SAN FRANCISCO -- Malware tools that allow attackers to gain complete remote control of smartphones have become a serious threat to users around the world, security researchers say.
In a demonstration at the RSA Conference 2012 here Wednesday, former McAfee executives George Kurtz and Dmitri Alperovitch, who recently founded security firm CrowdStrike, installed a remote access tool on an Android 2.2-powered smartphone by taking advantage of an unpatched flaw in WebKit, the default browser in the OS.
The researchers showed an overflow audience how the malware can be delivered on a smartphone via an innocuous looking SMS message and then be used to intercept and record phone conversations, capture video, steal text messages, track dialed numbers and pinpoint a user's physical location.
The tools used in the attack were obtained from easily available underground sources, Kurtz said. The WebKit bug, for instance, was one of 20 tools purchased from hackers for a collective $1,400.
The remote access Trojan used in the attack was a modified version of Nickispy a well-known Chinese malware tool.
Learning how to exploit the WebKit vulnerability and to modify the Trojan for the attack, was harder than expected, said Kurtz. He estimated that CrowdStrike spent about $14,000 in all to develop the attack.
But the key issue is that similar attacks are possible against any smartphone, not just those running Android, he said.
WebKit for instance, is widely used as a default browser in other mobile operating systems including Apple's iOS and the BlackBerry Tablet OS. WebKit is also is used in Apple's Safari and Google's Chrome browsers.
Given the kind of data that hackers will be able to steal from mobile devices, it's safe to assume that many are already looking for ways to "weaponize" vulnerabilities in WebKit to launch attacks on smartphones, the researchers noted.
Several mobile remote access Trojans are already openly available from companies pitching them as tools that can be used to surreptitiously keep tabs on others.
For example, many commercially available mobile Trojan programs are marketed to jealous or suspicious lovers, he said. And tricking mobile uses to install malware on their phones isn't difficult, he said.
In the demonstration for example, Kurtz and Alperovitch used an SMS message that appeared to come from the wireless service provider asking the user to install an important update. Clicking on the link the message caused the Trojan to be downloaded on the phone.
Just as happened with PCs, mobile Trojans are going to proliferate, Kurtz said.
Therefore, mobile users must start making sure they apply all patches for their smartphones, pay attention to what they download and be aware of mobile phishing attacks, he said.
"This is the dawn of a new era of mobile [remote access Trojans]," he said. They are the perfect tools to intercept calls, intercept text, emails, capture sensitive conversation and track locations."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.