A colleague of mine recently bought her husband a new Android device off of eBay. After receiving the $600 phone, she discovered that it may have been stolen by the person who sold it to her, but thankfully, she can fall back on PayPal’s buyer’s insurance to get her hard-earned money returned.
According to researchers at Rutgers, who are presenting today at the HotMobile 2010 Conference in Maryland, my friend may have in fact been lucky as the fraudulent background of her new device could have saved her husband from potential attacks if the device had actually worked — and skillful cyber criminals had gotten their hands on it first.
While malware attacks carried out against mobile devices remain rare and (as far as we know) thus far fairly benign, the Rutgers computer scientists are demonstrating a new form of potential handheld attack that attempts to use pre-loaded malware, specifically rootkits, to land on user’s smartphones and attempt to steal their data, and subsequently their identities and assets.
In fact, the proof-of-concept being shared by the researchers today shows how attackers could even go so far as to eavesdrop on the conversations of someone whose phone is infected in such a manner.
The added step of needing to physically handle someone’s mobile in order to infect it with malware may be a fairly manual process that’s hard to compare to the ability of attackers to spread their work around the globe via the Web, but the research project illustrates how the rapidly advancing footprint of new handhelds will make it easier in years to come for cyber criminals to target smartphone users.
And attackers may soon also devise threats that can be delivered over the airwaves via Bluetooth and other technologies, the experts point out.
“Smartphones are essentially becoming regular computers,” Vinod Ganapathy, assistant professor of computer science in Rutgers’ School of Arts and Sciences, said in a research summary. “They run the same class of operating systems as desktop and laptop computers, so they are just as vulnerable to attack by malware.”
As the types of so-called High Resolution Version Virtual machine monitors that security analysts use to check for rootkits in full-scale computers do not yet exist yet for smartphones, it would also be very hard for anyone infected using the technique to ever detect it.
One can immediately allow their imagination to travel to the world of cyber-war, 007 and Jason Bourne as you cook up potential uses for the attacks, say, if someone could get their hands on Obama’s BlackBerry, or even the mobile device of a CEO from a large publicly-held company.
And as Rutgers experts point out, in addition to corrupting all the devices applications, from voice to text and the Web, the availability of GPS-enabled phones could also allow for holders of infected devices to be physically tracked some day.
The researchers admit that they are essentially raising a “warning flag” over a form of attack that has not yet been seen in the wild and still remains a fairly complex especially when compared to today’s ubiquitous Web-borne threats.
However, it is important for people and device/service/applications providers to keep such security concerns in mind as they design and support the next-generation of smartphones.
“What we’re doing today is raising a warning flag,” said Rutgers computer science professor Liviu Iftode. “We’re showing that people with general computer proficiency can create rootkit malware for smart phones. The next step is to work on defenses.”
And if living in the nexus of Boston’s massive student community has taught me anything, it’s that college age people likely use and know more about their devices than almost anyone in the world.
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.