High Profile Targets at Risk Through Google Play Apps

Rook Security SECOPS
Jul 17, 2015

In analyzing the Hacking Team Breach (HTB) exploit code, the Rook SECOPS threat intelligence team identified a package of code that facilitates selective exploitation of Android phones through Google Play apps.

This attack vector can be used by any application published in the Google Play store to carry out either a surgical or a widespread compromise of the app's users' Android phones. A surgical attack targets specific IMEIs (the International Mobile Equipment Identity, the identifier unique to each handset). A widespread attack is carried out simply by the application owner not specifying any target IMEI numbers, in which case every device that installs the app is in scope.
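To make the surgical-versus-widespread distinction concrete, the following is an added model of the IMEI-gated selection described above. It is example code written for this page, not Rook Security's analysis code and not the leaked Hacking Team package; the IMEI normalization and Luhn check-digit validation are assumptions about how a robust implementation would treat a target list, and every IMEI used is constructed test data rather than a real device.

```python
# Added example: a model of IMEI-gated selective exploitation as described
# in the post above. Not the leaked Hacking Team code and not Rook Security's
# tooling; the normalization and Luhn validation are this example's own
# assumptions, and all IMEIs are constructed values for testing.

IMEI_LENGTH = 15


def normalize_imei(raw: str) -> str:
    """Strip separators so '35-123456-789012-4' and '351234567890124'
    compare equal; operators tend to paste IMEIs in mixed formats."""
    return "".join(ch for ch in raw if ch.isdigit())


def imei_is_valid(imei: str) -> bool:
    """An IMEI is 15 digits whose last digit is a Luhn check digit."""
    if len(imei) != IMEI_LENGTH or not imei.isdigit():
        return False
    total = 0
    # Walk from the right; double every second digit starting with the one
    # left of the check digit, folding two-digit products back to one digit.
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def load_targets(raw_targets):
    """Normalize and validate a target list. Invalid entries are returned
    separately instead of silently dropped: a typo that empties the list
    would otherwise flip a surgical campaign into a widespread one."""
    accepted, rejected = set(), []
    for raw in raw_targets:
        imei = normalize_imei(raw)
        if imei_is_valid(imei):
            accepted.add(imei)
        else:
            rejected.append(raw)
    return accepted, rejected


def should_exploit(device_imei: str, targets) -> bool:
    """Surgical mode: only devices on the list are exploited.
    Widespread mode: an empty list means every device is exploited."""
    if not targets:
        return True
    return normalize_imei(device_imei) in targets


def select_devices(raw_targets, observed_imeis):
    """Return the subset of observed devices the package would exploit,
    in the order they were observed."""
    targets, _ = load_targets(raw_targets)
    return [imei for imei in observed_imeis if should_exploit(imei, targets)]


if __name__ == "__main__":
    # Constructed IMEIs (Luhn-valid test values, not real handsets).
    fleet = ["351234567890124", "490154203237518"]
    print("surgical:  ", select_devices(["35-123456-789012-4"], fleet))
    print("widespread:", select_devices([], fleet))
```

The point the model makes that the prose does not: the only difference between a targeted implant and a mass one is whether the list is empty, so any mistake that empties it (bad formatting, a failed check digit) silently widens the blast radius. That is why `load_targets` reports rejected entries rather than discarding them.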

An example of how this could be used is the following. A profile is created for the target; in this case, someone would target me. They know that I enjoy tie-dyed roses and think that I have a green thumb, so they create an app that I would become aware of (through targeted advertising on Google, social engineering, or other targeted marketing). Once I download the app, my device would be infected with the malicious code of their choosing, which could allow them to eavesdrop on conversations, view my sensitive files, and compromise my accounts.

There is no known fix for this attack vector at this time other than to discontinue use of Google Play through policy, MDM, or firewall rules.
