Friday April 28, 2017

Backdoors in Millions of Smartphones

I was at the bank the other day, yeah, physically at the bank, and the banker-dude asked me if I had installed its banking application on my smartphone. I looked at him and asked, "Do I really look that stupid?" Wired has an article up today that outlines my paranoia about smartphones and security. Banking apps? No. Pay with my phone? No. Naked selfies? Maybe. The gist of this is that there are a bunch of apps that leave insecure ports on your smartphone.

News Image

To determine the full scope of the port problem, the Michigan researchers built a software tool they call OPAnalyzer (for Open Port Analyzer) that they used to scan the code of around 100,000 popular apps in the Google Play app store.

They found that 1,632 applications created open ports on smartphones, mostly intended to allow users to connect to them from PCs to send text messages, transfer files, or use the phone as a proxy to connect to the rest of the internet.

If you have the Wifi File Transfer, Virtual USB, or PhonePal apps on your phone, you might want to reevaluate your installation. If you want to read up on the paper yourself, the PDF is right here.

In this paper, we develop a tool called OPAnalyzer, which can systematically characterize open port usage in Android apps and effectively detect exploitable vulnerabilities. Using this tool on 24K popular Android apps, we are able to classify 99% of the mobile usage into 5 families, and identify some unique usage scenarios on mobile platform. From the vulnerability analysis performed, we find that such usage is generally unprotected. We are able to discover a bunch of new exploits causing vulnerabilities such as information leakage, denial of service, and privileged execution. We also propose countermeasures and improved practices to mitigate these problems in different usage scenarios. As a potential future work, we want to apply OPAnalyzer to analyze Android system applications to discover more critical vulnerabilities.