FireEye has reported that it recently spotted an malicious Android application that could modify the icons of other Apps on the users Android smart phone or tablet. Once they modified the icons, if and when they were clicked by the smart phone user, the user would be sent to a phishing website.
The blog report on FireEye written by security researchers Hui Xue, Yulong Zhang and Tao Wei says that the malicious App abused a set of permissions to modify the configuration settings of the Android’s default launcher and the icons.
The malware is abusing a set of permissions known as “com.android.launcher.permission.READ_SETTINGS” and “com.android.launcher.permission.WRITE_SETTINGS.”
As per the FireEye researchers, the above two permissions have long been classified as “normal,” a designation give to application permissions thought to have no malicious possibilities. Hence these permissions are not included in the standard set of permissions a Android user has to ‘accept’ when he or she installs a new App.
This “normal” designation given by Android OS is the loophole the malware authors used to write this particular malicious App. There the malicious App “used these normal permissions” and replaced legit Android home screen icons with fake ones that point to phishing apps or websites,” they wrote.
The authors have further said that FireEye developed a proof-of-concept attack using Google’s Nexus 7 tablet running Android version 4.2.2 to show icons could be modified to send people to another website. FireEye was able to bypass the Google’s security checks in place and able to upload the App which it called ‘ThisIsATestApp’ on Google’s Play store which they removed after it confirmed their Proof of Concept.
Google’s Play store which checks Apps for security issues, especially after the fake Apps appearing on Google Play, considered the App a legit one and posted it on Google Play. FireEye added that no one downloaded the PoC App for the brief moment it was listed on Google Play Store.
FireEye provided Google with the Proof of Concept regarding this flaw in the month of October, 2013 and Google has issued a patch in February 2014 to overcome this flaw says FireEye. Google issued the patch to all its OEM partners as this has to be included in the update itself but FireEye says that not all OEMs are fast enough to upgrade and update security patches. This means that several Android smart phones running on the stock ROM are still vulnerable to this malicious App.
FireEye says that even the Custom ROMs available world over treat the above permissions as legit thereby making even the CyanogenMod run Android smart phone vulnerable to this attack. FireEye tested a Nexus 7 running on CyanogenMod custom ROM as well as a Samsung Galaxy S4 running Android 4.3 and an HTC One running 4.4.2. All classify the “read_settings” and “write_settings” permissions as normal.
FireEye has urged every Android vendor to upgrade the Android OEM version with the security patch. The real danger is that attackers could modify the icon of a banking application and fool users into divulging sensitive information like their bank account credentials on a fake website they’ve created.
Resource : FireEye Blog
