Researcher Charlie Miller warned, “I can take over your phone” and proceeded to demonstrate a method for delivering malicious code to Android phones using a device the size of a postage stamp. Miller was just one of 6,500 information security professionals meeting in Las Vegas for the recent Black Hat convention.
Miller took advantage of a new Android feature known as “Near Field Communication” (NFC) to get malware onto Android phones. The feature makes it possible for users to share photos, make payments and exchange other data merely by bringing Android phones within a few centimeters of similarly equipped devices, such as smartphones or payment terminals.
Miller, who spent five years as a global network exploit analyst at the U.S. National Security Agency, where his job included breaking into other countries’ computer systems, created a postage-stamp-sized device that could be planted, for example, near a cash register at a restaurant. All an Android user had to do was walk by the device to have his or her phone infected.
According to a piece on huffingtonpost.com, Miller and hacking expert Georg Wicherski also infected an Android phone with malicious code that exploited a security flaw in Google Chrome for Android.
Google fixed the flaw, and because Chrome is frequently updated, most users are protected against it. However, some users, notes Wicherski, are not protected. That’s because carriers and device manufacturers have not pushed those fixes or patches out to users.
Huffingtonpost.com quotes security expert Marc Maiffret as saying, “Google has added some great security features, but nobody has them.”
While Google has had difficulty getting carriers to push out security updates quickly, Apple has been much more successful in that regard with its iPhones and iPads.
Other researchers at Black Hat said they discovered a way to evade Google’s Bouncer antimalware and get malware into the Google Play Store. They did it by creating a text-message blocking application that used a legitimate programming tool known as a JavaScript bridge. (The JavaScript bridge, which is used by a number of companies including Facebook and LinkedIn, allows developers to remotely add new features to a program without going through the usual Android update process.)
To demonstrate, the researchers loaded malicious code onto one of their phones and remotely gained control of the Chrome browser. From there, downloading even more malicious code was trivial.