Skip to Content

A chilling demonstration to a small, packed room at the RSA security conference today showed how clicking a single bad Web link while using a phone running Google’s Android operating system could give an attacker full remote control of your phone. Once George Kurtz and colleagues from security startup CrowdStrike were done, they could record phone calls, intercept text messages, and track the hacked phone’s location at all times.

“What is ubiquitous, has a camera, a microphone, knows where you are at all times, is always on, and stores your sensitive information?” asked Kurtz. “The smart phone is the ultimate spying tool.”

Smart phones have been hacked before, but Kurtz said this was the first public demonstration of an end-to-end system able to wrest control of one remotely with just a single click on a Web link.

Targeted attacks, designed to steal intellectual property or valuable information from corporations and their executives, have become relatively common in recent years. For some time, security experts have warned that mobile devices offer a way that such attacks could become more pervasive and effective, and today’s demo lends weight to that case.

Kurtz and colleagues played out a scenario on stage that involved hacking a real, unmodified Android phone. Kurtz, playing the role of a busy investor at an industry event, received a text message claiming to be from his mobile carrier asking him to download an update to his phone’s software. When he clicked the link in that message, the phone’s browser crashed and the device rebooted. Once restarted, the device appeared unchanged, but a silent, malicious app had been installed that relayed all his phone calls and text messages to the attacker, who could also track his location on a map.

The attack was staged on a device running the 2.2 version of Google’s Android operating system, also known as Frozen Yogurt, but it made use of bugs in a component of Android’s browser that are also present in the more recent 2.3, or Gingerbread, version. Those two versions of Android account for almost 90 percent of Android devices in use today, said Kurtz. More significantly, WebKit, the browser component that was exploited, is also at the core of the Web browsers found in Apple’s iPhone and iPad devices, BlackBerry phones, and Google’s TV devices.

The attackers spent $1,400 on the black market for the details of 14 known, but not patched, bugs in WebKit. They then devised a way to use them to gain full “root” access to a device and built a complete system that would use those powers to install a remote access tool, or RAT, app that they had seized from China-based hackers.

“Nation states like Russia and China are active in developing RATs, and if we can do [this] in a few weeks, they certainly can as well,” said Dmitri Alperovitch, CrowdStrike’s chief technology officer. The RAT in the demo was a conventional app with elevated privileges that could potentially be detected by security apps available for Android, he said, but given more time, it would be possible to use the same methodology to install very hard-to-detect “rootkit” software invisible to such tools.

Kurtz tried to end on something of a positive note, saying, “the sky’s not falling. These are very targeted attacks.”

Preventing attacks like the one demonstrated on stage requires more frequent updates to mobile operating systems, said Kurtz. However, doing that is far from easy, because wireless carriers, device manufacturers, and mobile operating system providers must all be involved. As a consequence, most mobile devices today receive updates very rarely. 

Deep Dive

Computing

ASML machine
ASML machine

Inside the machine that saved Moore’s Law

The Dutch firm ASML spent $9 billion and 17 years developing a way to keep making denser computer chips.

The Steiner tree problem:  Connect a set of points with line segments of minimum total length.
The Steiner tree problem:  Connect a set of points with line segments of minimum total length.

The 50-year-old problem that eludes theoretical computer science

A solution to P vs NP could unlock countless computational problems—or keep them forever out of reach.

DHS logo glitch
DHS logo glitch

The US is worried that hackers are stealing data today so quantum computers can crack it in a decade

The US government is starting a generation-long battle against the threat next-generation computers pose to encryption.

This new startup has built a record-breaking 256-qubit quantum computer

QuEra Computing, launched by physicists at Harvard and MIT, is trying a different quantum approach to tackle impossibly hard computational tasks.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.