Untrustworthy App Permissions Help Attackers Own Your Phone

New York State Cyber Command employees demonstrated how attackers can get free rein on mobile devices - with a little help from the device owners - at SC Media's RiskSec NY 2018 conference. SC Magazine reported on Mark Bilanski, Deputy Director of the NYS Cyber Command Center's Cyber Incident Response Team, and Louis Smith, Senior Security Analyst’s presentation, which showed how mobile users download untrustworthy apps on their phones, agree to dangerous permissions requests without realizing it, and open the door to attackers to give them complete access to their phones.

Bilanski, Smith, and their team created an application for the demonstration and installed it on the demo phone, an Android device, thereby infecting the phone. Their goal was to see just how far they could take it. They basically mirrored the users’ phone screen, while the attacker was able to do whatever they wanted (take photos, access pictures, modify data, make calls, send texts, etc.) all while the user was seeing their normal home screen and were none the wiser.

The panel of experts watching the demonstration shared some ideas to encourage employees to be wary of permissions and not just agree to them by default in order to get the app installed. Namely, mobile device management (MDM) was suggested, as were some basic education programs for employees - who may be targeted by cybercriminals eager to get around two factor authentication on an employee’s phone and use that as the key to get at a corporation’s internal data, or send fake messages from high-ranking executives requesting financial transfers.    

Says fellow panelist Tony Sager, senior VP and chief evangelist at the Center for Internet Security (CIS):

“You can't train people to stop everything, but you can help them understand these are the trigger things you should be aware of - phrases you hear, inconsistencies - and have a policy to go out of band. If it doesn't look right, find a different path back to validate. And you have to train your executives often to not be ticked off when people call to question, 'Was it really you who told me to transfer that money?'"

We would add the following recommendations:

  • When you're installing an app and it asks to access your microphone and camera, think carefully about the app's function and if it should really need access (i.e. your weather app could need access to your location, but it certainly doesn't need camera access).
  • Remember, too, that free applications are able to be “free” to use because they’re typically selling your data and making a profit from that in order to stay in business.
  • If you have questions about whether an app is untrustworthy, the safest bet is to just skip it altogether or speak with your IT team if it’s something you actually think you need.