A chilling demonstration to a small, packed room at the RSA security conference today showed how clicking a single bad Web link while using a phone running Google’s Android operating system could give an attacker full remote control of your phone. Once George Kurtz and colleagues from security startup CrowdStrike were done, they could record phone calls, intercept text messages, and track the hacked phone’s location at all times.

“What is ubiquitous, has a camera, a microphone, knows where you are at all times, is always on, and stores your sensitive information?” asked Kurtz. “The smart phone is the ultimate spying tool.”

Smart phones have been hacked before, but Kurtz said this was the first public demonstration of an end-to-end system able to wrest control of one remotely with just a single click on a Web link.

Targeted attacks, designed to steal intellectual property or valuable information from corporations and their executives, have become relatively common in recent years. For some time, security experts have warned that mobile devices offer a way that such attacks could become more pervasive and effective, and today’s demo lends weight to that case.

Kurtz and colleagues played out a scenario on stage that involved hacking a real, unmodified Android phone. Kurtz, playing the role of a busy investor at an industry event, received a text message claiming to be from his mobile carrier asking him to download an update to his phone’s software. When he clicked the link in that message, the phone’s browser crashed and the device rebooted. Once restarted, the device appeared unchanged, but a silent, malicious app had been installed that relayed all his phone calls and text messages to the attacker, who could also track his location on a map.

The attack was staged on a device running the 2.2 version of Google’s Android operating system, also known as Frozen Yogurt, but it made use of bugs in a component of Android’s browser that are also present in the more recent 2.3, or Gingerbread, version. Those two versions of Android account for almost 90 percent of Android devices in use today, said Kurtz. More significantly, WebKit, the browser component that was exploited, is also at the core of the Web browsers found in Apple’s iPhone and iPad devices, BlackBerry phones, and Google’s TV devices.

The attackers spent $1,400 on the black market for the details of 14 known, but not patched, bugs in WebKit. They then devised a way to chain those bugs to gain full “root” access to a device and built a complete system that used that access to install a remote access tool (RAT), an app they had seized from China-based hackers.

“Nation states like Russia and China are active in developing RATs, and if we can do [this] in a few weeks, they certainly can as well,” said Dmitri Alperovitch, CrowdStrike’s chief technology officer. The RAT in the demo was a conventional app with elevated privileges that could potentially be detected by security apps available for Android, he said, but given more time, it would be possible to use the same methodology to install very hard-to-detect “rootkit” software invisible to such tools.

Kurtz tried to end on something of a positive note, saying, “the sky’s not falling. These are very targeted attacks.”

Preventing attacks like the one demonstrated on stage requires more frequent updates to mobile operating systems, said Kurtz. However, doing that is far from easy, because wireless carriers, device manufacturers, and mobile operating system providers must all be involved. As a consequence, most mobile devices today receive updates very rarely.