I always love seeing Android phones packed to the gills with Antivirus software. The latest session to come out of DefCon goes to show that Antivirus on Android is not only a good idea but sadly it might not even help. Craig Young, a researcher at security firm Tripwire, showed off a pretty easy exploit at DefCon. He posted a proof of concept app in Google Play that steals an Android users Webtoken for their Google account. The app pretended to be a stock viewing app for Google Finance and was on Google Play with a description that clearly said it was malicious and should not be installed by users. When installed it would ask for permission to access a URL that starts with weblogin and includes finance.google.com. If you do then it will log you into Google Finance and everything would work like a charm but it would send your login token to an attack server to be used to login to EVERY OTHER GOOGLE SERVICE including Gmail, Calendar, etc.
The really scary part is that Google’s Bouncer scanner that is supposed to find such malicious apps and block them totally missed this app. Better yet most antivirus and antimalware applications also missed what the app was doing except for one privacy advisor application. Alexandru Catalin Cosoi, the chief security strategist at antivirus vendor Bitdefender, said it best to PC World stating that:
"Today’s presentation showed that with enough ingenuity and effort you can easily bypass apparently well protected systems"
It took a month for the app to even be reported as malicious in Google Play… In other words even BlackBerry users should keep a close eye out on the apps they install and the permissions they give to the apps. This goes even more so on Android where users live in a warzone of malicious applications. Even though this vulnerability was reported to Google in February only parts of it has been fixed since. So far Google has stopped you from ripping out every single data there is about a user through Google Takeout but has not blocked it for Gmail or Google drive on Android.
Kudos to PC World for the report