How worried should you be about the NSA’s plans to hijack Google Play (Project “IRRITANT HORN”)?

The Intercept reported that the NSA has or had plans for a man in the middle attack on app stores with the goal of swapping out apps for their “special version” while you download them. The article unfortunately doesn’t really give any details beyond the project being named “IRRITANT HORN” and (unsurprisingly) rather aims for political activists than terrorists (though, for the powers that be, that’s pretty much one and the same thing).

The first thing to understand about Android apps is that they are relatively easy to infect with malware. It doesn’t matter if they are open or closed source. As long as you only want your code to run piggyback and don’t need interaction with the official parts of the app, a malware infection can be done automatically and on the fly. The process works like this:

  1. Intercept the APK file in transit.
  2. Unpack the APK and patch your code into the DEX file.
  3. Replace the AndroidManifest.xml with a version that calls your code first (and after it finishes doing its thing, call the real app).
  4. Reassemble the APK and pass it on.

In reality, it is a bit more complicated than that (especially when signatures matter), but I’ll have to postpone the details for a bit, here. First we need to talk about potential targets (users and apps).

One thing that becomes immediately obvious from the (simplified) process outlined above is that automated infections are not suitable to be rolled out to the masses. While it may be technically possible, you are unlikely to be spreading malware for long without getting caught in the act if you try to reach everyone. The good news here is that while it is possible to patch any given APK file in transit, project “IRRITANT HORN” still is a targeted attack that only applies to persons of interest.

Not every app is a suitable carrier for NSA payload. In the very least, it needs to offer a backchannel for phoning home. That is, request network access permission. Unfortunately, most Android apps are ad supported and therefore naturally provide the means. Even more unfortunate, Google, in its infinite wisdom, decided that network access is something, the user does not need to be informed about any longer. To do anything useful, additional permissions (e.g. microphone access) are likely needed as well. Of course, if you are patching the APK anyways, you can also always add needed permissions, but it might be a bit suspicious if the downloaded copy of an app asks for something it is not officially suppose to do.

Up to this point we have been talking about a generic attack vector in which malicious code gets added on the fly to an arbitrary app. The advantage of this method is that you, the attacker, can easily get your code executed on the target’s device. This is great if you just want to plant a bug (e.g. use the microphone or camera for surveillance purposes). It doesn’t help much if you are after someone’s encrypted mails or chats or want to actively spread misinformation on the target’s behalf. In this case another attack vector would be to replace the mail client or messenger app with a your hacked version. This means significantly more work since it requires the attacking code to be customized to the targeted app. Such a thing can’t be done on the fly and it also can’t be done for any except the most popular apps.

The previous paragraph left out a lot of detail on purpose in order to establish a general idea who might get attacked and by what means. The interesting question now is: “How difficult would it be to swap out an APK download if the attacker had full control over of a network router between the targeted user and Play?”

Let’s start with the good news first. Play uses HTTPS encryption for all communication and all devices with the market client are sold with the correct public key already on them. This is where the story could end, but unfortunately our attacker is not a carrier, but the NSA, so we have to at least entertain the idea that Google’s private keys might have gotten compromised or might get compromised in the future. So, in the following, let’s assume that the NSA was able to manipulate traffic between Play and a given Android device. Where would this get them?

With Android, all apps need to be signed by the developer’s private key. If you are an app developer, this is a rather annoying requirement that complicates your build process, but it is meant to safe guard exactly against the problem at hand. The Android OS will not accept app updates if they do not carry the same signature as the current version. Consider the following scenario (an instance of the second attack vector outlined above): a government agency waltzes in Google’s office, presents a National Security Letter and demand that they push a backdoored update of the Firefox browser to a number of users. Google could then simply tell that agency that they don’t have Mozilla’s private keys, therefore can’t properly sign the APK and therefore the target devices would reject the malicious update. Quite clever, ey? Well, there are a few problems here:

  • The first installation of an app is never questioned. It is always considered legit, based on the assumption that an attacker can never know if or when a targeted user will install an app.
  • The whole thing is not thought through to the end as there is no infrastructure by which users could verify signatures.
  • Play can’t push updates with mismatching signatures, but it can remotely install and de-install software.
  • All Android versions older than Jelly Bean have a bug that allows for completely bypassing the signature check anyways.

Where does this leave us security wise? The “IRRITANT HORN” project is a target attack. If you are not politically active, influential or close to someone who is, than you will probably not come in direct contact with it. If you trust Google to have done their homework on protecting their keys, then there is little to fear (in the sense that you are sitting safely in your castle while the viking hordes are pillaging the countryside). Otherwise you might not want to connect your phone with Play and rather use an apk downloader to get apps through throw away accounts.

Posted in Security