'Unhackable' Android can be hacked, Black Hat researchers say
FBI details worst social networking cyber crime problemsNot only has malicious software cloaked in a wallpaper application stolen personal information from infected phones and sent it to a Web site in China, but researchers from Lookout Mobile Security have found a way to take the phones over completely - including top-of-the-line models hawked by major wireless carriers.
In one presentation, Lookout's CEO John Herring said the Jackeey Wallpaper app, which has been downloaded millions of times, can gather passwords, browser history, the subscriber ID and SIM card numbers and text messages.
In a separate presentation, researchers said top-of-the-line Android phones used by Sprint and Verizon can be taken over completely by attacking known flaws in the Linux operating system that underpins Android, researchers reported at Black Hat 2010. "It gives you root control, and you can do anything you want to do" with the phone, says Anthony Lineberry, a researcher for Lookout Mobile Security.
The company says Android's reputation for security may be exaggerated. "It survived the recent pwn2own slay fest unscathed, but this does not mean it is safe by any means," the company said in describing Lineberry's talk.
The best way to distribute malware that could exploit the flaw - known as CVE-2009 1185 - is via Android applications that customers might acquire free or buy from the Android Market. Installing the booby-trapped application would give root control of the device, Lineberry says. "Root is kind of God mode in the context of Linux. Once you have that, you have pretty much any system privilege."
CVE-2009 1185 has been known for more than a year and can be patched, but so far the carriers have not issued patches, Lineberry says. The root-control exploit has been successfully carried out in Lookout labs on EVO 4G (Sprint), Droid X (Verizon), and Droid Incredible (Verizon) as well as older models G1 and Hero, he says.
But root control is unnecessary in order to carry out the type of attack executed by Jackeey Wallpaper, according to another Lookout researcher, Tim Wyatt. Applications require permissions in order to access features of the phone, and these permissions can be exploited. So, for instance, an application that tells the customer the nearest Chinese restaurant would need access to the phones GPS capabilities.
When selling applications, developers must list all the permissions the application requires to work, and the customer must sign off on allowing those permissions. An application that sorts SMS messages but requires Internet access may seem suspicious, and customers might bail out of buying the application.
But some permissions sound innocuous, Wyatt says. Customers might not know what the permission "Import Android log" means, but approve an application that requires it because the name of the permission doesn't sound threatening. But the logs can reveal browsing histories, passwords, phone numbers and a wealth of other data, he says.
Malicious applications with Internet permissions can be crafted to send the data in the background or display innocuous Web sites to mask where the data is being sent, Wyatt says.
The best course for users is to beware the applications they buy and if they are suspicious, not to download the apps, Lineberry says.
Lookout has carried out a study it calls the App Genome project that examined Android and iPhone applications for what permissions they have and what malicious activity they might carry out with the set of permissions they have. An application might use the permissions legitimately, but in the hands of a hacker could cause mischief, the company says.
Part of the permission system in Android allows applications to tap each other's resources, so an application without permission to access the Internet might have access to an application that does and so use the Internet anyway, the researchers say.
Read more about wide area network in Network World's Wide Area Network section.
- Secretive group seeks recruits at Defcon, finds skepticism
- Hacker snoops on GSM cell phones in demo
- Free Android apps scrape personal data, send it to China
- U.S. should seek world cooperation on cyber conflict, says ex-CIA director
- 'Unhackable' Android can be hacked, Black Hat researchers say
- Update: ATM hack gives cash on demand
- BitBlaze tool boosts bug-hunting productivity 10-fold
- Apple patches Safari ahead of Black Hat talk, launches add-on gallery
- Black Hat: Most browsers can be made to give up personal data
- AT&T: We don't intend to stop Black Hat demo
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!