The Severe Flaw Found in Certain File Locker Apps
Figure 1. File name of images before and after the “hide” function is performed

The application creates a file located in sdcard/.hermit/.hermit_restore.hider as an index. Both the index and the “hidden” files are stored on the SD card and are world-readable, meaning any application on the system can read them. In fact, these “hidden” files can be browsed with an ordinary file explorer. Malicious apps and users could also use /.hermit_restore.hider as a clue to find and read the so-called hidden files.
Figure 2. Contents of ".hermit_restore.hider"

Hidden Files in a Readable Database

File Locker “hides” a user’s files by moving them to the fixed folder /sdcard/.MySecurityData/dont_remove/. Unfortunately, the locations of both the hidden files and the original files are stored in a SQLite3 database. Both the database and the hidden files are located on the SD card, and they are world-readable.

“Secure” Wallet for Banking Information

Folder Lock, meanwhile, tries to distinguish itself from other applications by offering a secured “wallet” for information such as credit card numbers, passwords, and other banking- or business-related information. Analysis shows that rather than being encrypted, the data in the “wallet” is stored in cleartext in a world-readable path. Other “hidden” files are stored in fixed-path folders without any encryption.
Figure 3. Sample data in the “wallet” function
Figure 4. Sample data is stored in cleartext

Encryption Without Protection

The App Lock app we analyzed actually does what it advertises—it encrypts files. But does this mean a user’s files are safe? As it turns out, they aren’t. The application encrypts files using a fixed algorithm of its own design. Unfortunately, cybercriminals can easily reimplement the decryption routine by decompiling the .APK file. This means that there really is no difference between the encrypted data and data stored in cleartext.
Figure 5. Files are locked with the sample password "123"
Figure 6. The decrypted locked files with the password displayed
It's worth noting that the use of passwords is pretty moot for this app. The set password is simply encrypted and saved in the last block of each encrypted file. In short, the password is treated as just another file to be stored. Once the files are decrypted, both the files and the passwords are revealed. Ideally, the password would prevent other people from accessing the files, even if they know the decryption process.

Protecting Your Data

Of course, the initial issue here is the fact that these apps don’t work as they claim. However, the bigger issue is that files are potentially at risk of data theft or leakage. One common detail we’ve noticed with these apps is that the data can be accessed by other apps and accounts. This means that even non-malicious apps can access these files. The issue is further compounded by the fact that these apps are very popular. One app alone has reached the 50 million download mark, while others have also reached millions of downloads.

Users must be discerning when downloading apps. App reviews can help a person check whether an app truly works as it claims. For apps concerning security, it's best to download apps from known security vendors. But more than selecting the right apps, perhaps another way of securing data is to remember that apps are not the end-all, be-all solution to protecting your privacy. Users should employ other privacy features and solutions to protect their data from prying eyes. For example, they could store their files and make back-up copies in a different, secure location via Trend Micro™ Safe Sync™.

Another way to protect sensitive data is to actually limit the amount of data stored on mobile devices. Given the amount and variety of activities performed on mobile devices, it seems unavoidable to store some form of sensitive data. However, keeping the amount of stored data to the barest minimum will make it easier for users to keep track of it. After all, it's easier to keep track of data stored in five apps than in, say, twenty apps. Less data could mean fewer privacy problems.
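To make the point of the “Encryption Without Protection” section concrete, here is an added example in Python (not code from the article or from any of the apps it analyzes): a toy locker modelled on the flaw described, where the key is a constant baked into the app and the password is appended as the last block of every file, beside a hardened design that derives the key from the password and never stores the password itself. The HMAC-based keystream, the constant names and the sample data are constructed for illustration.

```python
import os
import hmac
import hashlib

# Toy PRF-based stream cipher (HMAC-SHA256 in counter mode) shared by both
# designs below. Illustrative only: not the analyzed app's algorithm.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Weak design, modelled on the article: key and nonce are constants baked
# into the app (recoverable by decompiling the APK) and the user's password
# is appended as the final 16-byte block of every locked file.
APP_KEY = b"constructed-constant-from-apk"   # placeholder, not a real value
APP_NONCE = b"fixed-nonce"
def weak_lock(data: bytes, password: bytes) -> bytes:
    plain = data + password[:16].ljust(16, b"\0")   # password is the last block
    return _xor(plain, _keystream(APP_KEY, APP_NONCE, len(plain)))

def weak_unlock_without_password(blob: bytes) -> tuple:
    # No password needed: algorithm + APP_KEY decrypt every file, and the last block hands over the password too.
    plain = _xor(blob, _keystream(APP_KEY, APP_NONCE, len(blob)))
    return plain[:-16], plain[-16:].rstrip(b"\0")

# Hardened design: key derived from the password with a fresh random salt,
# password never written to the file, HMAC tag rejects a wrong password or
# a tampered file. Knowing the algorithm alone no longer yields plaintext.
def _derive_keys(password: bytes, salt: bytes) -> tuple:
    keys = hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, dklen=64)
    return keys[:32], keys[32:]   # separate encryption and MAC keys
def lock(data: bytes, password: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = _xor(data, _keystream(enc_key, nonce, len(data)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unlock(blob: bytes, password: bytes) -> bytes:
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or tampered file")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))
```

With the weak design, `weak_unlock_without_password` recovers both the file and the password “123” from the locked blob alone; with the hardened design, `unlock` succeeds only for the correct password and raises `ValueError` for any other.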