Zero-day Smartphone Vulnerability exposes location and User Data
The Hacker News

Smartphones are increasingly becoming the preferred device for both personal and professional computing, which has also attracted hackers to increase their focus on creating malware and other security vulnerabilities for these devices. A former McAfee researcher "Dmitri Alperovitch" has used a previously unknown hole in smartphone browsers to plant China-based malware that can record calls, pinpoint locations and access user texts and emails.

He conducted the experiment on a phone running Android operating system, although he saysApple Inc.'s iPhones are equally vulnerable. Android is particularly vulnerable because it has become the main operating system for mobile devices. Today most smartphones are android-based therefore there is a huge dividend for hackers to write Android-targeted malware compared to other operating systems.

Alperovitch, who has consulted with the U.S. intelligence community, is scheduled to demonstrate his findings Feb. 29 at the RSA conference in San Francisco, an annual cyber security gathering. Alperovitch and his team reversed engineered the malware called Nickispy and and took control of it.

A nice little piece of Android spyware, commonly known as 'NickiSpy.C' . For those unfamiliar, NickiSpy gained quite a bit of notoriety around July/August 2011, as it was one of the first malicious Android applications to have the ability to record phone calls. Alperovitch said he exploited a so-called zero-day vulnerability in smartphone browsers to secretly install the malware. Zero-day vulnerabilities are ones that are not yet known by the manufacturers and anti-virus companies.

The malware also intercepts texts and emails and tracks the phone's location, he said. In theory, it could be used to infiltrate a corporate network with which the phone connects. Like most pieces of Android spyware/malware, installation is dependant on the end-user. In an experiment he also delivered it through a classic "spear phishing" attack.

Protect from Malware : For Android, the danger is downloading apps outside of Google's App Market . If you're off somewhere getting apps from sources you don't know or trust, there could be consequences. For iPhone users, the line really is whether you jailbreak or not. Jailbreaking can be pretty easy, and getting pirated or bootlegged apps can seem like a great way to save money, but in doing so, you're basically handing out the smart phone equivalent of a front door key to Lord only knows.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.