Researchers discover dangerous ways computer worms are spreading among smartphones

Apr 09, 2014
Professor Kevin Du conducted research on HTML-5 apps at Syracuse University's L.C. Smith College of Engineering and Computer Science. Credit: Syracuse University

Professor Kevin Du and a team of researchers from the College of Engineering and Computer Science at Syracuse University have recently discovered that some of the most common activities among smartphone users—scanning 2D barcodes, finding free Wi-Fi access points, sending SMS messages, listening to MP3 music and watching MP4 videos—can leave devices vulnerable to harmful "computer worms."

These worms can infiltrate smartphones through apps designed in a specific computer language/code—and they can do more harm than just steal the device owner's personal information, researchers warn. They can also spread to the owner's friends and personal contacts.

"These attacks target an increasingly popular type of app known as HTML5-based app," says Du, who worked on the research with students Xing Jin, Tongbo Luo and Derek G. Tsui. "Traditionally, apps are developed using a platform's native technologies, such as Java in Android and Object C in iOS. HTML5-based apps do not use platform-dependent native technologies, but use JavaScript instead, which is universally supported by all platforms.

"The advantage for developers is clear: write an app once and it can run on all major platforms," Du explains.

The team has so far identified 14 vulnerable HTML5-based apps from three types of mobile systems, including Android, iOS and BlackBerry. Developers of those vulnerable apps have been informed, and to give them time to fix the problem, the researchers have decided not to disclose the names of the vulnerable apps.

Professor Kevin Du and his team at Syracuse University have identified apps that could cause problems for smartphone users, allowing hackers easy access to sensitive information. Credit: Syracuse University News Services

"Imagine you're at the airport and you want to find the free Wi-Fi. When you scan, your phone is going to display the Wi-Fi access points. That could be an easy channel for a hacker to inject malicious worm code into your smartphone," Du says. "Once the worm takes control, it can duplicate itself, and send copies to your friends via SMS messages, multimedia file sharing, and other methods."

Researchers are currently working to develop solutions to help users and app developers detect and prevent such attacks.
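As an added illustration (not code from the researchers or their paper), the sketch below shows the defensive handling an HTML5-based app needs for text arriving over the channels named above. It assumes the app builds its display list by concatenating scanned values into markup; the function names and sample values are hypothetical and constructed for this example.

```javascript
// Added example: hypothetical names, constructed sample data.
// Text arriving over a scan channel (SSID, barcode, media tag) is chosen by
// whoever controls the other end, so it must only ever be shown as text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: channel data concatenated straight into markup, so any tags
// inside a value become part of the page.
function renderUnsafe(items) {
  return '<ul>' + items.map((i) => '<li>' + i.value + '</li>').join('') + '</ul>';
}

// Hardened form: every value is escaped before it reaches the markup.
function renderSafe(items) {
  return '<ul>' + items.map((i) => '<li>' + escapeHtml(i.value) + '</li>').join('') + '</ul>';
}

// Detection aid: list the channels whose values carry markup delimiters,
// which ordinary network names and titles rarely need.
function flagMarkup(items) {
  return items.filter((i) => /[<>]/.test(i.value)).map((i) => i.channel);
}

// Constructed sample input; the markup here is deliberately harmless.
const scanned = [
  { channel: 'wifi-ssid', value: 'Airport Free WiFi' },
  { channel: 'wifi-ssid', value: '<b>Free</b> WiFi' },
  { channel: 'barcode', value: 'Tom & Jerry "2D"' },
  { channel: 'mp3-title', value: '<i>Track 1</i>' },
];

console.log(renderUnsafe(scanned)); // tags from the data are live markup
console.log(renderSafe(scanned));   // same data, rendered inert
console.log(flagMarkup(scanned));   // channels worth logging or reviewing
```

In a real app the same effect comes from assigning scanned values through `textContent` rather than `innerHTML`.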

Details of how this attack can occur are described in a paper titled "XDS: Cross-Device Scripting Attacks on Smartphones through HTML5-based Apps" that the team will present at the Mobile Security Technologies workshop in May.

Du and his team are continuing their research to see what other apps might be at risk.

"We are launching a large scale search in the Google Play market and expect to find more vulnerable apps," says Du. "By 2016, it's estimated that more than fifty percent of the will be produced using HTML-5 technology. This is just a disaster waiting to happen," he adds.

More information: www.cis.syr.edu/~wedu/attack/


User comments : 6

kris2lee
2.3 / 5 (3) Apr 09, 2014
Can they describe a real attack vector as this just warm air moving?
alfie_null
not rated yet Apr 10, 2014
Can they describe a real attack vector as this just warm air moving?

They discover vulnerabilities. How would waiting for someone else to exploit them help things?

I notice my neighbor's front door is open and he is away. Should I phone him, or maybe alert the police? Or should I wait until I see someone carting away valuables, electronics, etc. from his house?
bluehigh
not rated yet Apr 10, 2014
In my paranoia I think my neighbour's door is unlocked. I get really anxious and needing the attention because I want to be a hero, I wake the entire neighbourhood. In a panic, I ask them if maybe they forgot to lock their doors.

Cross site (device) scripting is a known vector for malicious activity. Rather than beat up HTML5 or approach "app" developers using JavaScript, these alarmists might well have informed the implementation distributors of any vulnerability in their JavaScript interpreter.

antialias_physorg
5 / 5 (1) Apr 10, 2014
Can they describe a real attack vector as this just warm air moving?

It sounds just like standard XSS (cross site scripting), which is one of the 'oldest' forms of Javascript attacks.
Note that HTML5 is not a programming language, so this isn't something that is particular to HTML5 based content but to any content with embedded scripts.
The difference is that HTML5 is being used also as a basis for games and apps in general (as opposed to just websites for older versions of HTML) - so the known Javascript vulnerabilities extend to these now as well.
Horus
not rated yet Apr 17, 2014
14 vulnerable HTML5-based apps

I stopped caring at this point. Buying only Cocoa apps inside the AppStore is all that I buy.
ryggesogn2
not rated yet Apr 17, 2014
My Casio G-shock won't catch it.
"Montgomery Scott: Aye, sir. The more they overthink the plumbing, the easier it is to stop up the drain. "