Mobiles hijacked without user knowledge

Android is extremely susceptible to malware within its advertisement libraries says FireEye.

Android mobile operating system
Android mobile operating system

FireEye has posted a video showing how hackers can gain control of android mobile devices without the owners' knowledge - even those with Anti-Virus'. The hackers begin the takeover of the device by using adverts (from vulnerable ad libraries such as InMobi) in apps to gain personal data, rather than hacking the Android operating system itself. Once the hackers have gained control of the device, they can easily track the owner's location and find out where they live; they can send texts, make calls, take photos and videos at any time; and make it easier for other hackers to get hold of the device. This is especially worrying for businesses, as hackers could potentially have access to confidential information.

The attack, named ‘Sidewinder VIP attack' uses advertising libraries to steal the location information of victims, which can be used to find specific business areas, such as an office of a CEO. Once the location is found, the target is identified, using the phone's camera and microphone. The attack exploits vulnerabilities, for example, JavaScript binding and loading content over HTTP.

Sarb Sembhi, director at STORM Guidance told SCMagazineUK.com: “Some of the biggest target areas of vulnerabilities are those that enable external access to services, the main one being the libraries that are used to display advertising. This is the first of many attacks we are likely to see on ad libraries and services. The difficulty for users is that free apps rely on advertisements from the ad libraries which are being attacked.  Since Android is owned by Google and Google's business model is based mainly around localised advertising, it is more likely to be a target due to its ad libraries, mass adoption and operating system fragmentation.”

Greg Day at FireEye told SC: “Applications often say what they're doing in a notification before they are downloaded. Someone could see the app permissions and agree to them, without thinking about what they are actually agreeing to. Seemingly innocent things such as permission to use the devices' camera can be leveraged by a third party for a devious purpose. The underlying challenge lies with organisations. When they create their mobile apps, a lot of the time they will seek help from a third party, who will often use libraries in the development. This means that it isn't just one person creating the app; it's a whole supply chain, or ecosystem. Companies need to make sure the coding on the apps is what they wanted, and make sure that the app is as secure as it should be.”

Google, advertisement libraries, and app developers have been notified about related issues in the past, but there still remains millions of possible victims of ‘Sidewinder Targeted Attacks' due to the slow upgrading of Android.