A chilling demonstration to a small, packed room at the RSA security conference today showed how clicking a single bad Web link while using a phone running Google’s Android operating system could give an attacker full remote control of your phone. Once George Kurtz and colleagues from security startup CrowdStrike were done, they could record phone calls, intercept text messages, and track the hacked phone’s location at all times.
“What is ubiquitous, has a camera, a microphone, knows where you are at all times, is always on, and stores your sensitive information?” asked Kurtz. “The smart phone is the ultimate spying tool.”
Smart phones have been hacked before, but Kurtz said this was the first public demonstration of an end-to-end system able to wrest control of one remotely with just a single click on a Web link.
Targeted attacks, designed to steal intellectual property or valuable information from corporations and their executives, have become relatively common in recent years. For some time, security experts have warned that mobile devices offer a way that such attacks could become more pervasive and effective, and today’s demo lends weight to that case.
Kurtz and colleagues played out a scenario on stage that involved hacking a real, unmodified Android phone. Kurtz, playing the role of a busy investor at an industry event, received a text message claiming to be from his mobile carrier asking him to download an update to his phone’s software. When he clicked the link in that message, the phone’s browser crashed and the device rebooted. Once restarted, the device appeared unchanged, but a silent, malicious app had been installed that relayed all his phone calls and text messages to the attacker, who could also track his location on a map.
The attack was staged on a device running the 2.2 version of Google’s Android operating system, also known as Frozen Yogurt, but it made use of bugs in a component of Android’s browser that are also present in the more recent 2.3, or Gingerbread, version. Those two versions of Android account for almost 90 percent of Android devices in use today, said Kurtz. More significantly, WebKit, the browser component that was exploited, is also at the core of the Web browsers found in Apple’s iPhone and iPad devices, BlackBerry phones, and Google’s TV devices.