Remote access tools a growing threat to smartphones
At RSA confab, researchers demonstrate tools that let hackers track smartphone users
Computerworld - SAN FRANCISCO -- Malware tools that allow attackers to gain complete remote control of smartphones have become a serious threat to users around the world, security researchers say.
In a demonstration at the RSA Conference 2012 here Wednesday, former McAfee executives George Kurtz and Dmitri Alperovitch, who recently founded security firm CrowdStrike, installed a remote access tool on an Android 2.2-powered smartphone by taking advantage of an unpatched flaw in WebKit, the default browser in the OS.
The researchers showed an overflow audience how the malware can be delivered on a smartphone via an innocuous looking SMS message and then be used to intercept and record phone conversations, capture video, steal text messages, track dialed numbers and pinpoint a user's physical location.
The tools used in the attack were obtained from easily available underground sources, Kurtz said. The WebKit bug, for instance, was one of 20 tools purchased from hackers for a collective $1,400.
The remote access Trojan used in the attack was a modified version of Nickispy a well-known Chinese malware tool.
Learning how to exploit the WebKit vulnerability and to modify the Trojan for the attack, was harder than expected, said Kurtz. He estimated that CrowdStrike spent about $14,000 in all to develop the attack.
But the key issue is that similar attacks are possible against any smartphone, not just those running Android, he said.
WebKit for instance, is widely used as a default browser in other mobile operating systems including Apple's iOS and the BlackBerry Tablet OS. WebKit is also is used in Apple's Safari and Google's Chrome browsers.
Given the kind of data that hackers will be able to steal from mobile devices, it's safe to assume that many are already looking for ways to "weaponize" vulnerabilities in WebKit to launch attacks on smartphones, the researchers noted.
Several mobile remote access Trojans are already openly available from companies pitching them as tools that can be used to surreptitiously keep tabs on others.
For example, many commercially available mobile Trojan programs are marketed to jealous or suspicious lovers, he said. And tricking mobile uses to install malware on their phones isn't difficult, he said.
In the demonstration for example, Kurtz and Alperovitch used an SMS message that appeared to come from the wireless service provider asking the user to install an important update. Clicking on the link the message caused the Trojan to be downloaded on the phone.
Just as happened with PCs, mobile Trojans are going to proliferate, Kurtz said.
Therefore, mobile users must start making sure they apply all patches for their smartphones, pay attention to what they download and be aware of mobile phishing attacks, he said.
"This is the dawn of a new era of mobile [remote access Trojans]," he said. They are the perfect tools to intercept calls, intercept text, emails, capture sensitive conversation and track locations."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts