Remote access tools a growing threat to smartphones
At RSA confab, researchers demonstrate tools that let hackers track smartphone users
Computerworld - SAN FRANCISCO -- Malware tools that allow attackers to gain complete remote control of smartphones have become a serious threat to users around the world, security researchers say.
In a demonstration at the RSA Conference 2012 here Wednesday, former McAfee executives George Kurtz and Dmitri Alperovitch, who recently founded security firm CrowdStrike, installed a remote access tool on an Android 2.2-powered smartphone by taking advantage of an unpatched flaw in WebKit, the default browser in the OS.
The researchers showed an overflow audience how the malware can be delivered to a smartphone via an innocuous-looking SMS message and then be used to intercept and record phone conversations, capture video, steal text messages, track dialed numbers and pinpoint a user's physical location.
The tools used in the attack were obtained from easily available underground sources, Kurtz said. The WebKit bug, for instance, was one of 20 tools purchased from hackers for a collective $1,400.
The remote access Trojan used in the attack was a modified version of Nickispy, a well-known Chinese malware tool.
Learning how to exploit the WebKit vulnerability and to modify the Trojan for the attack was harder than expected, said Kurtz. He estimated that CrowdStrike spent about $14,000 in all to develop the attack.
But the key issue is that similar attacks are possible against any smartphone, not just those running Android, he said.
WebKit, for instance, is widely used as a default browser in other mobile operating systems, including Apple's iOS and the BlackBerry Tablet OS. WebKit is also used in Apple's Safari and Google's Chrome browsers.
Given the kind of data that hackers will be able to steal from mobile devices, it's safe to assume that many are already looking for ways to "weaponize" vulnerabilities in WebKit to launch attacks on smartphones, the researchers noted.
Several mobile remote access Trojans are already openly available from companies pitching them as tools that can be used to surreptitiously keep tabs on others.
For example, many commercially available mobile Trojan programs are marketed to jealous or suspicious lovers, he said. And tricking mobile users into installing malware on their phones isn't difficult, he added.
In the demonstration, for example, Kurtz and Alperovitch used an SMS message that appeared to come from the wireless service provider asking the user to install an important update. Clicking on the link in the message caused the Trojan to be downloaded to the phone.
Just as happened with PCs, mobile Trojans are going to proliferate, Kurtz said.
Therefore, mobile users must start making sure they apply all patches for their smartphones, pay attention to what they download and be aware of mobile phishing attacks, he said.
"This is the dawn of a new era of mobile [remote access Trojans]," he said. "They are the perfect tools to intercept calls, intercept text, emails, capture sensitive conversation and track locations."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.