Framework Shows Android Security Holes

Tuesday, August 7, 2012 @ 06:08 PM gHale


As if it wasn’t already abundantly clear, XYSEC Labs security experts developed the Android Framework for Exploitation (AFE), an open source project meant to demonstrate the existence of security holes in the popular mobile operating system.

The framework can easily create malware and botnets, find vulnerabilities, use exploits, gain access to apps, steal sensitive data, and execute arbitrary commands on infected devices, said researchers Aditya Gupta and Subho Halder.


“Most of the part of the framework has been built in Python, however there are other languages involved as well,” Gupta said.

“For the start, we have built some pre-defined templates, in which the malware services could be injected, and the apk would be built. We have kept in mind that, it should be easy to use. The user just needs to input his local IP, and the features he would like to have in his malware, and just build it. That’s it. No programming needed,” he said.

A wave of spam messages received by Android users sparked discussion in the security community, with many professionals pointing the finger at the first-ever Android botnet.

It later turned out that this wasn’t the case, but with the Android Framework for Exploitation the experts want to demonstrate that an Android botnet is certainly possible.

AFE’s botnet module includes options that allow the malicious element to remain hidden from the victim, the capability of re-launching itself in case of a crash, and an automatic startup feature on device boot.

The project is open source because the experts want to allow other developers to pitch in their ideas and enhance AFE’s capabilities.

AFE is constantly undergoing improvement by Gupta and Halder, but after its public release in September, the experts are counting on the community’s support in making the framework as complex as possible.


