Just by clicking on a link with a smart phone, discovering a problem to turn it into the ultimate spy tool

ByKristen Nicole

It was reported that when you click on a link on an Android smartphone, there is a security problem that an attacker can control full remote control. It has been demonstrated with actual machine demonstration, and there is a possibility that iPhone, iPad, BlackBerry, GoogleTV terminals are also at the same risk other than Android.

How a Web Link Can Take Control of Your Phone - Technology Review


It is being held in San FranciscoRSA Conference 2012At the security technology companyCrowdStrikeGeorge Kurzz and others have found a malfunction that would allow an attacker to control the terminal remotely by clicking the wrong link on an Android terminal.

"There is a camera, there is a microphone, a terminal that always knows where you are and power is on and stores all the important information ... what is"Ubiquitous"Kurzu is asking. "A smartphone is the ultimate spy tool."

Although smartphones were hacked before, there were cases before, but it was first time that a demonstration was performed publicly. In this demonstration, Mr. Kurz succeeded in recording the contents of the call, stealing text messages, and tracking the location of the phone. In the future, similar attacks will be generalized to target intellectual property of corporations and useful information of company executives, Kurz pointed out. Already security experts alarmed that attacks on mobile terminals will increase steadily and the content of attacks will become effective, but this demo shows exactly this.

Mr. Kurz and others went on to demonstrate that the "busy investors in industrial events" that Kurtz will play encounters danger, using the real and unmodified Android terminal. A text message saying "Download the file to update the application" was received by Kurzu, and when clicking the link in the message, the browser crashed and the terminal restarted. When the reboot was completed, the terminal worked the same way as before, but the attacker had already set up to forward the contents of the call and text message, and the terminal location was also trackable.

Demo was done on Android 2.2-equipped terminal, but because it uses bug in browser, it can also happen on Android 2.3 using the same browser. These two versions account for 90% of all Android. More importantly, WebKit based browsers are also used on iPhones, iPads, BlackBerry, GoogleTV, and Kurtz.

An attacker can obtain information on 14 WebKit unproved bugs by paying 1,400 dollars (about 114,000 yen) in black market. By attack based on this informationRoot authorityYou can acquire the remote access tool, you can install it. "In Russia and ChinaRAT (Remote Administration Tool)If the development is thriving and we can make it in a few weeks, they will do the same way, "CroudStrike's chief technology officer, Dmitri Alperovitch says.

Mr. Kurz pointed out that in order to prevent the attack like this time more OS must be updated more frequently. However, the hurdle is high because communication operators, terminal makers and OS manufacturers can not cooperate, and updates are done only on a few terminals.

Although it is troublesome that there are incompleteness in security measures, even as a user, recognizing from the beginning that there is a possibility of leakage of information on smartphone, it is important not to put all important information in one terminal It is necessary to devise the use of. Finally it is myself to protect yourself.