Security researchers have uncovered a trifecta of software issues that threaten Android devices, including two that could turn smartphones into spying microphones.
One problem results from a new form of malware which, remarkably, makes phone calls without the user's knowledge. The second comes from a poorly configured in-app advertising network, which demands so many permissions it could easily be exploited by attackers. The third stems from a coding oversight within Android itself.
The malware, a Trojan dubbed MouaBad.p, was disclosed earlier this week by Lookout Mobile Security. MouaBad.p makes calls to premium-rate numbers without user interaction, running up the unsuspecting user's phone bill, but could also be used for real-time audio eavesdropping.
It's the first time a piece of widely distributed malware has had the ability to make secret calls.
The Trojan is pretty sneaky. MouaBad.p makes its secret calls only after the user has activated the lockscreen, and will immediately hang up if the screen is unlocked. Fortunately, its creators haven't figured out how to alter call logs, so a suspicious user would notice unauthorized calls in his recent call history.
It does, however, also send unauthorized SMS text messages to premium-rate texting services, and like other SMS-hijacking Android Trojans, MouaBad.p can erase those secret texts from SMS logs.
It's not clear how MouaBad.p is installed, but many Android Trojans are delivered via infected or corrupted apps found in "off-road" app markets outside the Google Play Store. Users can avoid infection by going into their security settings and making sure "Unknown sources" is deactivated.
Newer versions of Android, beginning with Android 3.2 Honeycomb, are not affected. Lookout's own security app will also block infection.
So far, MouaBad.p has been mainly found in Chinese-language app markets, and its premium-number calling feature won't work outside a user's home country.
Each installation of MouaBad.p reaches out over the Internet to command-and-control servers for updates on which numbers to call or text. Silently dialed phone calls could, of course, transmit any conversation taking place near the Android device to a remote listener or recording device, although MouaBad.p does not seem to be able to record calls itself.
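The detail that matters for a defender is the one Lookout points out: the calls are placed only while the lockscreen is active, and the Trojan cannot scrub the call log. That gives a simple forensic check, shown here as an added Go example written for this article (it is not Lookout's code and not an Android API): correlate a constructed call log with a constructed lock-state timeline and flag outgoing calls that began while the screen was locked. The timeline, the call records and the placeholder phone numbers are all made up for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// ScreenEvent is one lock-state transition from a constructed device timeline.
type ScreenEvent struct {
	At     time.Time
	Locked bool
}

// CallRecord is one outgoing entry from a constructed call log. MouaBad.p does
// not scrub the call log, so these entries survive even though the SMS it
// sends would be erased.
type CallRecord struct {
	Number string
	Start  time.Time
}

// lockedAt reports whether the screen was locked at instant t, given events
// sorted by time. Before the first event the device is assumed unlocked.
func lockedAt(sorted []ScreenEvent, t time.Time) bool {
	locked := false
	for _, e := range sorted {
		if e.At.After(t) {
			break
		}
		locked = e.Locked
	}
	return locked
}

// FlagLockedCalls returns every outgoing call that began while the screen was
// locked. Ordinary calls are not dialled from behind the lockscreen, so such a
// call was placed by software, which is exactly the window MouaBad.p uses.
func FlagLockedCalls(events []ScreenEvent, calls []CallRecord) []CallRecord {
	sorted := append([]ScreenEvent(nil), events...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].At.Before(sorted[j].At) })
	var flagged []CallRecord
	for _, c := range calls {
		if lockedAt(sorted, c.Start) {
			flagged = append(flagged, c)
		}
	}
	return flagged
}

// SampleTimeline is constructed data: three lock-state changes and three
// outgoing calls on the same day. The numbers are placeholders, not real ones.
func SampleTimeline() ([]ScreenEvent, []CallRecord) {
	at := func(h, m int) time.Time { return time.Date(2013, 12, 5, h, m, 0, 0, time.UTC) }
	events := []ScreenEvent{
		{At: at(9, 0), Locked: true},
		{At: at(9, 30), Locked: false},
		{At: at(22, 0), Locked: true},
	}
	calls := []CallRecord{
		{Number: "PLACEHOLDER-PREMIUM-1", Start: at(9, 5)},   // screen locked: flagged
		{Number: "PLACEHOLDER-CONTACT", Start: at(9, 45)},    // user on an unlocked phone
		{Number: "PLACEHOLDER-PREMIUM-2", Start: at(22, 10)}, // screen locked: flagged
	}
	return events, calls
}

func main() {
	events, calls := SampleTimeline()
	for _, c := range FlagLockedCalls(events, calls) {
		fmt.Printf("call to %s at %s began while the screen was locked\n",
			c.Number, c.Start.Format(time.Kitchen))
	}
}
```

On a real device the two inputs would come from the call log content provider and from screen on/off or keyguard events; the correlation itself does not change.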
Lock your home screen, unlock everything else
That's not a problem for the HomeBase software development kit, a software framework created by Widdit Labs of Ramat Gan, Israel, and which enables audio recording — and a whole bunch of other things — by default.
HomeBase allows placement of in-app advertisements, which most "free" Android apps display, and also allows for the creation of a customized app-specific lockscreen. But, as Bogdan Botezatu of Romanian security firm Bitdefender explained in a blog posting, HomeBase demands far too many permissions when an app using HomeBase is installed.
Those permissions include disabling the lockscreen, seizing screen focus from other apps, reading browser history and bookmarks, tracking the device's precise geographic location, reading and receiving SMS text messages, reading contact lists, reordering running apps and reading call logs.
HomeBase seems to run on all recent versions of Android; Bitdefender flags apps containing it in its Clueful privacy-monitoring app.
"Enhance your brand by creating your own background and lock icon," says a Widdit video promoting HomeBase. "You can even use a custom unlock sound."
HomeBase also notices whenever an Android device boots up, a call is placed, an SMS is received or when a third-party app is installed or uninstalled.
"We collect anonymous data about how users interact with the app," notes a posting on the Widdit company blog. "This data includes several variables like install/uninstall ratio, app's retention level, number of times HomeBase [has] been interacted with, HomeBase's customization level and more."
HomeBase is also available in two free consumer apps, Social Feedz Pro and HomeBase Lock Screen, placed by Widdit in the Google Play Store.
A Widdit spokesman defended HomeBase's permissions structure to Computerworld.
"HomeBase does require a relatively high number of permissions in order for it to deliver its full experience in an optimal way," spokesman Noam Mor said. "Our platform is very flexible and allows developers the option to exclude some of the permissions if they wish to request less permissions (but affect functionality)."
Even more seriously, HomeBase uses an unencrypted HTTP link to download updates, which makes it vulnerable to "man-in-the-middle" attacks that could change an update in transit.
To test that theory, Bitdefender researchers staged a proof-of-concept man-in-the-middle attack against a HomeBase update. They were able to install a modified Java file on an Android phone which could, like the Trojan described above, secretly make its own phone calls and send its own text messages.
"The application downloaded ... and executed the malicious code without objection, as it had been granted phone calling and SMS interception permission upon installation," Botezatu wrote. "Most Android-powered devices are mobile and spend most of the time connected on Wi-Fi networks that are untrusted and could potentially be used to automate this kind of attack."
Widdit spokesman Mor told Computerworld that the company would implement secure updates by the end of December, although Botezatu countered that Widdit should also digitally "sign" its updates to prevent malicious updates.
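Botezatu's point is that moving the download to HTTPS and signing the update are two different controls: TLS protects the bytes in transit, while a signature checked against a key pinned in the app lets the device refuse a payload that was altered anywhere between the build server and the phone. The following Go example, added for this article and not Widdit's or Bitdefender's code, shows the weak design (whatever arrives is loaded) beside the signed design (an Ed25519 signature over the payload digest is verified before anything is loaded). Key generation, the payloads and the in-transit replacement are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for a downloaded update: the code
// payload plus a detached signature made with the vendor's private key.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate runs on the vendor's build server: it signs the SHA-256 digest
// of the payload with the vendor's Ed25519 private key.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate runs on the device before any downloaded code is loaded. The
// vendor public key is pinned in the app, so whoever rewrites the payload on
// the way down cannot produce a signature the device will accept.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: malformed signature")
	}
	digest := sha256.Sum256(pkg.Payload)
	if !ed25519.Verify(pub, digest[:], pkg.Signature) {
		return errors.New("update rejected: signature does not match payload")
	}
	return nil
}

// ApplyUnsigned models the weak design the article describes: the client
// trusts whatever the plain-HTTP download returned.
func ApplyUnsigned(pkg UpdatePackage) []byte {
	return pkg.Payload
}

// ReplacePayloadInTransit simulates the proof-of-concept in the article for the
// purpose of the test: the payload is swapped while the signature, if any, is
// left untouched. Both payloads are constructed strings, not real code.
func ReplacePayloadInTransit(pkg UpdatePackage, replacement []byte) UpdatePackage {
	return UpdatePackage{Payload: replacement, Signature: pkg.Signature}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := SignUpdate(priv, []byte("constructed genuine update payload"))
	fmt.Println("genuine update:", VerifyUpdate(pub, genuine))
	tampered := ReplacePayloadInTransit(genuine, []byte("constructed payload swapped in transit"))
	fmt.Println("tampered update:", VerifyUpdate(pub, tampered))
	fmt.Printf("unsigned client would load: %q\n", ApplyUnsigned(tampered))
}
```

The private key never leaves the build server; only the public key ships in the app. Pinning that key (rather than trusting any key the server sends along with the update) is what makes the check meaningful.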
Bitdefender said that HomeBase had been used by more than 1,600 apps in the Google Play Store, although most of those — about 1,100 — were subsequently removed for reasons that Google wouldn't divulge.
No password? No problem
Google may be doing a better job of policing its app market, but it's still letting sloppy code into the Android operating system itself, as Berlin-based security firm CureSec discovered recently.
If an Android user wishes to change a lockscreen unlock credential, such as a password, PIN, pattern lock or face-recognition image, he or she must, naturally, first enter the current credential before changing it to a new one.
In other words, you can't change the password to a new password without first confirming that you know the old password.
CureSec researchers found that a little coding quickly gets around that security barrier, at least in Android 4.0 Ice Cream Sandwich through 4.3 Jelly Bean. (Earlier versions of Android were not tested, but it's likely the flaw exists in those as well.)
The first step of the confirmation process asks the Android OS to check which kind of credential is currently used — a PIN, password, pattern lock or facial capture.
If an attacker — which could be an app on the same device — were to inject "unspecified" as the response to the credential query, then the existing credential would be erased, allowing the attacker to specify a new credential — or none at all — without knowing the old one.
This means, the CureSec blog posting said, that "any rogue app can at any time remove all existing locks."
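The underlying mistake is a fail-open default: the decision to demand the old credential hinges on an answer to "which kind of lock is set?", and an answer the code does not recognise is treated like "no lock". The Go example below is added for this article; it is a model of the logic CureSec describes, not Android's code or its API, and the credential kinds, stored settings and proofs are constructed. It places the lenient flow beside a fail-closed one that cross-checks the reported kind against the stored settings and refuses anything unrecognised.

```go
package main

import (
	"errors"
	"fmt"
)

// CredentialKind is the answer to "which kind of lock is currently set?".
type CredentialKind int

const (
	KindNone CredentialKind = iota
	KindPIN
	KindPassword
	KindPattern
	KindFace
	KindUnspecified // the out-of-range answer the article describes
)

// LockSettings is a constructed stand-in for the stored lock configuration.
type LockSettings struct {
	Kind   CredentialKind
	Secret string
}

// verifies reports whether the supplied proof matches the stored credential.
func (s LockSettings) verifies(proof string) bool {
	return s.Kind != KindNone && proof == s.Secret
}

// ChangeCredentialLenient mirrors the flawed flow: the reported kind decides
// whether confirmation is needed, and any kind the code does not recognise
// falls through to the "no lock set" path, so the old secret is never checked.
func ChangeCredentialLenient(cur LockSettings, reportedKind CredentialKind, oldProof string, next LockSettings) (LockSettings, error) {
	switch reportedKind {
	case KindPIN, KindPassword, KindPattern, KindFace:
		if !cur.verifies(oldProof) {
			return cur, errors.New("current credential not confirmed")
		}
	default:
		// KindNone and anything unrecognised: no confirmation required.
	}
	return next, nil
}

// ChangeCredentialStrict is the fail-closed form: the reported kind must agree
// with what is actually stored, any stored credential must be confirmed, and
// an unrecognised kind is refused rather than treated as "no lock".
func ChangeCredentialStrict(cur LockSettings, reportedKind CredentialKind, oldProof string, next LockSettings) (LockSettings, error) {
	if reportedKind != cur.Kind {
		return cur, errors.New("reported credential kind does not match stored settings")
	}
	if cur.Kind != KindNone && !cur.verifies(oldProof) {
		return cur, errors.New("current credential not confirmed")
	}
	return next, nil
}

func main() {
	cur := LockSettings{Kind: KindPIN, Secret: "1234"} // constructed stored lock
	none := LockSettings{Kind: KindNone}
	got, err := ChangeCredentialLenient(cur, KindUnspecified, "", none)
	fmt.Printf("lenient: kind=%d err=%v\n", got.Kind, err)
	got, err = ChangeCredentialStrict(cur, KindUnspecified, "", none)
	fmt.Printf("strict:  kind=%d err=%v\n", got.Kind, err)
}
```

The strict version keeps the article's stated rule intact: whenever a credential is stored, it must be confirmed before it can be replaced or removed, whatever the caller claims about its kind.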
CureSec informed Google of the flaw on Oct. 11, and lo and behold, the flaw was fixed when the latest version of Android, Android 4.4 KitKat, was released Oct. 31.
But Google then stopped responding to CureSec's emails, and still hasn't patched it in earlier versions of Android, which is why the CureSec team decided to go public with the flaw.
At the moment, there doesn't seem to be any defense against an exploit of this flaw, other than upgrading to KitKat if possible. (Most Android device users must rely on device manufacturers and wireless carriers for upgrades.)