Disclaimer

Any opinions expressed here are my own and not necessarily those of my employer (I'm self-employed).

Feb 6, 2011

Steal a Google account and get a free OTP device!

I just read an interesting article on the Naked Security blog: New Android Market web store could open backdoor for phone hackers. Turns out, you can trigger installation of applications from the store and the installation procedure will silently complete on the Android phone. This could be a cool feature — but it comes with severe security implications for login procedures relying on mobile phones.

Authentication basics
To quickly lay the groundwork: traditional two-factor authentication relies on two elements during a login procedure; you have to present "something you know" and "something you have". A convenient and cost-effective approach has been to use a password as the "know" element and the user's mobile phone as the "have" element, e.g. by sending a one-time password (OTP) by SMS when the user logs into a website. You've then verified that the person logging in knows the user's password and also possesses the user's cell phone. This increases confidence that the correct person is logging in.

Websites can leverage the benefits of two-factor authentication with mobile phones to reduce the risk associated with virus-infected PCs and password compromises. Google has a great explanation of the feature on their blog. However, Google is far from alone in launching this security measure; in fact, there are online banks that have had such login procedures in place for several years. Just for the record.

Where it goes wrong
We've already seen malicious Android apps — if you steal a Google account, you could silently install an application to steal SMSs on the mobile phone. Google has made the "something you know" element the key to gaining control over the "something you have" element, reducing the authentication scheme to a traditional single-password scheme. As Google, for now, primarily lets users log in with a static password, they did not shoot themselves in the foot with the new store. It's everyone else relying on two-factor authentication with mobile phones who lost something here. Suddenly the security of an Android phone depends on the security of a Google account, which in turn reduces security for everyone else to single-factor authentication. In short, if a Trojan steals your banking password, it might as well steal your Google account and install malicious software on your Android phone to steal your banking SMSs.

But does Google realize what they've done? An online newspaper that picked up the story quotes a Google representative saying that
...this theoretical attack presupposes a compromised Google account...
Compromised Google accounts are far from theoretical. Off-the-shelf Trojans, such as Zeus/Zbot, can easily be set up to steal Google account passwords. If we look at where Zeus is heading, it's apparent that Google's automatic application installation constitutes a massive security risk. New Zeus variants try to infect online banking customers' mobile phones in order to steal the authorization codes they receive by SMS. With Google's new store, there's no need to trick the user into installing a mobile Trojan. The Trojan can easily steal the user's Google account and install the application silently. It is reasonable to assume that this approach will make it a lot easier for the Zeus mobile attack to scale, as today's approach depends on a manual step — requiring the user to confirm the installation of mobile malware.

But can it be done? It seems that the android-smspopup project covers the functionality needed. I also guess Google has documented the permission system well enough for someone to start stealing SMS messages. Google needs to rethink the app store installation strategy so as not to instantly kill Android phones as "security" devices.

How to fix it
Google should consider some design changes to their application installation procedure. An important countermeasure is mentioned on the Naked Security blog: a dialog should be shown on the device before application installation proceeds. I might add that it is of the utmost importance that the dialog shows key information about the application, especially the permissions granted. It should also clearly state that installation should be denied unless the user herself triggered it from the store.

Another countermeasure is mentioned too: a strong password. For the Trojan scenario I've discussed here, the strength of your password is irrelevant. A Trojan will read a strong password just as easily as a weak one as you type it in.

To further raise the bar for automated installs of Android malware, they could consider using their two-factor authentication procedure (mentioned on their blog) to trigger application installation from the store. At least, they should keep this as a countermeasure in their toolbox so they can swiftly enable it if faced with a serious attack.
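To make the two countermeasures concrete, here is an added example (not code from the original post, and not Google's store or Android API) that models a remote-install authorization policy: every install needs the on-device dialog listing its permissions, and an install triggered from the web additionally needs a second factor, so a stolen account password alone cannot push an app onto the phone. The request fields, package names and the choice of which permissions count as "can read your SMS codes" are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Permissions that let an app read the OTP SMS messages a bank sends.
# The names are Android's; treating them as sensitive is this example's policy.
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


@dataclass
class InstallRequest:
    package: str
    permissions: Set[str]
    origin: str               # "device": user tapped Install on the phone; "web": web store
    second_factor_ok: bool    # web session also proved possession of the phone (e.g. an OTP)
    device_confirmed: bool    # user accepted the on-device dialog listing the permissions


@dataclass
class Decision:
    allowed: bool
    blocking: List[str] = field(default_factory=list)   # reasons the install is refused
    warnings: List[str] = field(default_factory=list)   # risks recorded but not decisive


def confirmation_prompt(req: InstallRequest) -> str:
    """Text of the on-device dialog: package, every permission, and the
    instruction to deny anything the user did not start from the store."""
    lines = [f"Install {req.package}?"]
    for perm in sorted(req.permissions):
        flag = "  [can read your SMS codes]" if perm in SMS_PERMISSIONS else ""
        lines.append(f"  requires {perm}{flag}")
    if req.origin == "web":
        lines.append("This install was started from the web store. "
                     "Deny it unless you triggered it yourself.")
    return "\n".join(lines)


def authorize_install(req: InstallRequest, require_second_factor_for_web: bool = True) -> Decision:
    """Apply the policy. A web-triggered install is the path a Trojan with a
    stolen password would use, so it gets the extra second-factor requirement."""
    blocking, warnings = [], []
    if not req.device_confirmed:
        blocking.append("no on-device confirmation")
    if req.origin == "web" and require_second_factor_for_web and not req.second_factor_ok:
        blocking.append("web-triggered install without second factor")
    if req.origin == "web" and req.permissions & SMS_PERMISSIONS:
        warnings.append("remote install requests SMS access")
    return Decision(allowed=not blocking, blocking=blocking, warnings=warnings)


if __name__ == "__main__":
    # Constructed scenario: a web-triggered install of an SMS-reading app on a
    # phone whose owner never saw a dialog, i.e. the stolen-password case.
    trojan_push = InstallRequest(
        package="com.example.unwanted",
        permissions={"android.permission.RECEIVE_SMS", "android.permission.INTERNET"},
        origin="web", second_factor_ok=False, device_confirmed=False)
    print(confirmation_prompt(trojan_push))
    print(authorize_install(trojan_push))
```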


Copyright notice

© André N. Klingsheim and www.dotnetnoob.com, 2009-2018. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to André N. Klingsheim and www.dotnetnoob.com with appropriate and specific direction to the original content.
