Android drive-by download attack via phishing SMS

Summary:A new security start-up focused on helping businesses deal with targeted attacks plans to showcase a drive-by download that plans malware silently on Android smart phones.

A new security start-up focused on helping high-profile businesses deal with targeted attacks and advanced persistent threats (APTs) plans to showcase a drive-by download that plants malware silently on Android smart phones.

CrowdStrike, which emerged from stealth mode last week with $26 million in funding, says the attack is delivered via spear-phishing SMS messages that lure users to a link that exploits a WebKit zero-day vulnerability.

CrowdStrike's Dmitri Alperovitch told the LA Times that this attack scenario has already been spotted in the wild:

Alperovitch said he and his team commandeered an existing piece of malware called Nickispy, a remote access tool emanating from China that was identified last year by virus firms as a so-called Trojan Horse. The malware was disguised as a Google+ app that users could download. But Google quickly removed it from its Android Market app store, which meant that few users were hit.

Alperovitch and his team reversed engineered the malware, he said, and took control of it. He then conducted an experiment in which malware was delivered through a classic "spear phishing" attack — in this case, a text message from what looks like a mobile phone carrier, asking the user to click on a link. Alperovitch said he exploited a so-called zero-day vulnerability in smartphone browsers to secretly install the malware. Zero-day vulnerabilities are ones that are not yet known by the manufacturers and anti-virus companies.

"The minute you go the site, it will download a real-life Chinese remote access tool to your phone," he said. "The user will not see anything. Once the app is installed, we'll be intercepting voice calls. The microphone activates the moment you start dialing."

The malware also intercepts texts and emails and tracks the phone's location, he said. In theory, it could be used to infiltrate a corporate network with which the phone connects.

CrowdStrike, which is headed by former McAfee executives, plans to present technical details of this issue at the RSA Conference which takes place this week in San Francisco.

[ SEE: Ten little things to secure your online presence ]

Topics: Security, Malware, Mobility

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.