Android continues to prove irresistible to the hacker community, which seems intent on finding ever newer, more innovative ways to exploit security holes in the open source mobile platform. Now a new threat to Android may be on the horizon: A pair of security researchers are planning to make public next month a modular, open source framework called AFE (Android Framework for Exploitation) that bad guys can use to build and tailor Android malware to suit their tastes.
The creators of AFE, Aditya Gupta and Subho Halder, are self-described white hats who specialize in mobile security. The duo describe AFE as a superior alternative to the old-school way of creating Android malware, which entails "taking a legitimate app, decompiling it, using either apktool or dex2jar & jd-gui, inserting our codes, repackaging it," then duping users to download it -- possibly via the arguably insecure Android Marketplace, which permits developers to upload apps anonymously.
With AFE, according to the duo's description, a hacker can quickly cobble together malware capable of at least 20 different feats, including retrieving a user's call logs, contact information, and the content of his or her mailbox; swiping SD card contents; sending text messages; viewing browsing habits; recording phone conversations; capturing images with the affected device's camera; running root exploits; accessing the device's GPS location; and remotely dialing any number from the hijacked device.
In addition, the duo have created templates to mask the malware as legitimate apps such as File Explorer, Tic Tac Toe, and a jokes app. Users of the framework can add their own.
"For a basic effort at writing malware, that's not even really trying hard, you can make $10,000 a month," Gupta told SC Magazine. "You get more when you distribute this malware to the contact lists and [build botnets]."
Those profits could come from serving up ads to users through the malicious applications, for example, or by programming the exploited Android device to dial premium phone numbers.
This AFE doesn't bode well for Android, which security researchers at Black Hat Europe deemed "the most preferable smartphone OS to target." Much of that has to do with the fact that Google charges just $25 to register for the Google Play (the Android application marketplace), compared to $99 for the Apple App Store, plus developers are allowed to remain anonymous. What's more, Apple has garnered a reputation for doing a better job of monitoring the contents of its app store. In February, Google implemented a feature called Bouncer, designed to scan apps for malicious code. But a presenter at Black Hat last month demonstrated how Bouncer could be defeated.
Google has serious kinks to work out in its Android ecosystem, from the delayed distribution of critical patches to better monitoring and securing the Android application store. The company is already seeing more enterprise developers move to iOS, and losing the lucrative business user market has to hurt.
Gupta and Halder will demonstrate their framework at ToorCamp -- "the American hacker camp" -- in Washington state this month and at NullCon in Delhi next month.
Sign up for CIO Asia eNewsletters.