'Celebgate' hackers plotted more thefts via Android Flappy Bird clone

News by Tim Ring

Researcher finds more attempts to steal private photos, while Symantec spots a botnet campaign to steal Apple account data.

In a bizarre righting of the balance between Apple and Android insecurity, it's emerged that the hackers who stole nude photos of more than 100 female celebrities from their Apple accounts also conspired to filch more private pictures using an infected version of the Android-based Flappy Bird game.

Australian-born blogger and white-hat hacker Nic Cubrilovic revealed the plot in a 4 September tweet.

As Cubrilovic shows, a self-declared “genious” boasted on image-sharing site AnonIB in late July that he had “modded” the popular Flappy Bird app to secretly download all of the phone's pictures while the owner unknowingly played the game. “Note: this app will only work for Android,” he said.

But the perpetrator was reluctant to upload the infected game, saying: “The problem is this – it's a violation of google play developers licence to publish sneaky apps like that, and I REFUSE to risk my licence over it.”

He asks for money to set up a second account and promises to “post any wins [stolen photos] obtained in this thread”.

The posts highlight the extent of the threat from hackers trying to steal private photos from mobile devices.

They also provide a breathing space for Apple, whose share price was hit and which may face legal action after last week's 'Celebgate' – the leaking of nude photos of more than 100 Hollywood actresses and other celebrities stored on Apple's iCloud service.

The victims include 'Hunger Games' actress Jennifer Lawrence, 'Downton Abbey' actress Jessica Brown Findlay, and models Cara Delevingne and Kate Upton.

The pictures were dumped on AnonIB and its sister site, 4Chan, and the leaks – now being investigated by the FBI – were blamed on hackers using brute-force attacks to crack the victims' Apple account passwords, and possibly exploiting gaps in Apple's two-factor authentication (2FA) security.

Late last week Apple CEO Tim Cook promised reforms, including more consistent 2FA and alerts to tell users whenever their Apple account password is changed, when a device logs into an account for the first time, or when iCloud data is restored to a new device.

And with the focus now switching to Android insecurity, industry expert James Lyne, head of research at Sophos, says that while both iPhones and Androids are showing weaknesses, Apple holds an apparent advantage in security terms.

Lyne told SCMagazineUK.com via email: “iPhones running iOS have a reputation for more robust security than Android, which given the presence of over 350,000 pieces of malware for Android and a tiny number for iOS is a pretty fair reputation.

“At the core of iOS defence against malware is the fact that apps are only distributed via the AppStore, with the ability for Apple to revoke any application (even after deployment), if it is found to be negative in some way.

“The Android application system by comparison is less mature and has been a breeding ground for malicious application clones such as this. Of course, Apple is not immune; the recent celebrity hacks demonstrate that you can attack other infrastructure surrounding the device such as the cloud-based backups of data.”

Lyne added: “This attack takes advantage of the fact that users never read warnings and simply click 'OK' when an application installs and requests permission to access specific data.

“In this case the application will overtly ask the user for access to the data and just about every user out there will click OK. It is no high-tech hack, no super unblockable über exploit, but just asks users nicely to hand over their data. In some ways that makes it rather comparable to the Apple attack in technical complexity.”

Also commenting on the Flappy Bird plot, security expert and blogger Graham Cluley said: “The problem is, of course, that firstly Google doesn't police its app store anything like as strongly as Apple, but also that users are all too willing to grant permission to their Android apps to access all manner of parts of their smartphone without questioning if it's appropriate for a game to – say – send SMS message or (in this scenario) access your photographs.”

Meanwhile, security firm Symantec has warned that a major botnet campaign has begun against Apple customers – possibly playing on the fears raised by 'Celebgate' and exploiting the two-week gap until Apple implements the improvements promised by Cook.

In a 5 September blog, Symantec says the campaign, to capture Apple IDs and passwords, has been launched using the Kelihos botnet. The spam messages purport to come from Apple and tell users their iTunes account has been accessed from an address in Russia, to try to lure them to click on the link provided and “check their Apple ID”.

