SAN FRANCISCO — How easy is it to corrupt an Android app with malware? So easy it can be done in 15 minutes.
That's according to Kevin McNamee, director of security architecture with Kindsight in Ottawa, Ontario.
At the B-Sides San Francisco security conference yesterday (Feb. 25), McNamee showed an audience how to dissect a legitimate copy of "Angry Birds," add malware and then reassemble the app.
The result is what McNamee called "Very Angry Birds" — a mobile Trojan horse that's both a fully functional game and a command system that gives a remote hacker total control over a phone.
"Very Angry Birds" is only a proof of concept, an experiment that hasn't been released into the wild.
But it "shows you the capability of what you can do with an Android app, Android malware that's been injected into basically a Trojanized application," McNamee said.
The big takeover
Immediately upon installation, "Very Angry Birds" sends a ton of data to a command-and-control server: the phone's assigned telephone number, ID numbers and carrier information, plus the registered user's Gmail address and full contact list.
The remote controller can also quickly trace the phone's physical location, perform software updates, delete information or shut down the handset.
The controller can also use the phone's Internet and cellular connections to send spam via email or text message. Spam recipients are not limited to the phone's contact list, but can be anyone.
A feature that Kindsight researchers called "Peep" secretly takes pictures using the phone's camera or cameras. Sound is briefly muted so that no "click" is heard, and the recorded image's display is limited to one pixel so the user won't notice it.
The remote controller can use "Very Angry Birds" to probe any office network that the handset joins over Wi-Fi, and can also read all emails and passwords stored on the phone.
"The real possibilities, I think," McNamee said, are "in the case of industrial and corporate espionage, when you take a phone with this, that's got malware on it, and you bring it into a corporation or a government or whatever."
How to corrupt an app
Instead of running as a regular app, McNamee explained, "Very Angry Birds" is labeled as an Android "service" so that it always runs in the background.
Creating it is simply a matter of taking a legitimate copy of "Angry Birds" from the Google Play app store and dissecting it using Android developer tools available on Google's website.
The command-and-control malware is simply copied and pasted into the real "Angry Birds" app, adding to the game's original functions without altering any of them.
An important step, McNamee said, is to manually add to the app's "manifest," the list of permissions that an app requests from the user upon installation. Granting those permissions gives the app total control of the phone.
But few Android users actually read those permission requests, he said, and instead blindly grant the privileges.
"I've just downloaded 'Angry Birds.' What do I want to do at this point?" McNamee asked. "I install it. I'm not even going to look at those privileges."
All Android apps must also be "signed" by the developer before they can run. But, said McNamee, the good part is that you can sign it with anything — even the signature used by "Angry Birds" maker Rovio.
"In 15 minutes, I can inject [the malware] into any app I want," McNamee said.
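For defenders, the changes described in this section (extra permissions in the manifest, an added background service, a re-signed package) show up when a suspect build is compared with a known-good copy. The following Python is an added example, not code from McNamee's talk or from Kindsight; it assumes both manifests have already been decoded to text XML, and the package name, class names and certificate fingerprints are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = {"service", "receiver", "activity", "provider"}
# Constructed sample manifests (decoded text XML); package and class names are hypothetical.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".GameActivity"/>
  </application>
</manifest>"""

SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <activity android:name=".GameActivity"/>
    <service android:name=".UpdateService"/>
  </application>
</manifest>"""

def summarize(manifest_xml):
    """Return (permissions, components) declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    name = ANDROID_NS + "name"
    perms = {n for e in root.iter("uses-permission") if (n := e.get(name))}
    comps = {(e.tag, n) for e in root.iter() if e.tag in COMPONENT_TAGS and (n := e.get(name))}
    return perms, comps

def diff_against_reference(reference_xml, suspect_xml, ref_cert=None, suspect_cert=None):
    """List what the suspect build declares that the reference build does not."""
    ref_perms, ref_comps = summarize(reference_xml)
    sus_perms, sus_comps = summarize(suspect_xml)
    return {
        "added_permissions": sorted(sus_perms - ref_perms),
        "added_components": sorted(sus_comps - ref_comps),
        "signer_mismatch": ref_cert is not None and ref_cert != suspect_cert,
    }

if __name__ == "__main__":
    # Fingerprints are placeholders supplied by the caller, not real certificate hashes.
    print(diff_against_reference(ORIGINAL, SUSPECT, "REF_CERT_SHA256", "OTHER_CERT_SHA256"))
```

Any non-empty `added_permissions` or `added_components` for a build that claims the same package name and version as the reference is worth investigating before the app is allowed onto managed devices.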
Scratching the surface
"Very Angry Birds" was demonstrated on a phone running Android 2.3 Gingerbread, a slightly older version of the mobile operating system. McNamee pointed out that the phone had not been previously "rooted" or tampered with.
The phone was running a pure Google build of Android, not one that had been tweaked by a carrier. McNamee saw no reason why "Very Angry Birds" would not work on Android 4.0 Ice Cream Sandwich or Android 4.1/4.2 Jelly Bean.
Infected versions of legitimate apps sometimes appear in Google's own Google Play app store, despite the introduction of Google's Bouncer app-screening software, and can often be found in "off-road" app markets in Eastern Europe and East Asia.
Mobile anti-virus software might work in preventing the installation of "Very Angry Birds," McNamee said, and he pointed out that Kindsight's own network-traffic monitoring software would detect the app's communications with its command-and-control server.
But, overall, he said, the "Very Angry Birds" experiment showed how "dead simple" it is to take over Android handsets.
"There's a lot more that can be done there," McNamee said. "I think I was just scratching the surface in terms of the possibilities."