Security researchers will be demonstrating an end-to-end phishing attack on Google Android phones that utilizes a zero-day vulnerability in Apple’s WebKit technology at the upcoming RSA Conference.

The presentation, slated for Feb. 29, will be a coming-out party of sorts for new security firm CrowdStrike, which was founded by former McAfee executives Dmitri Alperovitch and George Kurtz. Though Alperovitch was mum on the exact details of the WebKit bug, he explained that in the demonstration, the vulnerability is exploited if the user clicks a link. The result is the installation of a malicious remote access tool without any further user intervention. 

“The goal was to demonstrate that the same threat that we face from targeted attacks on the personal computers – spear-phish delivery of an exploit which drops malware – will be a major threat on the mobile devices, as opposed to the dangers of someone downloading a malicious app from an App Store, which is what everyone is focusing on today,” he told Threatpost in an email. “To make the demo work, we weaponized a vulnerability in Apple’s WebKit technology, which is used in Android, iPhones, iPads, and [the] latest BlackBerry browsers. Due to time constraints, we only made the demo work on Android but we believe the same attack vector applies to other mobile devices as well.”

WebKit is a layout engine used by Apple Safari and Google Chrome browsers. In an interview with the LA Times, Alperovitch said that he used the vulnerability to help deliver the Nickispy Trojan. If it is installed on a device, the malware records phone calls and steals information. In the demonstration, the malicious link leading to the malware is delivered via text message.  

“Nickispy was discovered on third-party Chinese Android markets and [has] not been seen anywhere else,” he told Threatpost. “By default [it] sends intercepted data to a phone number in China. We reverse engineered the protocol, re-implemented the Command & Control server and commandeered Nickispy to have full control of the device ourselves in the demo.”

The RSA Conference will run from Feb. 27 to March 2 in San Francisco. 


Comments (3)

  1. Anonymous
    2

    Webkit always has been pretty bad, Apple is incompetent and Google just keeps throwing more money at it to fix it. Apple doesn’t even supply security updates for operating system versions more than 4 years old.

  2. Anonymous
    3

    That is an extreme position. WebKit is not as insecure as Java. Java exploits are usually highly exploitable cross-platform. They are generally privilege management issues (due to Java’s silly design of privileged code running in unprivileged context). WebKit exploits are usually partially or unreliably exploitable, relying on memory corruption in addition to JavaScript heap feng-shui. They are generally use after free issues, due to a highly complex codebase based on C++.
