SAN FRANCISCO—Malicious apps can be used to steal information secured by Google's Android for Work, security company Skycure demonstrated here at RSA.
"The basic idea is to create a separate profile on the device which has business-level controls, while leaving the original, personal profile open and unmanaged," Skycure CEO Yair Amit wrote in a blog post. "All of the business applications, email, and documents would be managed and secured within the business profile, while everything on the personal side remains untouched and unrestricted."
Notify Your Enemies
Amit and his team were able to breach the separation between the work and private sections of Android devices using what he calls an "app-in-the-middle attack." A nod to man-in-the-middle attacks, this tactic uses a malicious app installed in the personal sector of the phone that is able to intercept information from the secure sector and pass it on to the attacker.
The malicious app requires no special permissions other than the ability to see notifications. In a demo, the app mimicked the functionality of PushBullet, an app that lets you mirror Android notifications on your PC.
Once installed, the app works as advertised, except that the attacker also receives a copy of your notifications.
"Since Notifications access is a device-level permission, a malicious app in the personal profile can acquire permission to view and take actions on ALL notifications, including work notifications, by design," Amit wrote. "Sensitive information, such as calendar meetings, email messages, and other information appears in these notifications, which are also visible to the 'personal' malicious app."
Then, all the attacker has to do is send a password reset request, copy the information from the intercepted notification, and seize control of personal accounts.
App in the Middle
In a second demonstration of the app-in-the-middle attack, Amit used an additional permission to gain even more insight into a victim's phone. Android devices include accessibility features such as text-to-speech for the visually impaired, and an app that holds the accessibility permission can read what is drawn on screen. Using that permission, Amit captured everything happening on the victim's screen, regardless of whether the user was viewing an app in the work or personal sectors.
"This app-in-the-middle resides in the personal profile, yet is effective in stealing corporate information as the user interacts with it," Amit explained. Because the management controls of the corporate sector do not extend to the personal sector, the IT managers of the corporate sector can neither prevent the attack nor be made aware of it.
Note that in both of these examples, Skycure built fully functional malicious apps. These not only carried out their devious designs, but also worked as advertised to the user.
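A device-side check that follows from the two demonstrations above, as an added example and not code from Skycure or Google: Android keeps the components granted notification access and accessibility access in two device-level Secure settings, so an administrator can list them (via `adb shell settings get secure ...`) and flag any package outside a reviewed allowlist; a package holding both capabilities has exactly the reach described in the article. The sample setting values, package names and allowlist below are constructed for the example.

```python
"""Audit of notification-listener and accessibility grants (added example)."""
from typing import Dict, List

# Constructed sample values in the format printed by
#   adb shell settings get secure enabled_notification_listeners
#   adb shell settings get secure enabled_accessibility_services
# Both are colon-separated "package/ServiceClass" lists. Packages are hypothetical.
SAMPLE_SETTINGS = {
    "enabled_notification_listeners":
        "com.example.mdm/.AgentListener:com.example.mirror/.NotifyService",
    "enabled_accessibility_services":
        "com.example.mirror/.ScreenReaderService",
}

# Hypothetical allowlist of packages the administrator has reviewed and accepts.
ALLOWLIST = {"com.example.mdm"}

CAPABILITIES = ("enabled_notification_listeners", "enabled_accessibility_services")


def parse_components(value: str) -> List[str]:
    """Turn a Secure-settings component list into package names.

    `settings get` prints the literal word "null" when nothing is granted."""
    if not value or value.strip() == "null":
        return []
    packages = []
    for entry in value.split(":"):
        entry = entry.strip()
        if entry:
            packages.append(entry.split("/", 1)[0])  # keep "package" of "package/Class"
    return packages


def audit(settings: Dict[str, str], allowlist=ALLOWLIST) -> Dict[str, List[str]]:
    """Return, per capability, the non-allowlisted packages holding it.

    The "both" entry lists packages that can read every notification and
    everything drawn on screen, across the work and personal profiles."""
    findings = {}
    for key in CAPABILITIES:
        held = set(parse_components(settings.get(key, "")))
        findings[key] = sorted(p for p in held if p not in allowlist)
    findings["both"] = sorted(set(findings[CAPABILITIES[0]]) & set(findings[CAPABILITIES[1]]))
    return findings


if __name__ == "__main__":
    for capability, packages in audit(SAMPLE_SETTINGS).items():
        print(f"{capability}: {', '.join(packages) or 'none'}")
```

On managed devices the work profile's device policy controller can also restrict these grants directly with DevicePolicyManager.setPermittedAccessibilityServices (Android 5.0 and later) and setPermittedCrossProfileNotificationListeners (Android 8.0 and later).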
An Unusual Response
Skycure is no stranger to threat research and has always followed a responsible disclosure policy, where companies are given the chance to patch discovered vulnerabilities before Skycure makes them public. That's not quite what happened this time, though.
"After internal evaluation by the Android team, it was decided that the aforementioned behavior is an intended behavior," wrote Amit. "As that behavior poses an unexpected and clear threat to corporate data of organizations that utilize Android for Work, we have mutually agreed to disclose the findings with the public, to raise awareness to the exposure."
It's worth noting that Google has done a remarkable job securing a platform as large as Android. Adrian Ludwig, the individual in charge of Android security, spoke this week at RSA and outlined how there have been vanishingly few successful exploitations used in the wild and none at a significant scale.
Also, most security professionals will point out that if you convince someone to install a malicious app, the bad guys have already won. As seen in the case of the DNC hack, the hardest part of any attack is often just convincing the victim to willingly make themselves vulnerable.
An interesting caveat to this is that Google provides many powerful security features in Android. SafetyNet, for instance, can detect malicious or suspicious activity on a device even when the app is installed from outside Google Play. The device used in Amit's testing was unmodified and up to date, yet the malicious activity went unnoticed. Google's security features might detect the app in the future, of course.
Speaking to PCMag, Amit was clear that Google and Android's work profile features are not to blame. Rather, a reliance on containers cannot replace good security policies. "The danger lies in the illusion of a secure container, which tends to allow people to let their guard down in the belief that the environment itself is a sufficient security mechanism to protect sensitive data," Amit said.
Amit pointed out that savvy IT professionals will recognize a risk in allowing devices that do double duty as home and office devices. By the same token, employees using devices that handle personal and corporate data need to be made aware of the risks and encouraged to act responsibly, either by scrutinizing the apps they install on these devices, or by using a third-party security app to augment the built-in safeguards found in Android.