Were Sky’s Android apps *really* hacked and replaced by the Syrian Electronic Army?

It appears that the notorious Syrian Electronic Army hacking group have claimed yet another scalp.

The news broke after Sky’s official support account (@SkyHelpTeam) tweeted a series of messages telling users to uninstall the Android versions of their Sky News and Sky+ apps.

Sky tweet

Furthermore, the group shared screenshots with journalists of what appeared to be the Google Play developer account for Sky’s apps, complete with the logo of the Syrian Electronic Army and the message “Syrian Electronic Army was here”.

Syrian Electronic Army was here

I’m not saying that a hack didn’t occur, but I would urge people to be a little cautious (considering the SEA’s habit of hacking the Twitter accounts of media organisations) about trusting the messages sent out via @SkyHelpTeam.

Notice, for instance, that the tweets from @SkyHelpTeam have been sent via Twitter.com’s web user interface, whereas the account normally supports users via “Lithium Social Web”.

Comparison of tweets

Furthermore, there is no official mention that I could find about the Android app problem on Sky’s Help Forum.

It seems strange that Sky’s support team would tweet a warning to users about their apps, but provide no link to where further information will be provided.

And let’s take a closer look at the wording of that warning:

“please remove the apps if you are already installed it

Was that written by someone who isn’t a native English speaker?

I’m not saying that Sky didn’t have its Google Play account hacked, or that the entries for its Android apps were not defaced. At the time of writing, many Sky Android apps are unavailable to access via Google Play which indicates that something unusual has happened. Frustratingly, that also means that they cannot be downloaded to check for signs of malware or tampering.

But we should retain a healthy skepticism about implicitly trusting warnings that have only been shared via Twitter, especially when the reported attack relates to a group with a history of hacking the Twitter accounts of media organisations.

Sky, if you were hacked, please post an official statement and a link to an advisory telling users of your Android apps what they should do on your support forum.

Meanwhile, users might be wise to uninstall the questionable Android apps until clearer official guidance is available from Sky.

Update: Looks like my hunch was right. CNET UK is quoting a Sky spokesperson who has confirmed that its Twitter account was hacked.

“The Sky Help Team’s Twitter account has been compromised, and the tweet that states customers should uninstall their apps is not guidance from Sky. We are currently investigating the situation. We will provide a further update when we have more information.”

It’s just a shame that Sky has taken over 12 hours to say this…

Update 2: More details can be read in this report from Pocket Lint.

I think it’s worth saying again: Stop trusting warnings that have only been shared via Twitter, especially when the reported attack relates to a group with a history of hacking the Twitter accounts of media organisations.

Tags: , , , ,


, , , ,

18 Responses

  1. Paul May 26, 2013 at 9:57 am #

    Graham, Sky looks like it's try to cover this up as post's asking about the hack on Sky FaceBook page are being deleted, nothing on sky news website or sky home page, emailed sky news asking why nothing on there only to be told £Sorry we don't know what you are talking about" lol, So it's Sky being Sky and sticking their heads in the sand.

  2. Hahaha48 May 26, 2013 at 12:32 pm #

    Yes the apps were defintely hacked, app description on Google Play was "Syrian Electronic Army was here" and ther was an update on 2013/5/25

    • Graham Cluley
      Graham Cluley May 26, 2013 at 2:17 pm #

      An app description changing on Google Play suggests that Sky's Google Play account was compromised.

      It does not, in itself, suggest that the apps themselves were tampered with and reuploaded.

      Unfortunately the relevant Google Play pages have now been removed – presumably while Sky tries to get a handle on the situation.

  3. Allan May 26, 2013 at 12:56 pm #

    I work for sky and this is pretty typical. Every one running around like headless chickens and the public know nothing. Same thingwith the email fiasco

    • Graham Cluley
      Graham Cluley May 26, 2013 at 2:15 pm #

      "Colin was here"

      http://grahamcluley.com/2013/05/colin-was-here-sky-news-having-some-trouble-with-its-twitter-account/

    • liz727 May 26, 2013 at 8:44 pm #

      Aha! Allan, I'm glad you said that, has that bloody email thing been sorted out yet? You're right, utter fiasco, what were Sky thinking switching to Yahoo-virus-ridden-mail of all things? I don't trust it now, never will again. Not at all getting at you – must have been as much a nightmare for staff as for clients – just it was SO bad, I'm still venting! All my best.

