Friday, February 07, 2014

I tried but could not get my phone hacked (without cheating)

In this post, I try to replicate the NBC story where their new phone got hacked in a Russian cafe even before they were finished with coffee. Two new points to add to my previous blog post on the subject:
  1. Richard Engel had to first disable the security settings that would block unknown hostile Android apps, something few users do.
  2. The Google search engine downranks hostile sites, making them hard to find. It's extraordinarily unlikely Richard Engel would've found a virus on his own without being fed specific search terms or a URL.
Knowingly disabling security, then hunting for viruses, rigs the test to the same extent as that Dateline NBC gas tank controversy where they rigged a gas tank to explode.


Here's what I did.


First, I needed to disable the security features of the phone. Normally, Android phones do not allow users to download apps from websites. Instead, it restricts users to the Android Store, where Google checks apps for viruses. To fix this, the phone must be reconfigured to accept apps from other websites.

On my phone (Android 4.0.3) I went to "Settings" then "Security" and then checked "Unknown Sources" (it'll work a little bit different on other versions of Android).


The phone then warns users with this message:



Next, I went searching for viruses, entering all sorts of search terms I could think of that might lead to hostile sites, like "sochi russian porn app". I couldn't find anything. That's because search engines do an excellent job at downranking websites. I tried Google.com, DuckDuckGo.com, and Yandex.ru, and still could not find viruses to infect me.

But, unlike the NBC video, I was searching from the United States. The NBC video claims that the situation is worse when searching from Russia. Luckily, there are apps for that: I didn't need to actually go to Russia physically in order to replicate this.

Your GPS location can be spoofed. I installed the app "Fake GPS", and then added the setting "Mock Location" under "Developer Tools". I then used this app to set my location to the middle of Moscow:


This changes what the location the phone reports to apps, but my IP address still comes from Atlanta, Georgia. To fix that, I installed the app "VPN One Click". I scrolled down the list of countries, and as promised, with a single click on "Connect to Russia" I was now connected through a VPN server in Russia:



This gave me an IP addres of 158.255.1.147, as you can see in the screenshot below, and verify that it is indeed within Russia:


I then confirmed that this would change my browser, and that Google searches would come up with Russian results. I searched for "cafe", and got a list of cafe's around me -- in Moscow:


Unfortunately, I was no more successful at finding hostile websites and viruses than I was searching from America. As far as I can tell, except for things like "cafes" where a person cares about location, there wasn't any significant difference in results.

So I gave up and cheated -- cheating the same way I'm sure Richard Engel cheated. Instead of looking just for Sochi, I went looking for the viruses themselves, like search for "browser update apk", which is a well known virus. I got to a website like this among the various options:


So I hit download. Nothing really happened. Unlike Windows that gives you easy access to what you download, Android doesn't. I had to hunt for the "Downloads" feature by opening the browser's menu:

This is a miner step in the process. I mention it only because there are a lot of steps involved to get yourself infected. Even when an average user wants to get infected, they may need help from an expert to accomplish it.

So selecting "Downloads" from this menu gets me the following list. As you can see, I've already downloaded a few apps that turned out not to be viruses.


I then clicked on the "browser_update_install.apk". The first time I did this Google gave me a warning:

I clicked on "I understand that this app may be dangerous." and then clicked on "Install". This led to the following screen:

This virus is different than the one used in the NBC video ("avito.apk"), which harvested account details and sent them to a Russian set. The goal of this virus is to exploit the permission "Services that cost you money" by making calls to for-pay services. This demonstrates why you should always review permissions of apps, and if they ask for dangerous and unnecessary permissions (like pay calls), you shouldn't install the app.

At this point, I hit "Cancel". While a virus, it's not the same used in the NBC video. I'll wait until I find that virus in order to infect myself and see what happens next.


What I've documented here is this: it's really hard getting your phone infected, even when you are trying to do so on purpose. There are lots of warnings that even the least knowledgeable user will have to ignore. Sure, some innocent users succeed at ignoring the warnings and infecting themselves, but it's not something that will happen to the average person browsing the net with their phone, even in Russia.

To accomplish what was shown in the NBC video, the test had to have been rigged.




By the way, I was using Android 4.0.3 on my NinjaTel phone from DEF CON 20. The NBC video was using Android 4.3 on a new Samsung Galaxy S4. I'm going over WiFi instead of the phone network, which is apparently also how they tested in Russia.


1 comment:

The Idle Mind said...

Anyone using the Amazon App Store is going to have that unknown sources thing already done. It's in their instructions.
http://www.amazon.com/gp/mas/get/android