A simple app can access the SD card, device identifiers and other data

Apr 13, 2012 13:28 GMT

Experts from the Leviathan Security Group released an Android app called “No Permissions” to demonstrate how easily cybercrooks can sidestep permission restrictions and harvest data from devices without the user’s knowledge.

Android users are well aware that whenever an app is installed, a screen pops up and asks them to approve the permissions it requests. However, the application made by the experts requests no permissions, yet it is able to perform certain actions that can easily be classified as malicious.

From a visual standpoint, the application is fairly simple. It only has three buttons: Steal SD Card Contents, Steal App Data, and Upload Identifying Data.

Referring to the first button, Paul Brodeur, the creator of the app, says, “Every application has at least read-only access to the contents of this external storage. ‘No Permissions’ scans the /sdcard directory and returns a list of all non-hidden files.”

Apparently, all those files can be fetched. The worrying part is that the SD card usually stores some of our most private files, including photos, backups, external configuration files, and, in some cases, even OpenVPN certificates.

“Secondly, I can fetch the /data/system/packages.list file to determine what apps are currently installed on the device. From there, I can scan each directory used by those applications to determine whether sensitive data can be read from those directories. In the ‘No Permissions’ app, this functionality returns a list of installed apps and a list of any readable files,” Brodeur wrote.

He believes that by reading the app directories, cybercriminals could find applications with weak-permission vulnerabilities, similar to the ones identified some time ago in Skype.
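For developers who want to check their own app against the weak-permission problem described above, the following added example (not Leviathan's code and not part of the original article) audits a data directory for files that another UID could read or write. It assumes POSIX mode bits on the tree under test; the function names, sample layout and modes are constructed for illustration.

```python
import os
import stat
import tempfile

def world_accessible(root):
    """Map relative path -> (access, dir_listable) for files other UIDs can reach."""
    findings = {}
    if not os.lstat(root).st_mode & stat.S_IXOTH:
        return findings  # no other UID can traverse into the tree at all
    for dirpath, dirnames, filenames in os.walk(root):
        # o+r on a directory lets other UIDs list the file names inside it.
        listable = bool(os.lstat(dirpath).st_mode & stat.S_IROTH)
        # o+x is needed to traverse; prune subdirectories that lack it.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and FIFOs
            access = ("r" if st.st_mode & stat.S_IROTH else "") + \
                     ("w" if st.st_mode & stat.S_IWOTH else "")
            if access:
                findings[os.path.relpath(path, root)] = (access, listable)
    return findings

def build_sample_tree():
    """Constructed sample layout: relative path -> (directory mode, file mode)."""
    root = tempfile.mkdtemp()
    layout = {
        "shared_prefs/settings.xml": (0o771, 0o660),  # private file
        "files/profile.db": (0o751, 0o666),           # world-readable and writable
        "cache/token.txt": (0o700, 0o644),            # o+r, but parent blocks traversal
        "exports/report.csv": (0o755, 0o644),         # readable and discoverable
    }
    for rel, (dmode, fmode) in layout.items():
        d = os.path.join(root, os.path.dirname(rel))
        os.makedirs(d)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(os.path.join(root, rel), fmode)
        os.chmod(d, dmode)
    os.chmod(root, 0o751)
    return root

if __name__ == "__main__":
    for rel, (access, listable) in sorted(world_accessible(build_sample_tree()).items()):
        print(f"{rel}: other={access} listable_dir={listable}")
```

A file in a directory that is traversable but not listable is still reachable by any process that knows or guesses its name, so both kinds of finding should be fixed by removing the "other" bits from the file itself.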

Finally, while device identification data such as IMEI or IMSI can’t be read without permissions, other information such as GSM and SIM vendor IDs, Android IDs, and the kernel version can be accessed.

While without Internet access the data cannot be transferred from the device, there is one network call that doesn’t require any permissions.

“The URI ACTION_VIEW Intent opens a browser. By passing data via GET parameters in a URI, the browser will exfiltrate any collected data. In my tests, I found that the app is able to launch the browser even after it has lost focus, allowing for transmission of large amounts of data by creating successive browser calls,” he explained.

The last thing that must be noted is that while this particular app has three buttons to activate the malicious functions, the actions can be programmed to be executed without user interaction.

Users who are curious about the app’s capabilities can check it out here.
