Though malware is not yet common on mobile phones,
experts are taking a hard look at how it could appear down the road, hoping to
find solutions before real attacks emerge.
Researchers from Rutgers University recently identified a
series of possible attacks on smart phones, including one that would grant the
attacker the ability to eavesdrop on a user. They will present these proof-of-concept
attacks tomorrow at HotMobile 2010, a conference taking place in Annapolis, MD.
Advertisement
The researchers didn’t exploit any vulnerabilities to get
it onto the phone–instead, they pre-installed a rootkit. This is a piece of
software that buries itself deep in a device’s operating system, where it can
take control of most of the software running on the machine. Though there are some
legitimate uses for rootkits, for the most part they’re a particularly nasty
type of malware.
This story is only available to subscribers.
Don’t settle for half the story.
Get paywall-free access to technology news for the here and now.
The researchers demonstrate their system on the NeoFreeRunner
phone, running the open-source software stack OpenMoko. Their
attacks used malicious text messages to give instructions to the rootkit.
Because the rootkit is able to control so much of the phone’s software, it
could hide the text messages from the legitimate user and carry out
instructions without interference.
In one attack, the researchers instructed the phone to call a specified number,
which might allow them to use the smart phone to listen in on a confidential
meeting attended by the legitimate user. They were also able to instruct the
phone to report its location to the attacker, and to drain its battery by
turning on energy-hogging features without the user’s knowledge.
The Rutgers researchers believe that smart phones will soon
need to have tools for detecting rootkits and other malicious software. This
could be a challenge, they say, because the algorithms used to search for such
software use a lot of processing power and would reduce battery life. So they
propose offloading that processing to the service provider, following the model
of cloud-based antivirus that has been gaining traction
on desktop computers.