If you have a mobile device that runs Android, you are surely somewhat familiar with Google Play. If not, visit it at https://play.google.com
Android-based mobile devices by default require a Google Play account for updates, software installation and so on. So you obviously have a Gmail account (your email address, actually) that you use to authenticate there, the password is saved on your mobile, and the device is always connected to Google Play.
But, as always, there are interesting features that we can exploit :))
Let's see: you can browse from your computer to play.google.com, authenticate with your Gmail account, choose any app you need and install it… on your mobile device. 🙂
So I log in, get to Google Play, choose Talking Tom Free 2 and press the Install button.
I have to mention that here I also have detailed info about all mobile devices connected to this account.
And here we are:
So, it was sent to the device…
How can we verify that the application was successfully installed?
Same place: Google Play! 🙂
As you can see, after a few seconds it shows INSTALLED :))
Now, what do we see on the mobile?
Actually, almost nothing…
Here is phase 1:
After a few seconds, phase 2:
It appears once and disappears.
Now you can see only a small bag icon in the top toolbar, like here:
And here is the software, installed:
Perfect, handy and very, very useful!
Now, how malicious can it be?
Nowadays we face regular DB dumps. Since Gmail is one of the major email service providers, the number of Gmail accounts in such dumps is significant.
In addition, Google Play has recently become a known place to find malicious apps. It is not something planned intentionally, but it is a fact of our life. Unfortunately. Now, if you are looking for ways to monetize a dump you have, you can simply try Google Play. How?
It is fairly simple: log in to the account, go to Google Play, install a malicious app, and go on. If we are talking about making money, it can be just a trial "Google Antivirus" app that demands that you buy it. Not to mention the many technical possibilities to exploit when you have such a tool for remote installation on your mobile device: address book? Email accounts or credentials for various sites with mobile support? Private media data (someone already got a 150 k$ fine and 5 years in jail for Scarlett Johansson, was it Android?)?
In a targeted attack, your email can be obtained in many ways, and the password to it can be obtained from multiple places too (who uses a different password for each site? :)). Then the procedure is just as simple: install, run, enjoy.
In addition, an attacker can:
- Review the mobile devices currently associated with the Gmail account
- View installed apps
- Get details of usage, installs, updates etc.
- Get Android backup data from the embedded backup service[?]
P.S. Google received this report and did not rate it as something that can be considered a security problem. Currently you have no option to disable automatic remote installation of software on your mobile. So always review logs, keep your Gmail password safe, and don't open unknown links on your mobile either.
Actually, there is an option in the Google Play application settings that looks useful:
Google Play – Settings – User Controls – Use PIN for purchases
But whether it is checked or not, you are still able to install/uninstall apps via the Google Play site.
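Since neither the PIN setting nor anything else on the device blocks installs pushed from the Google Play site, the practical defence the post ends on is reviewing what is installed. The script below is an added example (not code from the original post) that turns that review into a repeatable check: it parses the output of `adb shell pm list packages -i`, which lists each package together with the installer that put it there (`com.android.vending` is the Google Play app), and reports every package that is not in a baseline the owner has already accepted. The sample output and the baseline are constructed for the example; on a real device you would feed in the actual command output.

```python
"""Audit installed Android packages against a reviewed baseline.

Added example, not from the original post. It assumes the line format of
`adb shell pm list packages -i`, i.e. one line per package of the form
`package:<name>  installer=<installer package>` (installer is `null` for
packages with no recorded installer, such as system or sideloaded apps).
"""
import re
from typing import Dict, List, Set

PLAY_STORE_INSTALLER = "com.android.vending"  # package name of the Google Play app

# Constructed sample of `pm list packages -i` output (not real device data).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:com.example.fakeantivirus  installer=com.android.vending
package:com.android.settings  installer=null
package:com.example.sideloaded  installer=null
"""

# Constructed baseline: the set of packages the owner last reviewed and accepted.
BASELINE: Set[str] = {"com.android.chrome", "com.example.notes", "com.android.settings"}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map each package name to its installer ('null' when none is recorded)."""
    packages: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unexpected pm output line: {line!r}")
        packages[match.group("pkg")] = match.group("installer")
    return packages


def find_unreviewed(packages: Dict[str, str], baseline: Set[str]) -> Dict[str, List[str]]:
    """Return packages missing from the baseline, split by installer.

    'play_store' holds packages the Google Play app installed (which is what a
    remote install from play.google.com looks like on the device); 'other'
    holds everything else that is new since the last review.
    """
    report: Dict[str, List[str]] = {"play_store": [], "other": []}
    for pkg, installer in sorted(packages.items()):
        if pkg in baseline:
            continue
        bucket = "play_store" if installer == PLAY_STORE_INSTALLER else "other"
        report[bucket].append(pkg)
    return report


def audit(output: str, baseline: Set[str]) -> Dict[str, List[str]]:
    """Parse pm output and report unreviewed packages in one call."""
    return find_unreviewed(parse_pm_list(output), baseline)


if __name__ == "__main__":
    # With the constructed sample this flags com.example.fakeantivirus (Play Store)
    # and com.example.sideloaded (other); everything else is in the baseline.
    for bucket, pkgs in audit(SAMPLE_PM_OUTPUT, BASELINE).items():
        for pkg in pkgs:
            print(f"[{bucket}] {pkg} is not in the reviewed baseline")
```

Run it periodically (or after any suspicious Play Store notification) and add packages to the baseline only after you have confirmed you installed them yourself; a new package attributed to the Play Store that you did not install from the device is exactly the trace a remote install leaves.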