Social engineering initiated

Today Android holds over 80% of the global smartphone market. This, logically, attracts a whole lot of hackers and cybercriminals, just like it is with Windows. The larger the ocean, the more the fish.

However, all these threats push Android to become increasingly secure. As we said in a previous article on Android security, some great and easy ways to minimize security risks are to only install apps from Google Play and to keep your device software updated.

But what if you're a bigger fish that's worth the extra effort? Even if you've downloaded apps only from Google Play, never clicked on suspicious links, never visited shady websites, and all your software is up to date, your mobile security and privacy can be compromised. And it's not necessary to be targeted by some sophisticated malware. Sometimes all an attacker needs is creativity, and this is what social engineering is all about.

What is social engineering?

Social engineering is a cunning method of luring someone into sharing private or business information with the attacker. Don't be naive or overly confident, it can outsmart you. It uses fraudulent communications, ads and other channels to entice users to click something they shouldn’t or share information somewhere they shouldn’t. This can be your typical phishing email, a phone call, a text from a friend, a link mimicking a trusted source or any number of permutations or combinations.

As stated, very few Android malware threats are in Google Play. This means that cybercriminals need to find alternative ways to get users to click on their .apk files and compromise themselves.

Email remains a strong tool for social engineering, and while not Android-specific, a number of targeted attacks can begin with an attempt to obtain your user information through email. Many Android users rely on their Gmail account for a number of things. A very simple social engineering trick is an official-sounding email asking you to simply log in to your Gmail account and verify your identity via a spoofed site. Often, this is just the first step...

What else can an attacker get from accessing your Gmail account? Your contact list...

Spoofing an email from your address is the simplest thing in the world. Sites like Anonymailer abound, masquerading as a way to send prank emails to your friends, but they can be leveraged for a more sinister purpose. Coupled with a contact list and a little personal information, a clever cybercriminal can craft any number of devious schemes, even without malware.

Social engineering examples

Social engineering uses several principles to operate on its targets, including trust, friendship, and authority.

Plays on authority that have actually worked include walking into an office with a clipboard scribbling notes, stopping at the front desk, and claiming something like: “We’ve had reports of a mobile access security breach. I need you to log in to your device, and access a network share. I have to check that our security protocols are working properly. Oh, and I need to see the login screen, to be sure that your device isn’t being redirected.”

Some social engineering attempts are sneakier still, attempting to use multiple elements. These attempts often make use of lower-level employees, gaining their confidence, and having the employee pass on the desired information to someone with more access. The individual with the desired level of access is fooled not because of the pitch of the social engineer, but because they trust the referral.

A good example of a sophisticated social engineering attack, Francophoned, was reported in April-May 2013. A VP's administrative assistant at a French-based international company was sent an email with a link to an invoice hosted on a commonly used file sharing service. A little later, the assistant was called by an individual pretending to be a VP from another company, instructing her to review the invoice and process it. The invoice contained a remote access Trojan, and the "vice president" was an attacker. This Trojan logged keystrokes, viewed the desktop, grabbed files, etc.

Malware & social engineering

Malware itself can be programmed to make use of social engineering, in particular for spear phishing: a spoofed email targeted at a particular agency or group.

On March 24, 2013, one of the first examples of spear phishing using an Android .apk was discovered, targeting Tibetan/Uyghur activists.

The email account of a high-profile Tibetan activist was hacked, following which a very convincing email about an upcoming conference was sent to other activists.

The message included an Android malware attachment called WUC’s Conference.apk. If opened, the attachment did display a letter. However, the hidden malware secretly reported the infection to a command-and-control (C&C) server and sent out data including:

  • Contacts (stored both on the phone and the SIM card)
  • Call logs
  • SMS messages
  • Geo-location
  • Phone data (phone number, OS version, phone model, SDK version)

This sort of targeted approach is the hallmark of social engineering, as it makes use of specific traits or information that leads the user into following a spurious link, opening a suspicious file, or visiting an alternative app store.

Sometimes social engineering simply offers something that's too good to be true, using a product or service consumers might want but are unwilling to pay for. These attempts often cast wide nets to catch as many people as possible off guard.

As recently as December 29, 2015, a campaign was launched in South Korea attempting to exploit the furor surrounding the new Sony movie The Interview. An Android app, hosted on Amazon Web Services, claimed it would download the movie. However, it was discovered to contain an Android malware variant called Android\BadAccents. This is a two-stage banking Trojan targeting commonly used Korean banks and one international bank (Citi Bank).

Ransomware & social engineering

A recent trend, as reported by Sophos’ Security Threat Report 2014, is an increase in reports of ransomware for Android.

One notable example is Android Defender. It masquerades as a security app but actually does quite the opposite: once installed, it starts making trouble and demands payment for removal.

The app, according to Sophos, “uses a variety of social engineering tactics and an unusually professional look and feel to repeatedly seek Device Administrator privileges. If given those privileges, it can restrict access to all other applications, making it impossible to make calls, change settings, kill tasks, uninstall apps, or even perform a factory reset. It presents a warning message about infection that is visible on screen, no matter what a user is doing. It can even disable Back/Home buttons and launch on reboot to resist removal.”
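The two behaviours described above, bulk collection of contacts, call logs, SMS, location and phone data by WUC's Conference.apk, and Android Defender's request for Device Administrator privileges, both leave traces in an app's manifest. The following triage script is an added example, not code from the original article or from Sophos; it assumes the manifest has already been decoded to plain XML (for instance with apktool, since the manifest inside an APK is binary), and the sample manifest it embeds is constructed to mimic the behaviour the article describes, not the real malware's manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data categories the article says WUC's Conference.apk exfiltrated, mapped to
# the Android permissions that grant access to them (real permission constants).
SENSITIVE = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "phone data": {"android.permission.READ_PHONE_STATE"},
}

def triage_manifest(xml_text):
    """Summarise what a decoded AndroidManifest.xml asks for."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A receiver guarded by BIND_DEVICE_ADMIN is how an app such as Android
    # Defender obtains the Device Administrator privileges it later abuses.
    admin = any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    categories = sorted(c for c, needed in SENSITIVE.items() if perms & needed)
    return {
        "package": root.get("package"),
        "collects": categories,
        # Sensitive data plus network access is the minimum for reporting to a C&C server.
        "can_exfiltrate": "android.permission.INTERNET" in perms and bool(categories),
        "requests_device_admin": admin,
    }

# Constructed sample manifest (hypothetical package name), not a real malware manifest.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.conference">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

A "conference letter" app that trips every category plus device admin deserves a closer look before it is installed; a legitimate viewer would need none of these.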

What to do about it?

Social engineering has been around for a long time. It becomes more prevalent as system security holes are patched, as with more stable versions of Windows or, as recently seen, strong improvements in Android. When holes are closed, social engineering is the tool of choice for criminals to bypass what can be the weakest link in device security – you.

Don’t make yourself the victim. If you must install an app, stick to Google Play. Be aware of all security permissions requested by any app installed. If you're an organization, a strong mobile device management solution and a well-defined BYOD or single-device policy can go a long way to protecting your data.

And what might be even simpler: always be critical, and educate yourself and your organization. Your mind can work for or against you; it's all up to you.