National Lottery fails to set a good security example to Android users

It's a huge weekend for the UK's National Lottery - with a jackpot of almost £60 million up for grabs in what's set to be the biggest payout since the Lotto began 21 years ago.

Chances are that many people will be buying tickets, and many of them may be tempted to install a National Lottery smartphone app.

Well, wait just a second... because James Maude, a security researcher at Avecto, has been in touch with me raising some concerns about the National Lottery's official Android app. Not because he has found any vulnerabilities or privacy concerns in its code, but rather because of the way in which the National Lottery is distributing it.

You see, the official Android Google Play store doesn't allow gambling and lottery apps that offer real cash prizes, so the National Lottery can't get into the official app store.

Instead, in order to play the National Lottery on your Android you need to make a change to your smartphone's settings - allowing apps to be installed from unknown sources.

And nowhere in its installation walkthrough does the National Lottery warn of the risks associated with installing apps from outside the Google Play store.

That certainly does seem like an unfortunate omission.

But, James argues, the plot thickens when you consider how the National Lottery is telling desktop users to download the app onto their Android mobile phone, by scanning a QR code.

James takes up the story:

The QR code contains a 3rd party url (http://q-r.to/baavbx) powered by www.qr-code-generator.com. This then sends the mobile device back to the Lottery site triggering the APK file to be downloaded from an AWS instance.

As I see it there are a few issues here:

  • This is an app that expects to receive users' personal and financial information.
  • The National Lottery does not warn users about the dangers of enabling side loading apps, the most common attack vector on Android.
  • The redirect is external and uses http - so it doesn't authenticate so a malicious hacker could use a man-in-the-middle attack to swap out the app for something nasty.
  • The National Lottery is telling users to disable part of Android's built-in security and trust an APK based on a name.
  • They are relying on a third-party not being compromised, or the lottery's user account with the QR code generator site not being abused.

Aside from the concerns about the QR code and its third-party redirect, I would never recommend that a typical Android user turns off a key part of Android's defence against malicious apps.
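The redirect chain James describes can be audited hop by hop before anyone trusts what it delivers. The sketch below is an added example, not code from the article, Avecto or the National Lottery; only the q-r.to URL comes from the page, while the other hosts, the trusted-domain list and the function names are constructed placeholders.

```python
from urllib.parse import urlsplit


def is_first_party(host, trusted_domains):
    """True if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    # Match on a dot boundary so "evil-lottery.example" is not accepted.
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def audit_redirect_chain(chain, trusted_domains):
    """Return (hop_index, issue) findings for an ordered list of URLs."""
    findings = []
    prev_scheme = None
    for i, url in enumerate(chain):
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        if scheme != "https":
            # No server authentication: an on-path attacker can rewrite
            # the response, including the Location header of a redirect.
            findings.append((i, "plaintext"))
        if prev_scheme == "https" and scheme != "https":
            findings.append((i, "downgrade"))
        if not is_first_party(parts.hostname, trusted_domains):
            # The publisher depends on someone else's account and servers.
            findings.append((i, "third-party"))
        if parts.path.lower().endswith(".apk") and scheme != "https":
            findings.append((i, "unauthenticated-apk"))
        prev_scheme = scheme
    return findings


# Hypothetical allow-list; the real first-party domain is not on the page.
TRUSTED = {"lottery.example"}

# Constructed chain. Hop 0 is the URL quoted in the article; hops 1 and 2
# are placeholders, and their schemes and hosts are assumptions.
CHAIN = [
    "http://q-r.to/baavbx",
    "https://lottery.example/mobile/android",
    "https://apk-bucket.storage.example/lottery.apk",
]

if __name__ == "__main__":
    for hop, issue in audit_redirect_chain(CHAIN, TRUSTED):
        print(f"hop {hop}: {issue:<12} {CHAIN[hop]}")
```
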

In a nutshell, The National Lottery expects you to lower your Android phone's security if you want to buy Lotto tickets with its app. Is that a gamble you really want to take?

If you really want to be in with a chance of winning a fortune in the National Lottery, you might be wiser visiting their website via a regular web browser (use a VPN if you are worried that your internet traffic may not be properly secured, and run an up-to-date anti-virus to reduce the threat of spyware snooping upon your activities).

Recent news of more malware being found in the Android Google Play store shouldn't weaken the truth that confining yourself to apps from the official store is still a lot safer than allowing apps from any old website to run on your Android smartphone.

7 Responses

  1. Alan Robertson

    January 8, 2016 at 7:19 pm #

    Hello Graham, good article but it really depends on the way you use Android. If you don't know what you are doing then just stick to Google Play but if you are a little more tech savvy then side loading apps can be particularly useful. F-Droid has useful apps which they compile themselves and I mostly trust them (as much as Google Play). If Android removed the ability to side load then you would effectively end up with Apple's app store approach, which let's face it, still had malware within some of the apps. Worse still, as it is all locked down it makes checking for unwanted code harder to do (Volkswagen emissions test anyone? Oh wait, the EULA says no reverse engineering…)

    Apps such as Adblock Plus aren't available on Google Play but it works really well and is available at F-Droid. Similarly anything from the Guardian project can be reasonably trusted – Chat Secure, Orbot, Note Cipher etc. Would you prefer to download these from them or from Google Play where they could have been "modified" by various security services? Personally I would prefer the original source with a hashed checksum.

    Lastly a decent firewall can prevent app chatter over your wifi / phone operator network. I mean do you really want Android's keyboard function or the clock or calculator having access to the internet? They don't need access and if you apply this same common sense approach about other apps on the phone / tablet then you can minimise security risks. It not only reduces risk but also saves in unnecessary data usage on your phone which saves you money.

    However, in the case of the National Lottery, financial details, QR codes, redirects etc. Absolutely No Way! Just use your brain and a healthy dose of skepticism. What would happen if….

    • Jennifer King in reply to Alan Robertson.

      February 6, 2016 at 2:16 am #

      I just got a message asking me why I haven't claimed my $500,000.00 lottery money from the "SMARTPHONE LOTTERY.. . He gave me a REF# , BATCH# , and a GRANT#…. HE SAID I WAS ONE OF THE 10 LUCKY WINNERS FROM THE SMARTPHONE TECHNOLOGY LOTTERY PROMO. IS THIS A SCAM R WHAT. CAN ANYONE TELL ME?????

  2. Bob

    January 8, 2016 at 9:37 pm #

    I'm not sure I understand the advice: "use a VPN if you are worried that your internet traffic may not be properly secured".

    I appreciate the benefits of a VPN but, if you're concerned over the security of your traffic, then surely the ISP (or the party you have concerns over) can just MITM the VPN before it ever connects and you'd be none the wiser.

    VPNs have a very limited application and I don't think it's suited to this scenario.

  3. Jamie

    January 9, 2016 at 10:49 am #

    The 3rd party app process is a common security feature, Windows invokes the UAC while OS X has its Gatekeeper which you have to bypass to run other apps. Amazon needs you to do the same to install apps to an Android device, you just re-enable the security after installing the app you want to install. Also install actual security for your device to scan packages before installation.

    • coyote in reply to Jamie.

      January 10, 2016 at 7:46 pm #

      I'm afraid it isn't that simple and you're mistaken.

      It is of course a feature but they are ignoring all safe computing practises and even worse (much worse!) is they are *encouraging* it and making it seem as if it's a good idea (and it isn't!)! Sort of like Fiat Chrysler encouraging people to (quite stupidly) use USB sticks sent in the post.

      By the way, I seem to recall that Microsoft eventually told the truth about UAC – that it isn't about security; and indeed, the way it went about its methods, it actually had the chance to *weaken* security because it became the same old thing, and just like licenses and similar, they aren't read – even if you have to scroll to the bottom most don't read it (and in these cases it is legalese which isn't exactly a coherent language by design). I can't recall the term, but it is basically where you click OK (or whatever) repeatedly without looking or even caring about the message. That isn't security; that is *insecurity* and it is *exactly* what the UAC did/does/etc.

      Privilege separation, on the other hand, is a good idea but it isn't as fine-grained in Windows as it is in e.g. Unix (or any of its derivatives).

      Also, you do realise that Gatekeeper was bypassed, right ? Graham reported on this a while back … believe it was last year, on intego.com .. ah, actually it was indeed last year: https://www.intego.com/mac-security-blog/researcher-demonstrates-how-malware-can-bypass-os-xs-completely-broken-gatekeeper/

  4. David L

    January 11, 2016 at 12:02 pm #

    My biggest concern would be, that because the app is only available from outside sources, people could easily be led to fake websites and the app compromised in numerous ways. These days, the bad guys are repackaging apps that even root Android devices that then can withstand a factory reset to persist. Then, they completely own said devices.
    I'm not sure if there is a way to implement the lottery app that removes all the potential problems. Perhaps making people go to a lotto outlet to get the download from an authorized dealer would act like an app store without the internet vulnerabilities?

  5. Aaron

    February 14, 2017 at 8:59 pm #

    Installing "The National Lottery" app from 'allegedly' Google Play has managed to render my phone un-bootable. This happened after I gave it no permissions to continue. A really nasty piece of programming. Thanks Camelot NOT!
