Researchers to Detail WebKit Zero-Day on Android Phones at RSA Conference

Security researchers will be demonstrating an end-to-end phishing attack on Google Android phones that utilizes a zero-day vulnerability in Apple’s WebKit technology at the upcoming RSA Conference.

The presentation, slated for Feb. 29, will be a coming-out party of sorts for new security firm CrowdStrike, which was founded by former McAfee executives Dmitri Alperovitch and George Kurtz. Though Alperovitch was mum on the exact details of the WebKit bug, he explained that in the demonstration, the vulnerability is exploited if the user clicks a link. The result is the installation of a malicious remote access tool without any further user intervention. 

“The goal was to demonstrate that the same threat that we face from targeted attacks on the personal computers – spear-phish delivery of an exploit which drops malware – will be a major threat on the mobile devices, as opposed to the dangers of someone downloading a malicious app from an App Store, which is what everyone is focusing on today,” he told Threatpost in an email. “To make the demo work, we weaponized a vulnerability in Apple’s WebKit technology, which is used in Android, iPhones, iPads, and [the] latest BlackBerry browsers. Due to time constraints, we only made the demo work on Android but we believe the same attack vector applies to other mobile devices as well.”

WebKit is a layout engine used by Apple Safari and Google Chrome browsers. In an interview with the LA Times, Alperovitch said that he used the vulnerability to help deliver the Nickispy Trojan. If it is installed on a device, the malware records phone calls and steals information. In the demonstration, the malicious link leading to the malware is delivered via text message.  

“Nickispy was discovered on third-party Chinese Android markets and [has] not been seen anywhere else,” he told Threatpost. “By default [it] sends intercepted data to a phone number in China. We reverse engineered the protocol, re-implemented the Command & Control server and commandeered Nickispy to have full control of the device ourselves in the demo.”

The RSA Conference will run from Feb. 27 to March 2 in San Francisco. 

Discussion

  • Anonymous on

    Webkit is as insecure as Java, turn off Java and use Firefox.
  • Anonymous on

    Webkit always has been pretty bad, Apple is incompetent and Google just keeps throwing more money at it to fix it. Apple doesn't even supply security updates for operating system versions more than 4 years old.
