Hacking Experts at the Black Hat hacking conferrence in Las Vegas have demonstrated ways to attack Android Smartphones using methods, they said work on virtually all such devices in use today, despite of recent efforts by Google to boost protection of the Android phones.
Around 6,500 corporate and government security technology experts gathered at the conference to learn about the emerging threats to their networks. Sean Schutle of trustwave’s Spider Labs said,”Google is making progress, but the authors of malicious software are moving forward”.
Google spokeswoman Gina scigilano declined to comment on the security concerns or the new research.
Charlie Miller, an Accuvant researcher demonstrated a method for delivering malicious code to Android Smartphones which are using NFC (Near field Communications) which is a latest Android feature. It allows the users to share datas with friends even make payments by bringing another Android Smartphone or payment terminals with NFC within a few centimeters.
“I can take over your phone,” Miller said.
He also added that he had figured out how to create a postage stamp size malicious device which can be stuck in an inconspicious place like near a cash register at a restraurant. When an Android Smartphone user walks near it his/her phone would get infected, said Miller.
Charlie Miller has spent 5 years as a global network exploit analyst at the US National Security Agency, where his tasks included breaking into foreign computer systems.
Miller and another Hacking Expert, Georg Wicherski of CrowdStrik, have also infected an Android Phone with a piece of malicious code which Wicherski revealed in February. According to Wicherski that piece of malicious software exploits a security flaw in the Android browser that was publicly disclosed by Google’s Chrome browser development team. He added that Google has fixed the flaw in Chrome, which is frequently updated, so that most users are now safe and protected. But Android users are still under threat as carriers and device manufacturers have not pushed those fix or patches out to the users.
Experts also stated that Apple iPhones & iPads don’t face such problems because Apple has been able to get carriers to push out security updates fairly and quickly as soon as they are released. According to two Trustwave researchers who have developed a technique for evading Google’s “Bouncer” technology for identifying malicious programs in its Google Play Store.
They created a text-message blocking application that uses a lawful programming tool known as java script bridge. Java script bridge lets developers remotely add new features to a program without using the normal Android update process. According to Trustwave, companies including Facebook and LinkedIn use Java Script Bridge for legitimate purposes which could also be exploited maliciously.
To prove their researchs, they loaded malicious code onto one of their Android smartphones and remotely gained control of the browser and once they did that, they could download more code and grant total control. And nothing has been cleared about the malicious device detection over the smartphone.
“Hopefully Google can solve the problem quickly,” said Nicholas Percoco, senior vice president of Trustwave’s SpiderLabs. “For now, Android is the Wild West”.