Hackers are always coming up with ingenious ways to trick people into giving away information, or into getting malware on their systems. As smartphone attacks are a relatively new phenomenon, there are some particularly novel techniques on show, both from ethical hackers and malicious ones.
Exempli gratia: researchers at FireEye have discovered that Android malware could be used to modify app icons so that, instead of opening the expected application, they take the user to a phishing page. Phishing sites are those awful things that look legitimate and ask for login information, which then gets passed on to a crook.
One of the worrying things about the malware is that its permissions were ranked as “normal”, meaning it didn’t appear to do anything nasty at all. In Android 4.4.2, the latest version of Google’s mobile OS, if an app only has normal permissions, the user won’t be told about them.
FireEye discovered two such permissions, known as “read settings” and “write settings”, could be used to alter other apps’ icons. They confirmed their hypothesis with an attack on a Nexus 7 device with Android 4.4.2. They also realised a Nexus 7 with CyanogenMod 4.4.2, a Samsung Galaxy S4 with Android 4.3 and an HTC One with Android 4.4.2 would all be vulnerable too.
Thankfully, Google has created a patch that its phone manufacturer partners have been urged to issue so users are kept safe. Unfortunately, these partners aren’t always too quick at giving users the right protection even when Google has made it easy for them.
In this case, it appears some of those phone makers, who shall remain nameless, have not exactly rushed to kill the fake icon problem. “Many android vendors were slow to adapt security upgrades. We urge these vendors to patch vulnerabilities more quickly to protect their users,” FireEye said in its blog post.
The issue is not entirely new, either. Before Android 4.2, one kind of permission, called “install shortcut”, that allowed an app to create icons was ranked as normal. That’s fairly startling, as it means any user running 4.1 or below could be downloading bad apps without knowing those apps have the power to create dodgy icons on their homescreen.
Whether malware changes icons or creates new ones, the impact would be the same, namely that scores of users might be duped out of passwords.
Such malware would also be rather difficult to detect, given it abuses normal permissions, rather than those rated “dangerous”. Most rogue apps that hit the official markets rely on user ignorance, hoping they’ll agree to obviously intrusive permissions because they’re desperate to get hold of the software. But for icon-altering malware, any user could be tricked, regardless of how security-aware they are.
Indeed, if it’s been possible to carry out this kind of attack for years, it’s likely malicious actors have caught on and gotten away with it. The sooner this kind of loophole is closed off by typically slack hardware makers, the better.
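Because the permissions described above are never shown to the user, the place to catch them is the app manifest during vetting. The check below is an added example, not code from FireEye or Google. It assumes the manifest has already been decoded to text XML, and that the article's “read settings”, “write settings” and “install shortcut” correspond to the AOSP launcher permission strings named in the comments; the sample manifests are constructed.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: the article's "read settings", "write settings" and "install
# shortcut" map to com.android.launcher.permission.READ_SETTINGS, WRITE_SETTINGS
# and INSTALL_SHORTCUT. Vendor launchers use their own package prefix, so match
# on the suffix rather than on one exact string.
LAUNCHER_PERM = re.compile(
    r"\.launcher\d*\.permission\.(READ_SETTINGS|WRITE_SETTINGS|INSTALL_SHORTCUT)$"
)

def launcher_permissions(manifest_xml):
    """Return the sorted launcher permissions a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if LAUNCHER_PERM.search(name):
            found.add(name)
    return sorted(found)

def verdict(manifest_xml):
    """Classify an app by how much control over home-screen icons it asks for."""
    kinds = {LAUNCHER_PERM.search(p).group(1) for p in launcher_permissions(manifest_xml)}
    if {"READ_SETTINGS", "WRITE_SETTINGS"} <= kinds:
        return "review: can read and rewrite launcher icon entries"
    if kinds:
        return "note: requests " + ", ".join(sorted(kinds))
    return "ok"

# Constructed sample manifests (not taken from any real app).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.android.launcher.permission.READ_SETTINGS"/>
  <uses-permission android:name="com.android.launcher.permission.WRITE_SETTINGS"/>
</manifest>"""

# android.permission.WRITE_SETTINGS is the unrelated system-settings permission.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, "->", verdict(xml))
```

Many legitimate apps request the shortcut permission, so a hit is a prompt for manual review of what the app does with its icons, not a malware verdict.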