Two years ago the well-known Android security expert Jon Oberheide of Duo Security broke the Android Market and showed how malicious code can be distributed through application updates.
After Google Play gained Bouncer, an antivirus and emulator for testing newly submitted applications, he analyzed these tools and showed how they can be bypassed. Now colleagues of Jon Oberheide from the universities of Hanover and Marburg (Germany) have published a new study that continues the theme of why malware loves the Android platform. The report, "Why Eve and Mallory Love Android: An Analysis of Android (In)Security", is devoted to finding examples of incorrectly implemented SSL/TLS in Android applications.
The authors show that the Google Play catalog contains thousands of applications with serious errors in their SSL/TLS implementation, which leaves them vulnerable to man-in-the-middle (MITM) attacks and gives an attacker access to users' private information. One of the common mistakes is a validation routine that does not check the SSL certificate at all, left in the application code after debugging. As a result, the application accepts any SSL certificate, or a certificate issued for any host.
The researchers wrote a proof-of-concept tool, MalloDroid, as an extension of Androguard, a framework for reverse engineering Android applications. MalloDroid looks for applications that support HTTPS and automatically scans them for potentially vulnerable SSL/TLS code. They analyzed 13,500 popular free applications from Google Play; MalloDroid raised warnings for 1,074 of them, that is 8%.
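As an added illustration (not part of the original article, and not MalloDroid's or Androguard's own code), the following Python script approximates the two ideas above: it first checks whether an app's decompiled source uses HTTPS at all, and only then scans it for the certificate-validation mistakes the study describes, namely an empty checkServerTrusted, a hostname verifier that always returns true, and the permissive ALLOW_ALL_HOSTNAME_VERIFIER constant. The Java snippets embedded in it are constructed samples, and the regular-expression heuristics are an approximation of my own, not the study's actual rules.

```python
import re

# Constructed samples of decompiled Android code (not from any real app).
# The first contains the debugging leftovers the study describes: a
# TrustManager that accepts every certificate and a HostnameVerifier that
# accepts every host.
VULNERABLE_SRC = """
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
} };
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
"""

# The second delegates to the platform's default TrustManager and adds a
# public-key pin on top, so no heuristic should fire.
SAFE_SRC = """
HttpsURLConnection conn = (HttpsURLConnection) new URL("https://api.example.invalid/").openConnection();
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    defaultTm.checkServerTrusted(chain, authType);
    if (!pinnedKey.equals(chain[0].getPublicKey())) {
        throw new CertificateException("public key does not match pin");
    }
}
"""

# The third never speaks HTTPS, so MalloDroid-style triage skips it entirely.
PLAIN_HTTP_SRC = """
HttpURLConnection conn = (HttpURLConnection) new URL("http://example.invalid/").openConnection();
"""

# Does the code use HTTPS or TLS sockets at all?
HTTPS_MARKERS = re.compile(r"https://|HttpsURLConnection|SSLSocket|SSLContext")

# Heuristics for the validation mistakes the study describes (my own
# approximation of the patterns, not MalloDroid's actual rules).
CHECKS = {
    # checkServerTrusted with an empty body: every chain is "trusted"
    "empty_checkServerTrusted": re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}"),
    # getAcceptedIssuers returning null is the usual companion of the above
    "getAcceptedIssuers_returns_null": re.compile(
        r"getAcceptedIssuers\s*\(\s*\)\s*\{\s*return\s+null\s*;\s*\}"),
    # HostnameVerifier.verify that unconditionally returns true
    "hostname_verifier_returns_true": re.compile(
        r"\bverify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
    # Apache HttpClient's permissive verifier constant
    "allow_all_hostname_verifier": re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
}


def uses_https(src):
    """True if the source shows any sign of TLS use."""
    return HTTPS_MARKERS.search(src) is not None


def scan_app(src):
    """Triage one app: report whether it uses HTTPS and which vulnerable
    patterns were found. Apps without HTTPS are not scanned, mirroring the
    study's two-step approach (find HTTPS users, then scan them)."""
    if not uses_https(src):
        return {"uses_https": False, "findings": []}
    findings = [name for name, rx in CHECKS.items() if rx.search(src)]
    return {"uses_https": True, "findings": findings}


def scan_catalog(apps):
    """Scan a dict of app name -> source. Returns the flagged app names and
    the share of HTTPS-using apps that received a warning."""
    results = {name: scan_app(src) for name, src in apps.items()}
    https_apps = [n for n, r in results.items() if r["uses_https"]]
    flagged = [n for n in https_apps if results[n]["findings"]]
    share = len(flagged) / len(https_apps) if https_apps else 0.0
    return flagged, share


if __name__ == "__main__":
    catalog = {"vuln_app": VULNERABLE_SRC, "safe_app": SAFE_SRC, "plain_app": PLAIN_HTTP_SRC}
    for name, src in catalog.items():
        print(name, scan_app(src))
    print(scan_catalog(catalog))
```

Running the script flags only the first sample, with all four patterns, and reports that half of the HTTPS-using apps in the constructed catalog drew a warning. Regular expressions over decompiled text are a coarse filter: a real tool works on the app's bytecode and, as the study did, follows static triage with manual verification, because a permissive TrustManager may be dead code or may sit on a code path that never handles sensitive data.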
The German experts emulated a MITM attack through a WiFi access point with an SSL proxy. Depending on the type of vulnerability under test, the proxy presented either a self-signed certificate or a certificate issued by a trusted certification authority but for a different host. They manually checked a random sample of 100 of the programs flagged by MalloDroid, and the result exceeded all expectations. They managed to capture credentials and credit card data for American Express, Diners Club, PayPal, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, IBM Sametime and various remote servers, as well as bank account numbers, mailbox passwords, cloud hosting credentials and more. In total, 41 of the 100 applications were vulnerable.
For example, in one antivirus application the researchers were able to forge the automatic antivirus update by injecting a false virus signature, after which they could neutralize the antivirus and remove any application from the device, including the antivirus itself. The study's authors say that malicious code can easily be injected into such a device, and this antivirus is used by more than 500 thousand people!
According to the experts, the problem is that Android application developers, like web developers, often struggle to implement SSL competently. Although the built-in browser warns about incorrect certificates, the danger still exists. The authors recommend integrating MalloDroid directly into the installation of Android application packages.