Cyber-security expert finds new flaw in smartphones

Feb 24, 2012 By Ken Dilanian

Just as U.S. companies are coming to grips with threats to their computer networks emanating from cyber-spies based in China, a noted expert is highlighting what he says is an even more pernicious vulnerability in smartphones.

Dmitri Alperovitch, the former McAfee Inc. cyber security researcher best known for identifying a widespread China-based cyber-espionage operation dubbed Shady Rat, has used a previously unknown hole in smartphone browsers to plant China-based malware that can commandeer the device, record its calls, pinpoint its location and access user texts and emails. He conducted the experiment on a phone running .'s operating system, although he says Apple Inc.'s iPhones are equally vulnerable.

"It's a much more powerful attack vector than just getting into someone's computer," said Alperovitch, who just formed a new security company called CrowdStrike with former McAfee George Kurtz.

Alperovitch, who has consulted with the U.S. , is scheduled to demonstrate his findings Feb. 29 at the RSA conference in San Francisco, an annual gathering. The Shady Rat attack he disclosed last year targeted 72 government and corporate entities for as long as five years, siphoning unknown volumes of confidential material to a server in China.

Alperovitch said he and his team commandeered an existing piece of malware called Nickispy, a remote access tool from China that was identified last year by anti-virus firms as a so-called . The malware was disguised as a + app that users could download. But Google quickly removed it from its Android Market app store, which meant that few users were hit.

Alperovitch and his team reverse-engineered the malware, he said, and took control of it. He then conducted an experiment in which malware was delivered through a classic "spear phishing" attack - in this case, a text message from what looks like a mobile phone carrier, asking the user to click on a link. Alperovitch said he exploited what's known as a zero-day vulnerability in smartphone browsers to secretly install the malware. Zero-day vulnerabilities are ones that are not yet known by the manufacturers and anti-virus companies.

"The minute you go to the site, it will download a real-life Chinese remote access tool to your phone," he said. "The user will not see anything. Once the app is installed, we'll be intercepting voice calls. The microphone activates the moment you start dialing."

The malware also intercepts texts and emails and tracks the phone's location, he said. In theory, it could be used to infiltrate a corporate network with which the phone connects.

There is no security software that would thwart it, he said.

As smartphone use has exploded, malware has not been as much of a problem as it has with laptops and desktops, Alperovitch said, because most people download applications through app stores that are regulated by Google and Apple. If cyber-thieves and spies figure out a way to get malware on the devices by bypassing the app store - as Alperovitch says he has demonstrated - it could cause huge problems.

"This really showcases that the current security model for smartphones is inadequate," he said.

Earlier this month, the top U.S. intelligence official, James Clapper, accused China and Russia of engaging in "wholesale plunder of our intellectual property" through cyber-attacks. Both countries deny a state-sponsored policy of cyber-espionage. The U.S. says it doesn't steal trade secrets or intellectual property. Western business executives who travel to China these days frequently take extraordinary computer security precautions, including ensuring that any device they bring to China is never again connected to their corporate networks.

Last year, anti-virus firm Trend Micro Inc. found a Chinese website that charged $300 to $540 to customers who wanted to spy on smartphones that ran Symbian or Windows Mobile operating systems. The website offered to send Nickispy as an attachment to a multimedia message.

User comments : 3
dbsi
not rated yet Feb 25, 2012
Why should it be impossible for a virus scanner to recognize the signature of a malware like Nickispy, and what's the principal difference between a spoofed text message and a spoofed email?
Shifty0x88
not rated yet Feb 25, 2012
Well, in theory you (a program) could just scan the source code when the app is submitted to the app store (I don't know if that really happens, but it would make sense), and check for any API calls in the program that you deem "sensitive" and check them for bad parameters, and basically figure out what it is trying to do to see if it is benign or not.

A program could probably catch most but not all of these violations in a program, or if it was cautiously programmed, have a lot of false positives, which you would somehow have to deal with.

The problem is: Google chose Java for the UI and they have a full API implementation in Java (SDK), as well as their NDK (Native Development Kit), which gives it to you in C/C++, so that's a lot of checking.

Java makes it harder because you actually have to watchdog it to check for a good piece of malware, which takes time, money, and lots of computers, virtual and/or real. It "should" be done before it goes on the app market to protect the users (AAPL).
blazingspark
not rated yet Feb 25, 2012
Smartphones still have very limited bandwidth and processing power. Wouldn't you notice it churning through your data allowance as you make voice calls, etc.?

The browsers in smartphones are also very limited and sandboxed. I'm surprised it has the permissions needed to install apps. I guess all this bugware is still in its infancy.