Android drive-by download attack via phishing SMS
A new security start-up focused on helping high-profile businesses deal with targeted attacks and advanced persistent threats (APTs) plans to showcase a drive-by download that plants malware silently on Android smart phones.
CrowdStrike, which emerged from stealth mode last week with $26 million in funding, says the attack is delivered via spear-phishing SMS messages that lure users to a link that exploits a WebKit zero-day vulnerability.
CrowdStrike's Dmitri Alperovitch told the LA Times that this attack scenario has already been spotted in the wild:
Alperovitch said he and his team commandeered an existing piece of malware called Nickispy, a remote access tool emanating from China that was identified last year by virus firms as a so-called Trojan Horse. The malware was disguised as a Google+ app that users could download. But Google quickly removed it from its Android Market app store, which meant that few users were hit.
Alperovitch and his team reversed engineered the malware, he said, and took control of it. He then conducted an experiment in which malware was delivered through a classic "spear phishing" attack — in this case, a text message from what looks like a mobile phone carrier, asking the user to click on a link. Alperovitch said he exploited a so-called zero-day vulnerability in smartphone browsers to secretly install the malware. Zero-day vulnerabilities are ones that are not yet known by the manufacturers and anti-virus companies.
"The minute you go the site, it will download a real-life Chinese remote access tool to your phone," he said. "The user will not see anything. Once the app is installed, we'll be intercepting voice calls. The microphone activates the moment you start dialing."
The malware also intercepts texts and emails and tracks the phone's location, he said. In theory, it could be used to infiltrate a corporate network with which the phone connects.
CrowdStrike, which is headed by former McAfee executives, plans to present technical details of this issue at the RSA Conference which takes place this week in San Francisco.