  4. Ben May 26, 2013 at 1:07 pm #

    Sky was definitely hacked, take a look at the apps linked their tweets, the first actually links to a page where you can install their Sky News app (even though this is hidden in the Play Store). While it is possible their Sky Help twitter was also hacked, this was probably just to attract more attention about their app's which have been hacked.

    Now as a security researcher, if you could download this app: https://play.google.com/store/apps/details?id=com.bskyb.skynews.android&hl=en
    and research if any changes have been made or if there are any viruses in it, that would be great :)

  5. David Ace May 26, 2013 at 1:28 pm #

    The evidence it is real is on the Play Store, so ironically it's this article that cannot be trusted.

    • Graham Cluley
      Graham Cluley May 26, 2013 at 2:09 pm #

      Sky hasn’t posted any updates to its support Twitter account since the wee small hours of the morning.

      Seems strange doesn’t it? Maybe they don’t have control of that account…

      Has anyone managed to get hold of an allegedly hacked Android app from Sky? Or are they just assuming the apps were hacked and replaced because Sky’s Twitter account said they were. I’m not saying that Sky’s Google Play account wasn’t hijacked, and that entries may have been defaced, but that’s somewhat different from apps being hacked.

      Indeed, Sky doesn’t seem to have confirmed that the apps were hacked either.

      On Facebook, Sky support staff are saying:

      “Sky Android apps are not currently available for download from Google Play. We are working to restore them. Further updates to follow.”

      They’re right – the apps are unavailable. But note no confirmation that they were hacked and replaced with dodgy versions by the Syrian Electronic Army.

      The truth is, no-one is sure at the moment. That’s why it’s wisest not to use Sky’s Android apps until we hear a proper confirmation of what has happened from the company.

  6. stewgreen May 26, 2013 at 6:18 pm #

    - I tend to believe Graham Cluley is exactly right and the rest of the Idiot twittersphere who don't check facts before inciting panic by tweeting an instruction to remove apps , before any PROPER confirmation from Sky (except for the hacked twitter account)
    – If you look you see that since Saturday night tSky have been using a new twitter account
    @SkyHelpTeam1
    – But Sky are real idiots for issuing any info at all up to now

  7. alex May 26, 2013 at 7:18 pm #

    If the apps were hacked and replaced, the source code would have had to have been changed, the permissions required to be authorised by the end-user are likely to have been changed, and the end-user would have had to approved a upgrade saying something like "read emails", "read text messages" (or whatever).

    I would think it would have been obvious

  8. Callum May 26, 2013 at 8:49 pm #

    I am starting to wonder.

    Saw on CNET that the twitter has been confirmed as hacked by Sky spokesperson.

    Also seems to be the case that the APK files weren't modified.

    With the twitter account being hacked, there seems to be lacking the usual messages from SEA.

    I wonder if twitter have changed policy to block all posts from a compromised account or introduced suspicious activity policy?

    • Graham Cluley
      Graham Cluley May 26, 2013 at 9:23 pm #

      Thanks – I've added a link to the CNET article at the bottom of my post.

      Seems my hunch was right.

  9. stewgreen May 27, 2013 at 9:12 am #

    I was unbelievable Graham Cluley BEAT 95% of the Twitterphere(and REAL news orgs like ITV)
    – Some one posted on our BBC Click Radio FB Group – so I checked and found Sky and GooglePlay had no news about the event STRANGE .. A couple of Google minutes and I was your article
    – "yep what this guy is saying makes much more sense"
    I tested – "not hacked" sky – on Googled Googled News etc nothing except 1 other person on Twitter saying an App Hack was V UNLIKELY.. but I still thought you were right
    WELL DONE Graham

    • Graham Cluley
      Graham Cluley May 27, 2013 at 9:43 am #

      Thanks Stew.

      Hopefully some media outlets will recognise they screwed up over this story, learned their lesson, and will be more careful in future.

      Everyone should be careful about believing (and sharing!) news about the Syrian Electronic Army when the only source is Twitter.

  10. stewgreen May 27, 2013 at 9:45 am #

    G says :"Stop trusting Twitter warnings .."
    I say : Stop being dumb & believing ANYTHING without evidence
    – & the rule is : Extraordinary claims * need Extraordinary proof
    – (& it's disgraceful the way news media have left the news stories up on the web with hyping headlines ..and just put a little note at the bottom with the correction )

  11. djh May 28, 2013 at 12:49 pm #

    With a robust applications security policy Sky would not have been vulnerable to this type of attack!

    http://webdiary.com/2013/05/28/appsecurity/

Leave a Reply