At SB Hacks last weekend, we built Take Charge, a device that could be disguised as a standard USB charger, but secretly hides a way to install a data-mining application on unsuspecting users’ phones.
We do this by taking advantage of the implicit trust that a user has in an innocent-looking phone charger and the trust that Android blindly gives to USB input devices. Take Charge emulates a normal USB keyboard, that is programmed to rapidly navigate through the Android settings menus to enable debugging and allow unknown sources, and then download our payload apk onto the device and install it on behalf of the user, granting an alarming number of permissions in a matter of seconds.
We use our emulated keyboard to unlock the device (doesn’t work if the user has a passcode, but things like Smart Unlock would still allow us to unlock the phone) after first waiting a few seconds so that the user isn’t looking at their phone to see what’s about to happen. We take advantage of the fact that the stock Android launcher allows you to run a search query by just typing text anywhere on the homescreen, so we search for “Settings”, and open the Settings app, enable unknown sources, then go download our data-mining APK from the internet, and install it using our full keyboard access. Then we go back to Settings and give Take Charge full access to notifications, so we can monitor all notifications that the user receives and upload them to our web dashboard in the background.
We achieved this by using an Arduino Uno that is acting as a USB HID device by flashing an alternative firmware on the microcontroller that controls the Uno’s USB port as described here.
Our web interface + Arduino code is available on GitHub.
Disclaimer: Take Charge is a proof of concept of a payload delivery system and a reminder to users to be more security conscious - Take Charge was never intended to be exploited.