How a Web Link Can Take Control of Your Phone

A chilling demonstration to a small, packed room at the RSA security conference today showed how clicking a single bad Web link while using a phone running Google’s Android operating system could give an attacker full remote control of your phone. Once George Kurtz and colleagues from security startup CrowdStrike were done, they could record phone calls, intercept text messages, and track the hacked phone’s location at all times.

“What is ubiquitous, has a camera, a microphone, knows where you are at all times, is always on, and stores your sensitive information?” asked Kurtz. “The smart phone is the ultimate spying tool.”

Smart phones have been hacked before, but Kurtz said this was the first public demonstration of an end-to-end system able to wrest control of one remotely with just a single click on a Web link.

Targeted attacks, designed to steal intellectual property or valuable information from corporations and their executives, have become relatively common in recent years. For some time, security experts have warned that mobile devices offer a way that such attacks could become more pervasive and effective, and today’s demo lends weight to that case.

Kurtz and colleagues played out a scenario on stage that involved hacking a real, unmodified Android phone. Kurtz, playing the role of a busy investor at an industry event, received a text message claiming to be from his mobile carrier asking him to download an update to his phone’s software. When he clicked the link in that message, the phone’s browser crashed and the device rebooted. Once restarted, the device appeared unchanged, but a silent, malicious app had been installed that relayed all his phone calls and text messages to the attacker, who could also track his location on a map.

The attack was staged on a device running the 2.2 version of Google’s Android operating system, also known as Frozen Yogurt, but it made use of bugs in a component of Android’s browser that are also present in the more recent 2.3, or Gingerbread, version. Those two versions of Android account for almost 90 percent of Android devices in use today, said Kurtz. More significantly, WebKit, the browser component that was exploited, is also at the core of the Web browsers found in Apple’s iPhone and iPad devices, BlackBerry phones, and Google’s TV devices.

The attackers spent $1,400 on the black market for the details of 14 known, but not patched, bugs in WebKit. They then devised a way to use them to gain full “root” access to a device and built a complete system that would use those powers to install a remote access tool, or RAT, app that they had seized from China-based hackers.

“Nation states like Russia and China are active in developing RATs, and if we can do [this] in a few weeks, they certainly can as well,” said Dmitri Alperovitch, CrowdStrike’s chief technology officer. The RAT in the demo was a conventional app with elevated privileges that could potentially be detected by security apps available for Android, he said, but given more time, it would be possible to use the same methodology to install very hard-to-detect “rootkit” software invisible to such tools.

Kurtz tried to end on something of a positive note, saying, “the sky’s not falling. These are very targeted attacks.”

Preventing attacks like the one demonstrated on stage requires more frequent updates to mobile operating systems, said Kurtz. However, doing that is far from easy, because wireless carriers, device manufacturers, and mobile operating system providers must all be involved. As a consequence, most mobile devices today receive updates very rarely.