Darlene Storm

Mobile RAT attack makes Android the ultimate spy tool

March 01, 2012 11:50 AM EST

Your smartphone is an always-on and always-connected digital extension of your life which will be used by attackers to covertly steal your sensitive data and spy on you.

George Kurtz, co-author of Hacking Exposed and co-founder of the new security start-up CrowdStrike, called your smartphone the "ultimate spy tool." If attackers could covertly access your smartphone, they could use it as a hidden camera, secretly record video, tap into the microphone to eavesdrop or make audio recordings, and track your movements via GPS location. In the BYOD (bring your own device) corporate world, a compromised mobile phone could be used to listen in to business meetings for espionage or for insider trading. When it comes to smartphone vulnerabilities and mobile malware, we need to stay vigilant and be aware of what threats are coming, what's here now, and how we can best protect ourselves. The next wave of attack will come in the form of a mobile RAT — even more worrisome is that the capabilities of today's mobile RAT are only going to get more powerful tomorrow.

At the RSA conference, there was a particularly scary session called Hacking Exposed: Mobile RAT Edition. CrowdStrike co-founder Dmitri Alperovitch showed an end-to-end targeted attack on an Android smartphone, starting with social engineering to trick the user into clicking a link, silently installing malware via a drive-by download, and then covertly taking control of the device, accessing the microphone and camera, to steal sensitive information.

The Android ecosystem is booming, according to the Google Mobile Blog. "With a year-on-year growth rate of more than 250%, 850,000 new Android devices are activated each day, jetting the total number of Android devices around the world past 300 million." The Android Market now has "more than 450,000 apps today, with over one billion app downloads happening every month." Eventually all PC attacks will migrate to the mobile device arena, so guess what, Android users? You are the new low-hanging fruit, you own a 'cyber menace', and you are the most vulnerable to smartphone hacking.

The way it works is for an attacker to send an SMS appearing to be from a trusted source, such as your wireless carrier alerting you that your data plan is about to expire unless you click on a link to renew the service. "For a buck or two, you could send a spoofed SMS message," Alperovitch noted. "The minute you go to the site, it will download a real-life Chinese remote access tool to your phone," he told the LA Times. "The user will not see anything. Once the app is installed, we'll be intercepting voice calls. The microphone activates the moment you start dialing." CrowdStrike had a Command & Control server which showed real-time GPS tracking of the infected phone. After clicking on the mapped device, an attacker can listen in on or record calls and text messages.

The CrowdStrike team reverse engineered a Remote Access Tool (RAT) called Nickispy (a RAT from China that successfully disguised itself as a Google+ app). Then they crafted an exploit for a flaw in WebKit, the open-source software which is built into Android's Web browser — but is also in RIM's BlackBerry, Apple's Safari and iOS devices like the iPhone and iPad, as well as other software programs such as Google's Chrome browser. Alperovitch told Reuters, "With modifications and perhaps use of different exploits, this attack will work on every smartphone device and represents the biggest security threat on those devices." He told CNET, "We weaponized it on the Android platform for this demo." This attack was on Android 2.2, also known as Froyo, a platform on only 27.8% of Android devices. According to Android Developers, Gingerbread is the most widely distributed OS, installed on 59% of Android devices.

What security is there to thwart the attack? Mobile security firm Lookout told CNET, "In order to fix it, you need a firmware update for the mobile devices. This will come with a new version of iOS or a new Android firmware update pushed by your operator, which can take weeks or months, or never happen."

In a recent RSA interview and podcast with Linda Lynch, when asked what keeps him up at night, Alperovitch said (around the 7:00 mark):

The increasingly aggressive behavior of nation states out there. They're hostile to the United States, hostile to the Western world, countries like China, Russia, Iran, North Korea and a number of others. They're really developing very sophisticated cyber offensive capabilities. Today they are mostly being used for espionage activities which is having just a tremendous impact on our economy from the intellectual property that is being stolen each and every day from corporations and governments. But when you start thinking about potentially destructive attacks, those that destroy systems, either physical systems or virtual systems, those that destroy data or modify data, the world can get pretty scary.

Image credit: Stuart Chalmers