Malicious code can be added to a mobile application in a way that bypasses approval and security checks.
Presenting in the keynote theatre at the RSA Conference in San Francisco, McAfee CTO George Kurtz said that we are in a 'new frontier' when it comes to information security, where we are out of IPv4 addresses, printers have operating systems, the average car has ten million lines of code and malicious code can easily be added to mobile phone applications.
He said: “What about when you can download anything? If you download something from an app store are you assuming it is okay? When do Apple (or Google) have time to go over three million apps with a fine-tooth comb?”
Kurtz described an experiment in which an app was created that resembled the popular 'flashlight' app but actually did much more than users would assume. “There is no doubt that this will go through, if you downloaded it then it will connect to Twitter and look for hashtags to connect to our command and control centre. It can continue to post to the server, as the app regulates with the server and downloads a remote code,” he said.
“We did not put this into the app store, we put the app with the code and created a command and control centre backend. The app checks in with this backend server and can steal photos off the phone. We also used it to send an SMS to the Red Cross but we are not donating, the victim is.”
He concluded by saying that the app had taken a week to put together and the point was to demonstrate 'a world that had not been looked at'. “This is one example (of a malicious app) and we have seen it done in the past and it is something that we will continue to see,” he said.
Chris Wysopal, CTO of Veracode, told SC Magazine that mobile app scanning was the most important trend for his company, as people can create fake websites as easily as they can create fake apps that collect credentials.
He said: “Companies are outsourcing the development of their apps so how do they know what is in the code? How can you control the new way of getting data into an organisation? It is out of control, as they do not know what they are running so it is an unknown risk.
“The mobile risk is our main priority, as although we do not see a worm infecting phones, the problem is with security and that space has changed. Worms make a big noise and targeted attacks go undetected.”