Using a custom-made trojanized Android app, the mobile experts at app risk management company Appthority have discovered a way to steal authentication tokens and gain access to the accounts of some of the most widely used services, including Google, Facebook, and Twitter.
It is easy too, Kevin Watkins, co-founder and CTO of Appthority, told SCMagazine.com on Thursday. Although in his tests he created a trojanized version of Flappy Bird to capitalize maliciously on the success of the no-longer-available game, he said any app can be used.
The attack begins by compromising an Android mobile device with the malware-laced app, which could be done via spear phishing emails, drive-by attacks, or by simply uploading the rogue app into the Google Play store, Watkins said.
Upon running the app, the malware will stealthily begin detecting if the device has been rooted, or jailbroken, and will then go about carrying out the rooting process if the device is still in its untouched settings, Watkins explained.
“The easiest way is to get physical access to the device and install [the rogue app] that way,” Watkins said. “I don't even have to root it at that point.”
Next, the rogue Android app goes about looking for the authentication tokens, which are emailed to the attacker upon discovery, Watkins said, explaining the attacker is then able to import those tokens into an emulated version of Android and pull up the accounts, granted the attacker has the victim's username.
The attack is particularly surprising because it bests Google's two-factor authentication, Watkins said, explaining he was able to gain full access to those accounts.
The attack is so simple because the authentication tokens are notoriously easy to access on Android devices, Watkins said, adding he considers this more of a design flaw, since authentication tokens were implemented as is to make authenticating easier and more efficient.
Watkins said there has been community discussion on how to mitigate this issue, but aside from making authentication tokens harder to access, Android users will have to exercise a lot of common sense.
“You have to be wary of where you get your apps from,” Watkins said. “Keeping devices updated will make it harder to root. Also, watch your device. If I have physical access I can connect with USB and it makes it that much easier.”