Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Feb 6, 2011

Steal a Google account and get a free OTP device!

I just read an interesting article on the Naked Security blog: New Android Market web store could open backdoor for phone hackers. It turns out that you can trigger the installation of an application from the web store, and the installation then completes silently on the Android phone, without any confirmation on the device. This could be a cool feature, but it comes with severe security implications for login procedures that rely on mobile phones.

Authentication basics
To quickly lay the groundwork: traditional two-factor authentication relies on two elements during a login procedure; you have to present "something you know" and "something you have". A convenient and cost-effective approach has been to use a password as the "know" element and the user's mobile phone as the "have" element, e.g. by sending a one-time password (OTP) by SMS when the user logs into a website. If the correct OTP comes back, you have verified that the person logging in knows the user's password and also possesses the user's phone. This increases confidence that the correct person is logging in.
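The server side of the SMS-OTP login step described above, as an added example that is not code from the original post. It is a minimal model written for this page: the password check is assumed to have already passed, the SMS gateway is replaced by an injected `send_sms` callback so it runs offline, and the code length, lifetime and guess limit are constructed policy values. The point to notice is that everything here is sound, yet it proves only that whoever typed the code could read the phone's SMS inbox; that is the assumption the rest of the post attacks.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed policy values for this example: a 6-digit code that lives
# five minutes and may be guessed three times.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 3


@dataclass
class PendingOtp:
    code: str
    session_id: str   # the web session that passed the password check
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    """Second login step: the password is already verified, now prove
    possession of the phone by echoing back the code that was texted to it.

    send_sms is injected so the example runs offline; in production it
    would hand the message to an SMS gateway.
    """

    def __init__(self, send_sms: Callable[[str, str], None]) -> None:
        self.send_sms = send_sms
        self.pending: Dict[str, PendingOtp] = {}   # user -> outstanding code

    def issue(self, user: str, phone: str, session_id: str,
              now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        # CSPRNG-backed and zero-padded so a leading zero is not lost.
        code = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
        # Issuing a new code replaces any outstanding one for this user.
        self.pending[user] = PendingOtp(code, session_id, now + OTP_TTL_SECONDS)
        self.send_sms(phone, f"Your login code is {code}")

    def verify(self, user: str, session_id: str, code: str,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        otp = self.pending.get(user)
        if otp is None:
            return False
        if now > otp.expires_at or otp.session_id != session_id:
            # Expired, or presented from a session other than the one that
            # passed the password check: discard it, a new login is needed.
            del self.pending[user]
            return False
        otp.attempts += 1
        ok = hmac.compare_digest(otp.code.encode(), code.encode())
        if ok or otp.attempts >= OTP_MAX_ATTEMPTS:
            # Single use: a correct code is consumed. Too many wrong guesses
            # consume it as well, so the code cannot be brute-forced.
            del self.pending[user]
        return ok
```

Binding the code to the session that passed the password check matters: a phished code cannot be replayed from the attacker's own session. None of this helps, however, if malware on the phone forwards the SMS to the attacker before the legitimate user reads it.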

Websites can leverage two-factor authentication with mobile phones to reduce the risk associated with virus-infected PCs and password compromises. Google has a great explanation of the feature on their blog. However, Google is far from alone in launching this security measure; in fact, there are online banks that have had such login procedures in place for several years. Just for the record.

Where it goes wrong
We've already seen malicious Android apps. If you steal a Google account, you can now silently install an application that steals SMS messages on the victim's phone. Google has made the "something you know" element (the account password) the key to controlling the "something you have" element (the phone), which reduces the two-factor scheme to a traditional single-password scheme. Since Google, for now, primarily lets users log in with a static password, they did not shoot themselves in the foot with the new store. It is everyone else who relies on two-factor authentication with mobile phones that lost something here. Suddenly the security of an Android phone depends on the security of a Google account, which in turn reduces every SMS-based login on that phone to single-factor authentication. In short, if a Trojan steals your banking password, it might as well steal your Google account, install malicious software on your Android phone, and steal your banking SMSs too.

But does Google realize what they've done? An online newspaper that picked up the story quotes a Google representative saying that
...this theoretical attack presupposes a compromised Google account...
Compromised Google accounts are far from theoretical. Off-the-shelf Trojans, such as Zeus/Zbot, can easily be configured to steal Google account passwords. If we look at where Zeus is heading, it is apparent that Google's automatic application installation constitutes a massive security risk. New Zeus variants try to infect online banking customers' mobile phones in order to steal the authorization codes they receive by SMS. With Google's new store, there's no need to trick the user into installing a mobile Trojan: the PC Trojan steals the user's Google account and installs the application silently. It is reasonable to assume that this will make the Zeus mobile attack a lot easier to scale, as today's approach depends on a manual step, namely getting the user to confirm the installation of the mobile malware.

But can it be done? It seems that the android-smspopup project covers the functionality needed. I also guess Google has documented the permission system well enough to start stealing SMS messages. Google needs to rethink the app store installation strategy, so as not to instantly kill Android phones as "security" devices.

How to fix it
Google should consider some design changes to their application installation procedure. An important countermeasure is mentioned on the Naked Security blog: a dialog should be shown on the device before the installation proceeds. I might add that it is of the utmost importance that the dialog shows key information about the application, especially the permissions it will be granted. It should also clearly state that the installation should be denied unless the user herself triggered it from the store.

Another countermeasure is mentioned too: a strong password. For the Trojan scenario I've discussed here, the strength of your password is irrelevant. A Trojan reads a strong password just as easily as a weak one as you type it in.

To further raise the bar for automated installs of Android malware, they could consider using their two-factor authentication procedure (mentioned on their blog) to authorize application installation from the web store. At the very least, they should keep this as a countermeasure in their toolbox so they can swiftly enable it if faced with a serious attack.
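The two countermeasures above (an on-device dialog that shows the requested permissions and asks whether the user triggered the install, and a second-factor check on web-initiated installs), modelled side by side with the silent flow the post criticizes. This is an added example written for this page, not Google's or the Android Market's code. The Android permission names are real; the classification of the SMS permissions as "sensitive", the package names, and the `second_factor_ok` flag standing in for a step-up check through a channel other than the target phone are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Real Android permission names; treating them as the sensitive set is this
# example's policy choice, since either one lets an app read OTPs sent by SMS.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


@dataclass
class InstallRequest:
    request_id: int
    package: str
    permissions: List[str]
    origin: str             # "web" (from the store site) or "device"
    second_factor_ok: bool  # web session passed a step-up check (assumed flag)
    state: str = "pending"


@dataclass
class Device:
    installed: List[str] = field(default_factory=list)


class SilentInstaller:
    """The behaviour the post describes: a logged-in web-store session is
    sufficient, and nothing is shown on the phone."""

    def install(self, device: Device, package: str, permissions: List[str]) -> None:
        device.installed.append(package)


class GatedInstaller:
    """Hardened flow: remote installs are queued, the phone displays the
    requested permissions before anything happens, and an SMS-capable app
    requested from the web additionally needs a second factor that is not
    the phone being targeted."""

    def __init__(self) -> None:
        self._next_id = 1
        self.queue: Dict[int, InstallRequest] = {}

    def request(self, package: str, permissions: List[str], origin: str,
                second_factor_ok: bool = False) -> InstallRequest:
        req = InstallRequest(self._next_id, package, list(permissions),
                             origin, second_factor_ok)
        self._next_id += 1
        # A stolen password alone must not be enough to push an SMS reader.
        if origin == "web" and SMS_PERMISSIONS & set(req.permissions) \
                and not second_factor_ok:
            req.state = "rejected_needs_step_up"
        self.queue[req.request_id] = req
        return req

    def device_prompt(self, request_id: int) -> Optional[dict]:
        """What the phone shows before installing; None if there is nothing
        pending for this id."""
        req = self.queue.get(request_id)
        if req is None or req.state != "pending":
            return None
        sensitive = sorted(SMS_PERMISSIONS & set(req.permissions))
        return {
            "package": req.package,
            "permissions": sorted(req.permissions),
            "remote": req.origin == "web",
            "warning": "This app can read your text messages" if sensitive else None,
        }

    def confirm_on_device(self, device: Device, request_id: int,
                          user_triggered_it: bool) -> bool:
        """The user's answer to 'did you start this install yourself?'."""
        req = self.queue.get(request_id)
        if req is None or req.state != "pending":
            return False
        if not user_triggered_it:
            req.state = "denied"
            return False
        req.state = "installed"
        device.installed.append(req.package)
        return True
```

With `SilentInstaller`, the attacker's web session is the whole story. With `GatedInstaller`, the same request is either stopped server-side (SMS permissions without a step-up) or has to survive a dialog on the phone that names the permissions and says it came from the web, so the victim can deny an install she never started.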


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
