You've probably never stopped to think about all the funny facial expressions you make when you're busy flinging Angry Birds at Bad Piggies, but if your phone has secretly been turned into a "spy phone," then an attacker could tell you because he or she could snap pictures of you as you play. If you don't play Angry Birds, then don't start feeling smug and secure, because it only took about two weeks for security researchers to write malicious code that can be injected into any Android app on the Google Play store. Although this was originally aimed at Android, don't feel left out, iPhone users, as you too can have your phone turned into a "cyber-surveillance" device.
In a Black Hat talk titled "How to Build a SpyPhone," Kevin McNamee, the Director of Alcatel-Lucent's Kindsight Security Labs, demonstrated how to turn your iPhone or Android smartphone into a spy phone that could allow an attacker "to track the phone's location, intercept phone calls and SMS messages, extract e-mail and contact lists, and activate the camera and microphone without being detected." Unless you noticed the app asking for unusual permissions when it was installed, you'd be none the wiser and would never know your phone was connected to a command-and-control server.
One of the first things the malicious and stealthy app does is turn down the phone's volume so you don't hear the camera secretly snapping photos. An attacker could also remotely activate the microphone, which would allow the recording of everything from business meetings to adventures in the bedroom. Although an iPhone shows a preview of videos or pictures, McNamee made the preview show up as only one pixel so no Apple fans would notice it.
McNamee used Angry Birds as the model for a malicious app dubbed DroidWhisperer, and then submitted his version of "Angry Birds" to a third-party app store. After installation, an attacker could text or email your contacts to suggest they too download the app. A hacker or cyberstalker could also map and keep track of your location, and could monitor your social media and web browsing activity as well as your conversations. It sounds like something the spooks would love to deploy.
"What the hacker sees is both scary and impressively simple," reported VentureBeat. "A small dashboard shows different devices connected to the C&C through the app. He can click on a target phone and data such as the phone number, e-mail address, contact list, unique identifier, and carrier pop up immediately. At the top of the dashboard there are different action buttons to take a picture, record video and audio, and send text messages and push notifications."
"I do think the bad guys are doing something like this, injecting their malicious code into existing apps," McNamee said. "It's pretty straightforward. It requires the ability to unpackage and repackage apps. It's not exceptionally tricky, but it does require some knowledge of how the Android system works."
Kindsight Security Labs previously reported, "It is surprisingly easy to add a command and control interface to allow the attacker to control the device remotely, activating the phone's camera and microphone without the user's knowledge. This enables the attacker to monitor and record business meetings from a remote location. The attacker can even send text messages, make calls or retrieve and modify information stored on the device - all without the user's knowledge."
The report added, "When connected to the company's Wi-Fi, the infected phone provides backdoor access to the network and the ability to probe for vulnerabilities and assets. With these features, an ordinary smartphone becomes the perfect platform for launching advanced persistent threats (APT)."
Follow me on Twitter @PrivacyFanatic