Researchers show new security threat against 'smart phone' users

Feb 22, 2010
Rutgers computer science graduate student Jeffrey Bickford with smart phone used to test malicious "rootkit" software, which attacks the phone's operating system. Researchers showed how rootkits could cause a smart phone to eavesdrop on a meeting, track its owner's travels, or rapidly drain its battery to render the phone useless. Credit: Carl Blesch

Computer scientists at Rutgers University have shown how a familiar type of personal computer security threat can now attack new generations of smart mobile phones, with the potential to cause more serious consequences.

The researchers, who are presenting their findings at a mobile computing workshop this week in Maryland, demonstrated how such a software attack could cause a smart phone to eavesdrop on a meeting, track its owner's travels, or rapidly drain its battery to render the phone useless. These actions could happen without the owner being aware of what happened or what caused them.

" are essentially becoming regular computers," said Vinod Ganapathy, assistant professor of computer science in Rutgers' School of Arts and Sciences. "They run the same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack by , or 'malware.'"

Smart phones are cellular telephones that also offer Internet accessibility, texting and e-mail capabilities and a variety of programs commonly called "apps," or applications.

Ganapathy and computer science professor Liviu Iftode worked with three students to study a nefarious type of malware known as "rootkits." Unlike viruses, rootkits attack the heart of a computer's software - its operating system. They can only be detected from outside a corrupted operating system with a specialized tool known as a virtual machine monitor, which can examine every system operation and data structure.

monitors exist for desktop computers, but in current form, they demand more processing resources and energy than a portable phone can currently support.

Rootkit attacks on smart phones or upcoming tablet computers could be more devastating because smart phone owners tend to carry their phones with them all the time. This creates opportunities for potential attackers to eavesdrop, extract personal information from phone directories, or just pinpoint a user's whereabouts by querying the phone's Global Positioning System (GPS) receiver. Smart phones also have new ways for malware to enter the system, such as through a Bluetooth radio channel or via text message.

"What we're doing today is raising a warning flag," Iftode said. "We're showing that people with general computer proficiency can create rootkit malware for smart phones. The next step is to work on defenses."

In one test, the researchers showed how a rootkit could turn on a phone's microphone without the owner knowing it happened. In such a case, an attacker would send an invisible text message to the infected phone telling it to place a call and turn on the microphone, such as when the phone's owner is in a meeting and the attacker wants to eavesdrop.

In another test, they demonstrated a rootkit that responds to a text query for the phone's location as furnished by its GPS receiver. This would enable an attacker to track the owner's whereabouts. Finally, they showed a rootkit turning on power-hungry capabilities, such as the Bluetooth radio and GPS receiver to quickly drain the battery. An owner expecting remaining battery life would instead find the phone dead.

The researchers are careful to note that they did not assess how vulnerable specific types of smart phones are. They did their work on a phone used primarily by software developers versus commercial phone users. Working within a legitimate software development environment, they deliberately inserted rootkit malware into the phone to study its potential effects. They did not find a vulnerability that a real malware attacker would have to exploit.

The research team is presenting its findings at the International Workshop on Mobile Computing Systems and Applications (HotMobile 2010). Working with Ganapathy and Iftode were Jeffrey Bickford and Ryan O'Hare, who worked on the project as undergraduates, and Arati Baliga, who worked on it as a postdoctoral researcher. The research was supported by the National Science Foundation and the U.S. Army.

Explore further: Powerful new software plug-in detects bugs in spreadsheets

Related Stories

Grisoft Offers Free Rootkit Removal

Apr 11, 2007

Grisoft, makers of the popular AVG Antivirus, today released a free tool specifically aimed at eliminating malicious software that hides itself using rootkit techniques.

The malware attack against mobile phones is mounting

Dec 23, 2004

The security challenges in the mobile environment are similar to the problems we have encountered in the PC world. Open platforms are becoming popular in smartphones, for example the Symbian operating system is used in more ...

New study describes risk of mobile phone virus attacks

Jun 11, 2009

Traditional cell phones have been immune to viruses because they lack standardized operating systems. However, as smart phones rapidly increase in market share, viruses pose a serious threat to mobile communications.

Recommended for you

Researchers developing algorithms to detect fake reviews

Oct 21, 2014

Anyone who has conducted business online—from booking a hotel to buying a book to finding a new dentist or selling their wares—has come across reviews of said products and services. Chances are they've also encountered ...

User comments : 3

Adjust slider to filter visible comments by rank

Display comments: newest first

Skepticus
not rated yet Feb 22, 2010
...or rapidly drain its battery to render the phone useless...

Can it make major power re-routing and short-circuiting the batteries too, to make a phone explode?
abhishekbt
not rated yet Feb 23, 2010
Can it make major power re-routing and short-circuiting the batteries too, to make a phone explode?


I would say No. Based on my limited knowledge, short circuiting or even re-routing would possibly require hardware changes and can't be done remotely.

Even if they found out a way to flash out the firmware of the phone remotely, I doubt they could cause so much damage to make it explode.

Noteworthy in the example is, even when they wan't to drain battery, they can't do much other than turn on bluetooth and wifi at the same time.

Basically, whatever you can do, they can do remotely.
Now, can you make your own phone go boom?
Ricochet
not rated yet Feb 23, 2010
They could cause the browser to go to a certain webpage, which in turn could have a javascript that runs on the phone and causes it to reload the page over and over again. That would drain the battery REAL quick. On the newer smartphones that multitask they could do that with several instances of the browser.