copy of Angry Birds, taking advantage of the fact that Android does not rigorously check the certificates used to sign applications, McNamee says.

Getting the app on a phone in the first place is a challenge but it could be met with clever spear phishing, he says. In the case of the Angry Birds app, an email advertising a free version of the game with a link to a site to download it could draw in the target.

The malicious component runs in the background and starts automatically when the device is rebooted, so it is always available even when the game itself is not running. The rebuilt app is then signed with a digital certificate, which can be self-signed. “Any certificate will do,” he says.

DroidWhisper uses standard Android APIs to gain access to services on the device. The original legitimate app is unpacked into its components with the Android application package tool, then rebuilt with DroidWhisper added, McNamee says.
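The practical consequence of “any certificate will do” is that a repackaged app is signed by someone other than the original publisher, and it usually carries new permissions and a boot-started component that the original never declared. The following triage script is an added example written for this article, not Kindsight’s DroidWhisper code or anything from the briefing. It diffs the decoded manifest of a known-good release against a suspect APK and compares the two signer fingerprints. It assumes both AndroidManifest.xml files have already been decoded to plain XML (as apktool produces) and that the SHA-256 signer fingerprints were obtained separately, for example with `apksigner verify --print-certs`; the package names, component names, manifests and fingerprints below are all constructed for the example.

```python
"""Triage check for a repackaged Android app (added example, not DroidWhisper).

Assumes two AndroidManifest.xml files already decoded to plain XML (apktool
output) and two signer SHA-256 fingerprints obtained separately.  All names,
manifests and fingerprints here are constructed for the example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS          # ElementTree key for android:name
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Permissions that give a repackaged game spyphone capabilities:
# location, audio, camera, SMS, contacts, phone state and boot persistence.
SPY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def manifest_profile(xml_text):
    """Return the permissions, components and boot-triggered receivers a
    decoded manifest declares."""
    root = ET.fromstring(xml_text)
    profile = {
        "permissions": {e.get(NAME) for e in root.iter("uses-permission")},
        "components": set(),
        "boot_receivers": set(),
    }
    app = root.find("application")
    if app is None:
        return profile
    for tag in ("activity", "service", "receiver"):
        for comp in app.iter(tag):
            profile["components"].add((tag, comp.get(NAME)))
    for recv in app.iter("receiver"):
        # A receiver registered for BOOT_COMPLETED restarts the payload on reboot.
        if BOOT_ACTION in {a.get(NAME) for a in recv.iter("action")}:
            profile["boot_receivers"].add(recv.get(NAME))
    return profile


def diff_apks(good_manifest, suspect_manifest, good_signer, suspect_signer):
    """Compare a suspect APK against the known-good release; return a list
    of findings (an empty list means no repackaging signal)."""
    good = manifest_profile(good_manifest)
    bad = manifest_profile(suspect_manifest)
    findings = []
    # A repackaged APK has to be re-signed by someone other than the publisher,
    # so a changed signer is the strongest single signal.
    norm = lambda fp: fp.replace(":", "").lower()
    if norm(good_signer) != norm(suspect_signer):
        findings.append("signer changed: %s -> %s" % (good_signer, suspect_signer))
    for perm in sorted((bad["permissions"] - good["permissions"]) & SPY_PERMISSIONS):
        findings.append("added sensitive permission " + perm)
    for tag, name in sorted(bad["components"] - good["components"]):
        findings.append("added %s %s" % (tag, name))
    for recv in sorted(bad["boot_receivers"] - good["boot_receivers"]):
        findings.append("new boot-persistent receiver " + recv)
    return findings


# Constructed manifest for a hypothetical game package "com.example.birds".
GOOD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.birds">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Birds">
    <activity android:name="com.example.birds.MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# The same game rebuilt with spy permissions, a background service and a
# boot receiver (hypothetical "com.example.whisper" component names).
SUSPECT_MANIFEST = GOOD_MANIFEST.replace(
    '  <application android:label="Birds">',
    """  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Birds">
    <service android:name="com.example.whisper.SpyService"/>
    <receiver android:name="com.example.whisper.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>""")

# Constructed SHA-256 signer fingerprints standing in for apksigner output.
GOOD_SIGNER = "3c5e9a1b7d2f4e8c6a0b9d3f1e5c7a2b4d6f8e0a1c3b5d7f9e2a4c6b8d0f1a3c"
SUSPECT_SIGNER = "e8c1a74f0b3d9e5c2a6f8b1d4c7e0a3f5b9d2c6e8a1f4b7d0c3e6a9f2b5d8c1e"

FINDINGS = diff_apks(GOOD_MANIFEST, SUSPECT_MANIFEST, GOOD_SIGNER, SUSPECT_SIGNER)

if __name__ == "__main__":
    for finding in FINDINGS:
        print(finding)
```

The signer comparison is the check to keep even if the manifest diff is empty: Android only verifies that an update is signed with the same key as the app already installed, not that the key belongs to the publisher, so a clone that reuses the original permission set and hides its code in existing components would pass the manifest diff but still show a foreign signer. Pin the publisher’s certificate fingerprint from a copy obtained through Google Play and treat any mismatch as a repackaged build.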

Such an espionage application could be caught by anti-virus software that looks for its communications with the command-and-control server, he says.

A modified legitimate application would have to be distributed through a third-party application store or a similar channel, because it could not be posted to Google Play, where the actual legitimate app is available, he says.

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at tgreene@nww.com and follow him on Twitter at @Tim_Greene.