Saturday, February 25, 2012

Former McAfee Researcher Discovers, Exploits 0-day Vulnerability in Smartphone Browsers

How would you feel if your smartphone recorded your phone calls and sent them – along with your location, text messages and email – to an attacker?

While it sounds like something out of an action-packed spy film, former McAfee cybersecurity researcher Dmitri Alperovitch says it's not only possible, but the malware and smartphone vulnerability already exist.

Alperovitch and a team conducted an experiment using an existing piece of malware, a Trojan named Nickispy.C, which they reverse engineered and took control of in order to collect sensitive data, including recorded phone calls, from smartphones.

To make things worse, Alperovitch states that no security software is capable of thwarting such attacks, and while an Android-based smartphone was used in the experiment, he says that iPhones are just as vulnerable.

Alperovitch's Experiment

To plant the malware, Alperovitch used a classic “spear phishing” attack method, sending an SMS message with a link from a spoofed mobile carrier number.

"The minute you go the site, it will download a real-life Chinese remote access tool to your phone. The user will not see anything. Once the app is installed, we'll be intercepting voice calls. The microphone activates the moment you start dialing," Alperovitch explained.

In addition to eavesdropping on phone conversations, the malware also intercepts text messages and emails and monitors the phone’s location.

Alperovitch – who is best known for discovering Operation Shady RAT last year – intends to demonstrate his findings at the RSA conference in San Francisco on February 29th, 2012.

With the growing popularity of smartphones, cybercriminals have been hard at work developing malware targeting mobile operating systems. Should cybercrooks decide to start spamming out text messages linking to drive-by-download mobile malware attacks, we could all be in very big trouble.

Do you use a smartphone? How do you feel about Alperovitch's findings?

[via LATimes]
