At the DEF CON security conference in Las Vegas, a security researcher showed that an attacker can hijack Google accounts from Android devices by abusing the "weblogin" one-click sign-in feature. Weblogin issues a unique token, stored on the device, that stands in for the user's login credentials so they do not have to enter them each time they use an app or website.
Craig Young, a researcher at security firm Tripwire, gave a proof-of-concept during his presentation in which a rogue app stole weblogin tokens. The app sent the stolen tokens back to the "hacker", who could then use them in a browser to impersonate the victim and access their Gmail, Google Drive, Google Voice and other Google services.
Young said the app was designed to masquerade as a stock-quote viewer for Google Finance and was actually published on Google Play. When installed, it asked for permission to find the accounts on the device and to use those accounts to authenticate to the network. Once launched, it prompted the user a second time, this time for permission to access a URL beginning with "weblogin" that included finance.google.com. Most users likely accept a second request like this, he said, because it is "uninformative."
Once the user granted permission, the fake app logged into Google Finance as advertised while also sending the token to the attacker over an encrypted connection. The problem, he said, is that the token does not merely work for Google Finance; it works across the entire portfolio of Google services. That includes accessing Google Play and remotely installing apps on the victim's devices, obtaining information from third-party websites that rely on Google Federated Login, and Google Apps accounts.
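The pattern described above, an app that declares the account permissions and then asks for a "weblogin" token, is something a store scanner or an app reviewer can check for statically. The following is an added example, not code from the article, from Tripwire or from Google. It assumes two things the page does not state: that apps request such tokens through AccountManager.getAuthToken() with a token-type string of the form `weblogin:service=<svc>&continue=<url>`, and that doing so requires the GET_ACCOUNTS and USE_CREDENTIALS permissions in AndroidManifest.xml. The manifest and string dump it runs on are constructed samples.

```python
"""Static triage for Android apps that request Google 'weblogin' tokens.

Added example, not from the article or from Tripwire.  Assumptions beyond
the page: (1) the token-type string passed to AccountManager.getAuthToken()
for one-click web sign-in looks like 'weblogin:service=<svc>&continue=<url>';
(2) an app needs GET_ACCOUNTS and USE_CREDENTIALS to request it.
All inputs below are constructed samples, not real app contents.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set
from urllib.parse import parse_qs, urlparse

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Permissions a token-harvesting app must declare (assumption, see above).
NEEDED = {"android.permission.GET_ACCOUNTS", "android.permission.USE_CREDENTIALS"}
# Matches a weblogin token-type literal inside a dump of the app's string constants.
WEBLOGIN_RE = re.compile(r"""weblogin:[^\s"']+""")


def manifest_permissions(manifest_xml: str) -> Set[str]:
    """Return every <uses-permission android:name=...> declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    key = "{%s}name" % ANDROID_NS
    return {e.get(key, "") for e in root.iter("uses-permission")}


def parse_weblogin(token_type: str) -> Optional[Dict[str, str]]:
    """Split 'weblogin:service=X&continue=URL' into parts; None if not a weblogin type."""
    if not token_type.startswith("weblogin:"):
        return None
    params = parse_qs(token_type[len("weblogin:"):], keep_blank_values=True)
    cont = params.get("continue", [""])[0]
    return {
        "service": params.get("service", [""])[0],
        "continue": cont,
        "continue_host": urlparse(cont).hostname or "",
    }


def find_weblogin_requests(strings_blob: str) -> List[Dict[str, str]]:
    """Every weblogin token type found in a string dump (e.g. strings run over classes.dex)."""
    found = []
    for match in WEBLOGIN_RE.findall(strings_blob):
        parsed = parse_weblogin(match)
        if parsed is not None:
            found.append(parsed)
    return found


def triage(manifest_xml: str, strings_blob: str) -> Dict[str, object]:
    """Flag an app that both holds the token-requesting permissions and embeds a
    weblogin token type.  As the article explains, such a token is account-wide
    regardless of the 'service' it names, so the service is reported only as context."""
    perms = manifest_permissions(manifest_xml)
    reqs = find_weblogin_requests(strings_blob)
    can_request = NEEDED <= perms
    notes = []
    if reqs and can_request:
        notes.append("app can mint weblogin tokens; treat as full Google-account access")
    elif reqs:
        notes.append("weblogin string present but required permissions missing")
    return {
        "needed_permissions_present": sorted(perms & NEEDED),
        "weblogin_requests": reqs,
        "suspicious": bool(reqs) and can_request,
        "notes": notes,
    }


# Constructed sample: a manifest modelled on what the rogue app would need.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakefinance">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
</manifest>"""

# Constructed sample: string constants as they might appear in a dex string dump.
SAMPLE_STRINGS = """
com.google
"weblogin:service=finance&continue=https://finance.google.com"
oauth2:https://www.googleapis.com/auth/userinfo.email
https://attacker.example/upload
"""

# Constructed benign counterpart: no account permissions, no weblogin string.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.stockticker">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS), indent=2))
    print(json.dumps(triage(BENIGN_MANIFEST, ""), indent=2))
```

The check deliberately does not care which `service` the token names: the point of the talk is that a token minted for finance.google.com is accepted everywhere, so any weblogin request by a third-party app deserves the same scrutiny as a request for the whole account.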
Young said that the app's listing on Google Play clearly stated that it was malicious and should not be installed. It nonetheless remained on Google Play for about a month, and was most likely removed only because someone reported it to Google. He saw no sign that it had been scanned by Bouncer, Google's built-in scanner that combs Google Play for malicious apps; if it was scanned, he said, it was not flagged as malicious.
Android's local app verification feature now blocks Young's app as spyware. Google was reportedly made aware of the issue back in February and has since started blocking some of the actions an attacker could previously perform with a stolen token, such as using it to access Google Takeout and download a complete dump of the account's data.
"Today's presentation showed that with enough ingenuity and effort you can easily bypass apparently well-protected systems," said Alexandru Catalin Cosoi, the chief security strategist at antivirus vendor Bitdefender.
He told the IDG News Service that users should be wary of apps whose permission requests contain the words "ID" and "weblogin". IT administrators who also act as Google Apps admins should not use those Google accounts on their work-related Android devices.