SAN FRANCISCO — Many connected-car Android apps are so easy to hack that they could let cybercriminals steal cars, two researchers from Moscow-based Kaspersky Lab said yesterday (Feb. 16) at the RSA Conference here.
"With a mobile phone, you can start the engine, unlock the doors, track the location and even drive without keys," Kaspersky's Victor Chebyshev said. "For criminals, it's like winning the lottery."
Chebyshev and his colleague Mikhail Kuzin found several ways in which malware could hijack the functions of a legitimate automotive remote-control app, though they stressed that they had heard of no such attacks in real life.
Carmakers should fix this by adopting the safeguards the banking industry used to successfully stop the spread of banking Trojans that infected online banking apps, they said. Car owners, for their part, can make sure their phones run a recent version of Android and are not "rooted," and can install and use Android antivirus software.
"An app that contacts an expensive thing like a car should be not less protected than a banking app," Chebyshev said.
One top-tier carmaker — Chebyshev and Kuzin wouldn't name names — stored the legitimate user's username and password in plaintext, they said. A malicious app with root privileges would be able to read those credentials and transmit them back to a criminal using a hidden text message or email. The criminal could then use the same app on his own device to unlock or even start the car.
"Forty percent of widespread Android malware escalates to root privileges," Chebyshev said. Yet, the researchers said, many banking apps detect when a phone has been rooted and won't run if it is.
Other common attacks on Android apps include screen overlays, in which a malicious app draws a fake login screen over the real one. The user unknowingly logs into both apps at once, and the malicious one captures the credentials and sends them out. Banking apps counter this with foreground app control, that is, by preventing other apps from drawing over their screens.
Almost all Android apps can also be taken apart and then put back together again, or decompiled and recompiled, Kuzin explained. It's common for malware and adware distributors to recompile popular apps after having secretly added a bit of extra code that hijacks a phone, sends out premium-rate text messages or injects ads into web pages.
Connected-car apps are no different: a criminal could inject password-stealing malware into a car app, then put it up on a third-party app store that Google doesn't control. Such a "turned" app might not even need to steal passwords, as it could be controlled remotely by a cybercriminal. Banking apps, by contrast, run integrity self-checks to make sure their own code has not been altered.
Responding to a question from Tom's Guide, Kuzin said that inclusion in Google Play is no guarantee that an app is safe.
"We see many banking Trojans that act in a similar way in the Play Store," he said.
Getting a car owner to install a malicious app isn't hard, at least in Russia, Chebyshev explained. Because parking is so hard in many Russian cities, drivers often double-park, then leave a note with their phone number under the windshield in case a blocked-in car needs to get out.
All it would take would be a malicious link in a text message or WhatsApp message to lure the victim to a website that installed the malicious Android app.
Chebyshev and Kuzin tried their three main attack techniques on seven connected-car apps tied to nine different cars, and every app failed in one way or another. The pair contacted the carmakers involved, who, they said, reacted positively and were working to fix the problems.
Because of the fractured nature of the Android ecosystem, millions of phones worldwide are still running Android 4.4 KitKat, introduced in October 2013, or earlier. Such devices are vulnerable to many more attacks than phones running later versions of Android.
But even newer models face more threats every time Google releases an Android system patch and details the vulnerabilities the patch fixes — vulnerabilities that will take months to fix on many non-Google Android phones.
"It's almost impossible to fix all the bugs in such a complicated device as an Android phone," Kuzin said.