Tuesday, March 18, 2014

Meet The Android App That Steals Everything

Mobile Threat Monday: Nightmare Android App Steals Everything

    Since we began Mobile Threat Monday all the way back in June we've primarily focused on specific attacks and malware that are already in the wild. This week, we're doing something different as Appthority showcases a malicious app they cooked up in their labs. It's not in the wild, thank goodness, but it does demonstrate how much damage a carefully crafted and distributed malicious app could do.
    Flappy Bird From Hell
    While nasty Trojan versions of the surprise smash-hit Flappy Bird are already making the rounds, Appthority decided that it would make the perfect vehicle for their malicious app. This wasn't an idle choice. "For Trojans, the goal is to find some way to get the biggest footprint and distribution," said Appthority's Chief Architect and Co-Founder Kevin Watkins. "This app was intentionally removed by the app developer when it was still highly popular, leaving it open to being spread around through other channels." In other words, it's likely to be cloned and passed around as an email attachment, or pushed on third-party app stores outside of the Google Play ecosystem.
    Appthority carefully crafted their Trojan to not draw too much attention. It requires few permissions to install and is just as infuriatingly difficult to play as the real thing. But while you're happily flapping away, the app is checking to see if your device is rooted. If not, it will attempt various techniques to gain root access, all the while hiding its activities from the user.
    Once it has root access, the malware has free rein over your device and transfers all your apps to a cloud-based Android emulator—along with all your personal information and authentication tokens. This means that if you've already logged into Facebook, Twitter or another service, the attacker can use those apps from the emulator and appear to be you. Appthority says they were also able to get authentication information for Salesforce, Google, dating apps, medical apps—even the wallpaper on the victim's phone.
    Gaining access to Google is particularly damaging because it lets attackers use your Gmail account. They can then gain access to other websites by requesting password recovery emails. If the email account on your phone is linked to your bank, you're in serious trouble.
    Staying Safe
    Though Appthority's nightmare malware isn't in the wild, it's more than just a dream. Watkins stood on stage at RSAC 2014 and demonstrated how this app could hijack a phone in mere minutes—in addition to his Flappy Bird abilities.
    But there's still a lot to be learned from this app, even if it's not coming after you. First and foremost: stick to Google Play. Don't install apps sent by your friend, or dredged up on some shifty marketplace.
    This app also demonstrates how damaging it can be to lose control of root access. That's why we still recommend against rooting your phone unless you really know what you're doing. That said, I'm interested to see what security apps like Editors' Choice avast! Mobile Security & Antivirus could do with root access.
    As interesting as it is to see what a nightmare scenario would look like, the damage and speed of Appthority's creation is rather startling. Let's hope this one stays in the realm of dreams.
