AppSec Europe 2018 has ended
Thursday, July 5 • 11:45am - 12:30pm
Secure Messengers and Man in The Contacts: The Ultimate Spear Phishing Weapon



In 2016, the Man in the Contacts attack (MitC, https://www.securingapps.com/blog/ManInTheContacts_CYBSEC16.pdf) was published. It consists in taking control of a smartphone's contacts through a legitimate application, then altering contact data to either
- impersonate a specific contact, or
- attempt to intercept communications by relaying messages through an additional device.
Despite sandboxing on most mobile platforms, contacts are shared between all applications and can be modified by any of them that holds sufficient permissions.

Building on what was presented, we built and deployed a fully functional implementation.

Packaged within a game published on Google's Play Store without any validation issues, our MitC implementation lets us fully control the users' contacts by listening to our Command and Control server.

Since most modern messaging applications implicitly trust contact data, our implementation becomes a very efficient spear phishing weapon: the user receives a message from someone they (think they) know, inside an end-to-end encrypted (E2E) channel, and are therefore highly confident in it. E2E also blinds messaging servers, which can no longer perform content filtering, making it easy to deliver malicious links.
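The abstract's point is that a messenger displays whatever name the address book maps a number to, so an edit to that mapping is the whole attack. The following is an added example (not the talk's tool or code): it assumes the address book can be exported as a list of `{"name", "numbers"}` records (a constructed format) and diffs two snapshots to flag the two edits MitC relies on, a known name gaining a new number and a number being moved to a different name.

```python
from dataclasses import dataclass

# Added example (not the talk's tool). It assumes the address book can be
# exported as a list of {"name": str, "numbers": [str]} records (constructed format).
@dataclass(frozen=True)
class Finding:
    kind: str    # "number_changed" | "number_reassigned"
    name: str
    detail: str

def normalize(number: str) -> str:
    """Strip formatting so '+41 79 123 45 67' and '+41791234567' compare equal."""
    return "".join(ch for ch in number if ch.isdigit() or ch == "+")

def index_by_name(snapshot):
    """Map display name -> set of normalized numbers."""
    return {c["name"]: {normalize(n) for n in c["numbers"]} for c in snapshot}

def index_by_number(snapshot):
    """Map normalized number -> display name it was filed under."""
    return {normalize(n): c["name"] for c in snapshot for n in c["numbers"]}

def detect_contact_tampering(baseline, current):
    """Diff two address-book snapshots and flag the edits a MitC attack relies on."""
    findings = []
    base_names, base_nums = index_by_name(baseline), index_by_number(baseline)
    for name, numbers in index_by_name(current).items():
        for n in sorted(numbers - base_names.get(name, set())):
            if name in base_names:
                # A familiar display name now resolves to a number it never had, so a
                # message from that number is shown to the user under a trusted name.
                findings.append(Finding("number_changed", name, f"new number {n}"))
            if n in base_nums and base_nums[n] != name:
                # A number previously filed under another contact now appears here,
                # so that person's messages will be attributed to the wrong name.
                findings.append(Finding("number_reassigned", name, f"{n} was {base_nums[n]!r}"))
    return findings

# Constructed sample snapshots (not real data): a foreign number was added under
# "Alice", and Bob's number was moved to a new contact "Carol".
BASELINE = [
    {"name": "Alice", "numbers": ["+41 79 123 45 67"]},
    {"name": "Bob", "numbers": ["+41 79 765 43 21"]},
]
CURRENT_BOOK = [
    {"name": "Alice", "numbers": ["+41 79 123 45 67", "+41 79 000 00 00"]},
    {"name": "Bob", "numbers": []},
    {"name": "Carol", "numbers": ["+41 79 765 43 21"]},
]
```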

Presentation Outline:
* Wrap up of Man In The Contacts attack
* Feedback from WhatsApp, Telegram and Signal: won't fix
* Implementing Man In The Contacts in practice
- Android game: social version of Rock, Paper, Scissors
- Command And Control server
- Web interface
* The spear phishing use case
* Live demonstration with volunteers from the audience
* Open sourcing the tool
* Possible mitigations 

Speakers

Laureline David

Freelance consultant, Self-Employed
Freelance Consultant, HEIG-VD Graduate (Security Engineering)

Jeremy Matos

Software Security Expert, Securing Apps
Jeremy Matos has been working in building secure software for more than 12 years. With an initial academic background as a developer, he designed and helped implement a breakthrough mobile two-factor authentication solution. He led code reviews and security validation activities...


Thursday July 5, 2018 11:45am - 12:30pm BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE
  Hacker