printer friendly version

Millions of Android users still at risk

MWR InfoSecurity, an international IT security company, has won the US$30 000 prize at the Mobile Pwn2Own competition held at the EuSecWest Conference in Amsterdam in September.

Four researchers from MWR Labs, the company’s research arm, found critical vulnerabilities in Android which they exploited over the phone’s near field communications (NFC) functionality that could leave millions of users at risk.

IT security researchers from all over the world participated in the competition which is held every year. Nils Sommer and Jonathan Butler from the firm’s UK office and Tyrone Erasmus and Jacques Louw from the company’s South Africa office, exploited a standard, out of the box Samsung Galaxy SIII phone running Android 4.0.4 (Ice Cream Sandwich) by delivering a malicious file over the new S Beam feature, which uses the NFC functionality to send files between two phones.

“The demonstration at Pwn2Own allowed for the full compromise of the Samsung Galaxy SIII phone and installed a Trojan on the device which enabled them to dial any number, gather all SMS, e-mail and data and gain full control of the device,” said Harry Grobbelaar, MD of MWR InfoSecurity South Africa.

The attack was completed in two stages: first using an initial security vulnerability to execute a code on the device and then exploiting a further vulnerability using a customised version of Mercury, MWR’s Android security assessment framework, to take full control of the smartphone.

Researchers sent malformed data to the phone until it crashed, which allowed them to write new code until appropriate conditions to exploit the phone were found, including bypassing randomisation of memory, bypassing non-executable memory protection that Android 4.0.4 Ice Cream Sandwich implements as well as reversing Samsung S-Beam to allow for the effective delivery of the file.

The same vulnerability could also be exploited through other attack vectors, such as malicious websites or e-mail attachments.

Similarly to the issues discovered and reported on in the Galaxy SII, these vulnerabilities again presented themselves due to insecure applications provided by the vendor and shipped with all the handsets.

“As a result of the fast adoption of mobile banking in South Africa and the rest of Africa, it is important that end-users treat their smart-phones as mobile computers and implement the same security measures as they would for a personal computer,” warned Grobbelaar. “The issues we found on the Galaxy SIII will exist on other vendors' phones, this problem is not limited to Samsung.

“Do not click on unrecognised e-mail links, open unknown files, respond to text messages that ask for personal details or call numbers sent in text message requests from unknown numbers as these are known attack vectors that criminals are exploiting. Even though exploitation is getting harder on modern platforms as a result of the use of exploit mitigation techniques, it is still possible with a dedicated team working on it.”

Share this article:

Further reading: