Security researchers will be demonstrating an end-to-end phishing attack on Google Android phones that utilizes a zero-day vulnerability in Apple’s WebKit technology at the upcoming RSA Conference.
The presentation, slated for Feb. 29, will be a coming-out party of sorts for new security firm CrowdStrike, which was founded by former McAfee executives Dmitri Alperovitch and George Kurtz. Though Alperovitch was mum on the exact details of the WebKit bug, he explained that in the demonstration, the vulnerability is exploited if the user clicks a link. The result is the installation of a malicious remote access tool without any further user intervention.
“The goal was to demonstrate that the same threat that we face from targeted attacks on the personal computers – spear-phish delivery of an exploit which drops malware – will be a major threat on the mobile devices, as opposed to the dangers of someone downloading a malicious app from an App Store, which is what everyone is focusing on today,” he told Threatpost in an email. “To make the demo work, we weaponized a vulnerability in Apple’s WebKit technology, which is used in Android, iPhones, iPads, and [the] latest BlackBerry browsers. Due to time constraints, we only made the demo work on Android but we believe the same attack vector applies to other mobile devices as well.”
WebKit is a layout engine used by Apple Safari and Google Chrome browsers. In an interview with the LA Times, Alperovitch said that he used the vulnerability to help deliver the Nickispy Trojan. If it is installed on a device, the malware records phone calls and steals information. In the demonstration, the malicious link leading to the malware is delivered via text message.
“Nickispy was discovered on third-party Chinese Android markets and [has] not been seen anywhere else,” he told Threatpost. “By default [it] sends intercepted data to a phone number in China. We reverse engineered the protocol, re-implemented the Command & Control server and commandeered Nickispy to have full control of the device ourselves in the demo.”
The RSA Conference will run from Feb. 27 to March 2 in San Francisco.