Smartphone Security Faces Big Problem

Monday, February 27, 2012 @ 01:02 PM gHale

There is a vulnerability in smartphones that lets an attacker take over the device, record its calls, pinpoint its location and access user texts and emails.

Dmitri Alperovitch, the former McAfee cyber security researcher best known for identifying a widespread China-based cyber espionage operation he dubbed “Shady Rat,” used a previously unknown hole in smartphone browsers to deliver an existing piece of China-based malware. He conducted the experiment on a phone running Google’s Android operating system, although he says Apple’s iPhones are equally vulnerable.


“It’s a much more powerful attack vector than just getting into someone’s computer,” said Alperovitch, who just formed a new security company, called CrowdStrike, with former McAfee chief technology officer George Kurtz.

Alperovitch, who has consulted with the U.S. intelligence community, will demonstrate his findings Feb. 29 at the RSA conference in San Francisco, an annual cyber security gathering. The Shady Rat attack he disclosed last year targeted 72 government and corporate entities for as long as five years, siphoning off unknown volumes of confidential material to a server in China.

Alperovitch said he and his team commandeered an existing piece of malware called Nickispy, a remote access tool emanating from China identified last year by anti-virus firms as a Trojan Horse. The malware looked like a Google+ app that users could download. But Google quickly removed it from its Android Market app store, which meant that few users suffered a hit.

Alperovitch and his team reverse engineered the malware, he said, and took control of it. He then conducted an experiment in which the malware was delivered through a classic “spear phishing” attack — in this case, a text message from what looks like a mobile phone carrier, asking the user to click on a link. Alperovitch said he exploited a zero-day vulnerability in smartphone browsers to secretly install the malware.

“The minute you go to the site, it will download a real-life Chinese remote access tool to your phone,” he said. “The user will not see anything. Once the app is installed, we’ll be intercepting voice calls. The microphone activates the moment you start dialing.”

The malware also intercepts texts and emails and tracks the phone’s location, he said. In theory, it could infiltrate a corporate network with which the phone connects. There is no security software that would thwart it, he said.

As smartphone use has exploded, malware has not been as much of a problem as it has with laptops and desktops, Alperovitch said, because most people download applications through app stores regulated by Google and Apple. If cyber thieves and spies figure out a way to get malware on the devices by bypassing the app store, as Alperovitch demonstrated, it could cause huge problems.

“This really showcases that the current security model for smartphones is inadequate,” he said.
