As mobile devices such as iPhones, BlackBerrys, Android phones and others have become more sophisticated and easy to use, many users have made them their main computing and Web-browsing devices. And that evolution naturally has caught the attention of attackers who have begun tailoring more and more of their attacks at these mobile platforms.
The most recent example of this phenomenon is the iPhone Safari bug that became public yesterday after a researcher set up a Web site that used the flaw to help users jailbreak their iPhones. Details of the bug haven’t been released, but researchers say that the technique, which simply requires a user to visit the site on an iPhone, iPad or iPod Touch, could easily be adapted for use in malicious drive-by download attacks. From all indications, the Safari exploit is not child’s play, as it requires the attack to bypass a number of security protections on the iPhone, including the built-in sandbox, DEP (Data Execution Protection) and the code-signing requirement for apps that run on Apple’s mobile devices.
But the sophistication of the exploit is a good indication of the kind of serious attention that these mobile devices are drawing from legitimate researchers and attackers alike. At the Black Hat and DEFCON conferences in Las Vegas last week there were more sessions devoted to mobile security research than ever before, including talks on hacking wireless GSM base stations, passively intercepting calls on the GSM network and many others. Offensive research on mobile security is advancing rather quickly at the moment.
One DEFCON talk in particular drew quite a bit of attention. A pair of security researchers, Nicholas Percoco and Christian Papathanasiou, showed off a rootkit designed specifically for Android phones, the first piece of code of its kind, they said.
A story from The H Security describes the attack:
The rootkit can gain access to Android devices, either through using unpatched vulnerabilities, or by pretending to be a legitimate app. Two other researchers recently showed that it’s possible to spread infected apps to thousands of devices. Once installed, the rootkit is activated by calling the infected mobile from a specific number. It then establishes a connection to the attacker’s computer, which allows the phone to be controlled remotely. As the researchers demonstrated in their talk, this gives the attacker access to the Android phone’s SQLite database, allowing them to view, for example, a victim’s texts or contacts.
There have been other similar proof-of-concept demonstrations recently, including some work done by researcher Jon Oberheide, who wrote a benign rootkit application called RootStrap that he uploaded to the Android Market and used to show that he could trick users into downloading a potentially malicious app. He gave the app the name “Twilight Eclipse Preview” and found that a number of users installed the free app, which didn’t do anything malicious, but had the ability to connect to a remote server and download native ARM code. That technique easily could be turned into a malicious attack with just a few tweaks.
And researcher Tyler Shields of Veracode demonstrated a related technique for getting a potentially malicious application into the BlackBerry App World marketplace earlier this year. His spyware app had the ability to intercept text messages and steal data from BlackBerrys. And this is just the beginning of what is likely to be an avalanche of similar attacks in coming years.
“There are extremely technical approaches like the OS attacks, but that stuff is much harder to do,” Shields said at the time his attack was released. “From the attacker’s standpoint, it’s too much effort when you can just drop something into the app store. It comes down to effort versus reward. The spyware Trojan approach will be the future of crime. Why spend time popping boxes when you can get the users to own the boxes themselves? If you couple that with custom Trojans and the research I’ve done, it’s super scary.”