New mobile attacks can workaround two-factor authentication on Android phones and inject malware onto iOS phones, according to a blog post from Check Point reporting on demonstrations at BlackHat Asia.
Attackers, the post said, can push rogue apps to Android devices of any Google services user. These allow the miscreants to steal incoming text messages. This despite a security feature put in place to block this scheme, namely deactivating the app's broadcast receivers – an Android API – until the user first opens the app.
Hackers get around this defence by replacing a bookmark in the user's devices with a URL redirecting to malicious activity, so attackers bypass two-factor authentication (2FA) and have no need to activate the malware. And, because the attack is launched from a compromised PC browser, access to the device itself is not needed.
In the case of iOS devices, by creating their own spoofed hotspots, attackers can brick devices loaded with versions before 9.3 as these tools are programmed to connect automatically to known Wi-Fi hotspots. Once a iOS device is connected, it continually checks time and date settings via the Network Time Protocol servers. Attackers can brick the device by resetting the time to the 1.1.1970 (epoch zero), an old bug in iOS.
Another iOS vulnerability was demonstrated on non-jailbroken devices running uncertified code signed with a developer certificate. Using readily available open source tools, miscreants can install what appears to be a legitimate app, but in actuality has malware loaded in. When installed, the "bad" app will hide the icon of the legitimate app and so evade standard security protocols as well as dupe the user into accepting it.
The point, the Check Point researchers said, is to use advanced security solutions.