DroidSheep'; an Android application that allows you to impersonate identities on Facebook or Twitter

'DroidSheep' is a free application for jailbroken (rooted) Android smartphones, which is currently freely downloadable on the web and allows users to intercept passwords from well-known sites, such as Facebook or Twitter. Its developer assures that the intention of the application is not to allow identity theft but to bring out the weak points of the main web services.

If we use our smartphone, or even our laptop, to access services such as Facebook, Twitter or Google, the user who has 'DroidSheeo' installed and is intercepting network communications, will be able to access, supplanting our identity, any of these social networks or Web services.

According to Communication Director of Ontinet.com (exclusive distributor for Spain of ESET security solutions), Josep Albors, "the problem with this type of application is that it is transparent to the end user, who in most cases will be affected without realizing it". In this way, the problem is not only the theft of passwords, "but that in our name they can use social networks by supplanting our identity".

Despite the possibilities of 'DroidSheep', its developer assures on the application's web page that "it is not made to steal identities" but rather to give a warning, since "it will show the weak points of the security of big websites like Facebook. "Please, always be careful what you do", warns the creator of the 'app' before assuring that "it is not responsible for any damage that may be caused by the use of this application".

These types of applications are not new (last November Ontinet.com denounced Firesheep, designed for the same purpose, but as a Firefox extension). However, the main novelty is the platform for which it has been developed, as well as the focus on password theft that its developers adopt.

"The problem lies not so much in the existence of this application, since it only simplifies what others have already been doing, but rather in the insecurity that most services show by default through the web, which we use on a daily basis, by not request some type of encryption when connecting," adds Albors.

From the Ontinet.com laboratory, ESET's exclusive distributor for Spain, the need to take extreme precautions when connecting to unreliable Wi-Fi networks and to always try to use networks, sites or web services with security is insisted on. SSL, as well as having security solutions on connected devices.

The number of threats to Android devices is on the rise. Proof of this is the appearance of this new application for unlocked or rooted Android smartphones, which can currently be downloaded freely on the Internet, and which allows users to steal passwords from sites such as Facebook, Twitter or Google.

According to ESET, the user who has DroidSheep installed and is intercepting network communications from a third party who is using their smartphone or laptop to access known websites, will have visibility of all their passwords and will be able to access, impersonating their identity, any of these social networks or web services. As Josep Albors, director of communication at Ontinet.com, says, "the problem is not only the theft of passwords, but also that they can use social networks on our behalf, supplanting our identity."

These types of applications, which are transparent to the end user, so that in most cases they will be affected without realizing it, are not new, since a similar application called Firesheep emerged as a Firefox extension last year. What is new is that it has been developed for Android and with password theft as its objective, which for Albors reveals "the insecurity that most web services demonstrate by default, which we use on a daily basis, by not requesting some kind of encryption when connecting”.

To avoid being victims of applications such as DroidSheep, Ontinet.com insists on the need to take extreme precautions when connecting to WiFi networks and to always try to use networks, sites or web services with SSL security, as well as to have security solutions on connected devices.