Demo code is available in test environments, not in the wild

Oct 13, 2014 23:37 GMT  ·  By

A simple game for Android devices may include code for gaining root privileges that could be leveraged for extracting data from apps designed for corporate use, a proof-of-concept shows.

Posing as a game, the Trojan asks for permissions out of its league, such as processing calls and recording sound, as well as access to the list of contacts and the text archive.

All this should ring the alarm bells of a potential victim, especially if the game is installed from a non-official app store, or if the Android device is rooted.

Security researchers from Kaspersky encountered the demo piece, created by Lacoon Mobile Security, in a VirusTotal feed and analyzed it, without being aware of its educational nature, or of the fact that it had already been presented, first at Black Hat 2013 and a second time this year, at RSA 2014 Asia in July.

More than 30% of the code of the PoC was for malicious intentions

The “malware” has been dubbed Gomal by Kaspersky, and as per a blog post from Anton Kivva, it is detected as Trojan-Spy.AndroidOS.Gomal.a by their products.

After assessing the code in Gomal, which is not to be found in the wild, the security experts determined that apart from the standard spying functionality like recording sound and stealing short text messages, it also features a set of libraries aiming to collect and exfiltrate information from apps available on the infected device.

In all, “the game code accounts for less than 30% of the executable file's size,” says Kivva in the blog post. “The rest is functionality for spying on the user and stealing personal data,” he added.

Flaw in the analysis

Dissecting the PoC code, the researcher found that the package of libraries also included an exploit that allowed root access on the Android device.

Leveraging this advantage, an attacker could tap into the data created by different apps and upload the information to a command and control server.

Kivva mentioned in the post that an attacker could steal data from the Good for Enterprise app, a secure mobile email and collaboration suite for corporate use.

However, a statement on Lacoon Security’s website reveals that the attack exploited a memory access bug in Samsung Exynos, which was patched more than a year and a half ago; also, not just Good for Enterprise would be affected, but any other mobile app.

Despite the fix for the security flaw that permitted root access, the attack could still be conducted if the device has already been rooted.

Good Technology, maker of Good for Enterprise, is aware of this backdoor and has implemented detection of a rooted device, specifically to prevent access to sensitive content.

Michael Shaulov, CEO of Lacoon Security, said via email that, if properly configured, the app would not launch if this condition is detected on the phone. The two companies have worked together since the initial presentation in 2013 to make the mobile world a safer place for the enterprise.
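As an added illustration, not code from Good Technology, Lacoon or the article, here is a minimal Android root check that a secure container could consult before unlocking its data; the class name, the list of su paths and the `which su` probe are assumptions about how such a gate is built.

```java
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.InputStreamReader;
/** Best-effort rooted-device check gating access to a secure container (hypothetical helper, not Good's code). */
public final class RootGate {
    // Common locations of the su binary left behind by rooting tools (illustrative list, not exhaustive).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su"
    };
    /** Firmware signed with the AOSP test keys indicates a custom or rooted build. */
    static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    /** Checks for an su binary on disk without executing it. */
    static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    /** Asks the shell where su lives; any output line means a hit. */
    static boolean suOnPath() {
        Process p = null;
        try {
            p = Runtime.getRuntime().exec(new String[] {"which", "su"});
            try (BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
                return r.readLine() != null;
            }
        } catch (Exception e) {
            return false; // 'which' missing or not executable: no evidence either way
        } finally {
            if (p != null) p.destroy();
        }
    }
    /** Any single indicator is enough to treat the device as rooted. */
    public static boolean isRooted() {
        return hasTestKeys() || hasSuBinary() || suOnPath();
    }

    /** Policy described in the article: refuse to open the secure container on a rooted device. */
    public static boolean mayOpenSecureContainer() {
        return !isRooted();
    }
}
```

Each indicator on its own is easy to hide from, so a check like this is one layer of defence in depth, to be combined with the behavioral detection the article recommends rather than relied on alone.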

Keeping safe from such an attack

Shaulov told us that creating the Gomal proof-of-concept was far from a difficult task, pointing to a company document detailing an attack against mobile device management solutions.

The stages of the attack consist of publishing the malicious app on a loosely curated repository, exploiting a vulnerability for privilege escalation, leveraging the flaw to get to the sensitive data (such as emails) when it becomes available and sending the information to the attacker.

As an efficient protection measure, Shaulov recommends an antivirus solution that does not rely on signatures alone, but also integrates other forms of detection, such as those based on the behavior of the apps, which can identify suspicious patterns and anomalies.

Also useful is preventing the secure container from launching if the device is found to be infected. A secure container is designed to separate business apps from personal ones on the phone. This would create two environments on the device, where the one intended for business use benefits from increased protection.