In late May 2016, the U.S. Department of Defense (DoD) released an advisory to its armed services and civilian workforce warning about an Android app called “CAC Scan,” which was found publicly available on the Google Play market.
A Common Access Card (CAC) is the standard identification card for DoD personnel, providing users with physical access to buildings and authentication to computer networks and systems. The CAC Scan app — which has since been removed from the U.S. Google Play storefront (it is unclear whether Google or the developer removed it) — claimed to “scan the front of a CAC to get the cardholder’s first name, last name, middle initial, rank, full social security number, and [DoD ID].” The DoD’s response in the advisory was deservedly blunt:
The DoD advisory went so far as to point out one of those “disturbing implications”:
Behavior such as this (e.g., transmission of CAC data to a remote system) would almost certainly point to malicious intent. Given this possibility, we felt it necessary to investigate this app more deeply.
A closer look at the app
Lookout first acquired the CAC Scan app (Android package name “com.armyapps.cacscan”) in early May 2016. Our automated systems analyzed it and found that it did not execute any malicious behavior. Additional analysis (including a detailed manual teardown) confirmed that the app does not contain any malicious behavior. In fact, the app is deceptively simple and contains very little code. It uses nothing but a single Activity component, which represents one user interface page in an Android app. While not immediately malicious, the app still presents some significant risk to the DoD and all CAC cardholders. Its functionality allows anyone with the app to compromise sensitive personally identifiable information (PII).
What it does and how it works
To scan a CAC, the user presses a “camera” button in the CAC Scan app to launch a separate third-party barcode scanner app, called “Barcode Scanner” (more on this later). Barcode Scanner is configured to read the 2D barcode on the front face of a CAC. When a barcode is scanned, the scanner app sends the decoded contents of the barcode back to the CAC Scan app, which simply parses the results and displays them on a simplistic user interface.
Interestingly, the CAC Scan app does not perform any sanity checking on the barcode data it receives from Barcode Scanner, which results in frequent crashes in the results parsing code when scanning non-CAC 2D barcodes. The “CAC” value displayed as the “ID Type” in the app is a hardcoded string rather than a value derived and validated from the Barcode Scanner results.
Our analysis confirmed the warnings in the DoD advisory that this app does accurately decode sensitive PII from the CAC. This includes the stored Social Security Number, which we recently learned isn’t scheduled to be completely phased out of CAC barcodes until June 2022. However, since the app does not attempt to exfiltrate or otherwise misuse the CAC data it receives, Lookout does not classify it as malware.
Risky apps: Going beyond malware
The CAC Scan app epitomizes the idea that mobile security needs to go beyond malware detection. For example, while an app itself may not be malicious, its presence among a particular workforce’s fleet of devices could represent a critical risk to the enterprise. In the case of the CAC Scan app, the DoD correctly identifies it as a serious risk within its workforce; in particular, their assessment points to the “insider threat”:
Given the high resolution of modern smartphone cameras and the relative ease with which one can capture barcode data using readily available apps, the insider threat case is a legitimate concern. However, our analysis revealed an additional threat which may easily be overlooked.
One more thing
As mentioned earlier, the act of scanning a CAC barcode is handled by a separate third-party app called Barcode Scanner (Android package name “com.google.zxing.client.android”). By default, the Barcode Scanner app saves a history of all the barcodes the user has scanned (regardless of whether or not the scan was initiated by another app). This barcode history is stored in an unencrypted database in the Barcode Scanner app’s private data storage.
Delivered through a phishing campaign, a targeted piece of malware with a privilege escalation payload could easily copy this barcode history database and exfiltrate it to a remote system where a bad actor could analyze it for the presence of any CAC card scans and extract the sensitive PII. This type of attack could potentially exploit users with harmless intentions who just wanted to try the CAC Scan (or Barcode Scanner) app on their own CAC.
These types of threats highlight the need for a “defense-in-depth” approach when it comes to an organization’s mobility strategy. In addition to malware detection, a mobile security solution should include capabilities which allow an enterprise to define its own compliance policies (including app blacklists and approved behavior profiles) to protect its users from risky apps such as CAC Scan. Additionally, by leveraging an Enterprise Mobility Management (EMM) solution as a complement to a mobile security solution, enterprises can enjoy end-to-end detection of, response to, and mitigation of both malicious and risky apps in order to protect their users, their data, and their infrastructure.
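As an added illustration of the kind of compliance policy described above (example code written for this article, not Lookout’s product or either app’s code), the script below evaluates a fleet of Android devices against a small risky-app blacklist. The two package names are the ones named in this article; the per-device inventories are constructed sample input in the `package:<name>` format printed by `adb shell pm list packages`, and the severity levels and the escalation rule for the two apps installed together are assumptions of this example.

```python
"""Fleet compliance check for risky (not necessarily malicious) apps.

Added example, not Lookout's or either app's code. Package names come
from the article; the inventory lines are constructed sample input in
the `package:<name>` format of `adb shell pm list packages`.
"""
from dataclasses import dataclass

# Assumed severity ordering for this example, highest first.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

# Policy: package -> (severity, rationale), both assumed for the example.
POLICY = {
    # Decodes CAC PII (including the SSN) and displays it: insider-threat risk.
    "com.armyapps.cacscan": ("high", "decodes CAC PII from the front-face barcode"),
    # Keeps an unencrypted history of every scan in its private storage.
    "com.google.zxing.client.android": ("medium", "stores unencrypted scan history"),
}

@dataclass(frozen=True)
class Finding:
    device: str
    package: str
    severity: str
    rationale: str

def parse_pm_list(output: str) -> set[str]:
    """Parse `pm list packages` output; ignore blank and malformed lines."""
    pkgs = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:") and len(line) > len("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs

def evaluate_device(device: str, inventory: str) -> list[Finding]:
    """Return this device's findings, most severe first (empty = compliant)."""
    installed = parse_pm_list(inventory)
    findings = [Finding(device, p, *POLICY[p]) for p in sorted(installed) if p in POLICY]
    # Both apps together mean any CAC scan has very likely been written to the
    # scanner's history database, so the combination is escalated to critical.
    if {"com.armyapps.cacscan", "com.google.zxing.client.android"} <= installed:
        findings.append(Finding(device, "com.armyapps.cacscan+com.google.zxing.client.android",
                                "critical", "CAC scans likely persisted in unencrypted history"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])

def fleet_report(fleet: dict[str, str]) -> dict[str, list[Finding]]:
    """Return only non-compliant devices, each with its findings."""
    return {d: f for d, inv in fleet.items() if (f := evaluate_device(d, inv))}

# Constructed sample inventories (not real devices).
SAMPLE_FLEET = {
    "dev-001": "package:com.android.chrome\npackage:com.armyapps.cacscan\npackage:com.google.zxing.client.android\n",
    "dev-002": "package:com.android.chrome\npackage:com.google.zxing.client.android\n",
    "dev-003": "package:com.android.chrome\n\nnot-a-package-line\n",
}

if __name__ == "__main__":
    for device, findings in fleet_report(SAMPLE_FLEET).items():
        for f in findings:
            print(f"{device}: {f.severity.upper():8} {f.package}: {f.rationale}")
```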
For more information about how Lookout can help protect your organization from risky apps, contact us.