US Army Warns Against Usage of Mysterious CAC Scan Android App

Exterminator

On May 25, the US Department of Defense (DoD) issued a public advisory to its personnel, warning against the usage of the CAC Scan Android app, available at that time on the Google Play Store.

CAC stands for Common Access Card and describes the standard ID card for all DoD military and civilian personnel, selected reserves, and some contractors.

The CAC Scan app, as advertised on its Google Play Store description, is a simple app that scans the barcode found on these cards and outputs the encoded information on the phone's screen.

This includes the cardholder's first and last name, rank, EDIPI ID, and Social Security number.

The app works and contains no malicious code... but...
The DoD says the app works as advertised and that it was created by a US citizen with ties to the US Army. The DoD also warns:
When you scan your (or someone else’s) CAC, where else does the data go; i.e., who else gets a copy of the results? Why would you need this app? You already know your personal info on your CAC… whose info are you trying to obtain and why?

Security firm Lookout says they analyzed the app but didn't find any malicious behavior inside its code. The app was quite simplistic, but despite not containing any covert code, they said that they identified a potential attack vector.

Exposure to collusion attacks
When users want to scan a CAC code, CAC Scan loads a third-party app that's installed as a separate application on the user's smartphone. The app, called Barcode Scanner, is a very popular app and has been vetted by multiple security firms as clean.

Lookout identified that Barcode Scanner keeps a history of all the barcodes it scans. A potential attacker that queries for the list of installed apps and finds CAC Scan would automatically know it can search through Barcode Scanner's history to uncover data on CAC cards. This is a classic app collusion attack scenario.

While the DoD was only warning against the app because of potential privacy issues, Lookout has managed to identify attack scenarios through which the app could lead to a compromise of US military personnel data.

The app is not available on the Google Play Store anymore, but it's unknown if it was Google or the developer that took it down.
 
