Hidden Browser Flaw Threatens Apple, Android Phones Alike
Targeted phishing attacks traditionally aimed at PCs are now making their way into the mobile cybercrime world, as a pair of security researchers will demonstrate at a security conference this week.
The vulnerability exists in WebKit, a software engine used by Google's Chrome Web browser and Apple's Safari browser. Testing their proof-of-concept hack on a Google Android-powered phone, the researchers from the security firm CrowdStrike were able to redirect the target smartphone's browser directly to a Chinese remote access tool capable of intercepting voice calls, tracking the phone's location and harvesting emails and texts.
As it stands now, cybercriminals peddling mobile malware have to get a corrupt app into the Android or Apple app store, and then convince the victim to download its host app — a tricky prospect because Google and Apple both regulate their app markets. In this instance, however, the researchers bypassed the app markets entirely and got the malware on the phone simply by exploiting the zero-day WebKit flaw.
"This really showcases that the current security model for smartphones is inadequate," Dmitri Alperovitch, a former McAfee researcher, told the Los Angeles Times. With his business partner George Kurtz, a former chief technology officer for McAfee, Alperovitch formed CrowdStrike.
Because WebKit powers both phones' browsers, the glitch leaves both Android devices and iPhones equally vulnerable.
The team is scheduled to demonstrate the flaw tomorrow (Feb. 29) at the RSA security conference in San Francisco.
The CrowdStrike experts used an existing piece of malware, the Nickispy Trojan, as their weapon of choice. First discovered last August, Nickispy hid in rigged Android apps, including a fake Google+ app, and when it hit users' phones, it recorded and stored conversations and sent information to remote servers.
Alperovitch and Kurtz reverse-engineered Nickispy and then deployed it in a spear-phishing attack — a tactic by which criminals send a legitimate-looking message with enough personal details to convince the victims it's meant for them. To take advantage of the WebKit glitch in their demonstration, they used a text message that appeared to come from a mobile phone carrier asking the user to click on a link.
Alperovitch said that as soon as the victim clicks the link, the browser automatically installs the Trojan, and all the while "the user will not see anything."
There is no security software that would stop this proof-of-concept hack from posing a real danger to smartphones if hackers were to get their hands on it, he said.