How we were able to spy on a 60 Minutes reporterDownload Case Study
Without apps, our mobile devices would be, well, phones. Apps are what take our devices to the next level, making them ultimately an assistant to our everyday activities.
However, malicious applications represent one of the main ways mobile devices are able to be compromised.
We demonstrated an example of what can happen if a malicious app infects a mobile device on 60 Minutes.
How we did it
The app is an example of “spyware,” or a piece of mobile malware that intends to spy on an individual, collect that data, and transmit it back to a command and control server.
In order for the attack to work, the victim needs only to install the application. You don’t need to have a jailbroken or rooted device, it doesn’t need to be connected to any special kind of network.
How it gets on the phone
On 60 Minutes, reporter Sharyn Alfonsi downloaded the app from Lookout co-founder John Hering. In this scenario she sideloaded the application through a text message. The message read, “Hey - I’m only chatting now using a secure messaging app called ghost chat. Download it now to talk.” The SMS message also included a link to download the app.
Sideloading apps is one of the main ways malicious apps get onto a victim’s device, although we have seen similar malicious apps in official app stores.
Attackers use this kind of a trust dynamic all the time, crafting messages that ensure the victim feels safe or comfortable taking the desired action, in this case, downloading an app. It doesn’t have to be through a text message either. Malicious actors also use spoofed emails, text messages, malicious websites, and app stores to distribute their malware.
What happens when you’re infected
Once installed on your phone, the malware uses permissions to access the microphone and camera, broadcasting the victim’s image and voice. Since this app was positioned to the victim as a communications app, these permissions seem normal.
It accesses these features completely in the background without lighting the screen up or alerting the victim that anything fishy is happening. This is not an uncommon practice for malicious applications that can use different tactics to operate under the radar, such as those that let an app developer keep the phone from going to sleep.
Is this an Android-only problem?
Not necessarily. Sideloading applications is much more common on Android, as the process is fairly easy: all you need to do is check “unknown sources” in the phone’s settings. People often do this to download more than just pirated apps, they also do it to access other well-known stores such as the Amazon App Store.
It’s not impossible, however, to also sideload an app on a non-jailbroken iOS device. This is especially true when considering targeted attack situations.
If an attacker is motivated, he or she could gain access to an enterprise provisioning profile, or a type of certificate on iOS that allows large businesses to distribute applications created in-house, such as an expenses app, without having to go through Apple’s App Store.
Unfortunately, some of these certificates have made it to the black market, where criminals can purchase them and use them to effectively sideload applications to iPhones and iPads.
One prominent example of iOS spyware that is distributed outside the App Store using an enterprise certificate is Hacking Team’s spyware, which is capable of tracking location, stealing address book and calendar data and capturing keystrokes.
The flow of getting an application onto the phone using this method is similar to the sideloading flow on Android, but a little more complicated. An attacker could still send an application through SMS, a website, or email, but the victim would need to “trust” the developer before they can use the app, and that requires going to the phone’s settings. We’ve observed some malware that even provides directions in their websites or messages that show a victim just how to do this.
Enterprises need to ensure that the devices running on their networks don’t have this kind of issue going unnoticed. This is why having technology, such as Lookout Mobile Threat Protection, that alerts administrators to malicious apps and other risks is ultimately important to ensuring the company, and its employees, are safe.
Individuals can also protect themselves by ensuring that they don’t sideload applications unless they really, truly know where it is coming from. On Android, you can avoid sideloading altogether by ensuring the download from “unknown sources” setting is unchecked. On iOS, you should avoid trusting applications that come from any source other than the official iOS App Store. You can also download an application, such as Lookout (available on Google Play and in the App Store), that monitors to ensure that no malicious processes are running on the device.